manage TLSA records
Feature Request: A nice augment to managing letsencrypt certificates would be to automatically set up the TLSA record in DNS; it would be impractical to use TLSA otherwise. This can also be done for non-letsencrypt certificates, of course.
Example command to generate the TLSA record:
# domain=domain.com
# openssl x509 -noout -fingerprint -sha256 < /etc/letsencrypt/live/${domain}/cert.pem | sed -e s/://g -e "s/.*=/_443._tcp.${domain}. 1800 IN TLSA 3 0 1 /"
_443._tcp.domain.com. 1800 IN TLSA 3 0 1 C2C7CE93AC8716A8550EF1D3856C669B45456CF2204C081AB8F52DCC230D0031
Then import that into a DNS record.
The only(?) remaining issue is handling certificate rollover, which is done by having multiple TLSA records for the old and new certificates. When adding a TLSA record, first determine the certificate's expiry date and add a little time to that (24 hours?), save that timestamp somewhere (new expire/remove date field in db table?), and run a little cleanup routine that removes old TLSA records that have expired.
The certificate expiry date is obtained with:
# openssl x509 -noout -enddate < /etc/letsencrypt/live/${domain}/cert.pem
notAfter=Oct 2 05:04:00 2016 GMT
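The two pieces above (generating the record from the certificate, and tracking an expire/remove timestamp so stale records can be cleaned up after rollover) as one worked example. This is added code, not part of the feature request or of any certbot/letsencrypt tooling; it uses only the Python standard library, assumes the 24-hour grace period floated above, stores records as plain dicts in place of the proposed DB table, and runs on a constructed PEM body rather than a real certificate.

```python
# Added example (not code from the feature request): build the TLSA record the
# openssl | sed pipeline above produces, and model the rollover cleanup it asks for.
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)  # the "add a little time" suggested above (assumption: 24h)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the certificate body into DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tlsa_record(domain: str, pem: str, port: int = 443, ttl: int = 1800) -> str:
    """Equivalent of the openssl/sed pipeline: usage 3 (DANE-EE), selector 0
    (full certificate), matching type 1 (SHA-256 of the DER certificate)."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return f"_{port}._tcp.{domain}. {ttl} IN TLSA 3 0 1 {digest}"


def parse_enddate(line: str) -> datetime:
    """Parse the 'notAfter=Oct  2 05:04:00 2016 GMT' line from openssl x509 -enddate."""
    value = line.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def remove_after(not_after: datetime, grace: timedelta = GRACE) -> datetime:
    """Timestamp to store alongside the record (the proposed expire/remove field)."""
    return not_after + grace


def cleanup(records: list, now: datetime) -> tuple:
    """Split stored records into (keep, drop): a record is dropped once its
    remove_after has passed. During rollover the old and the new certificate's
    records are both still published."""
    keep = [r for r in records if r["remove_after"] > now]
    drop = [r for r in records if r["remove_after"] <= now]
    return keep, drop


# Constructed sample: not a real certificate, just bytes wrapped in PEM armour.
SAMPLE_DER = b"constructed sample, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def rollover_demo() -> tuple:
    """Old cert expiring 2 Oct 2016 with a new cert published alongside it;
    returns how many records survive cleanup before and after the grace period."""
    old = {"rr": tlsa_record("domain.com", SAMPLE_PEM),
           "remove_after": remove_after(parse_enddate("notAfter=Oct  2 05:04:00 2016 GMT"))}
    new = {"rr": tlsa_record("domain.com", SAMPLE_PEM),
           "remove_after": remove_after(parse_enddate("notAfter=Dec 31 05:04:00 2016 GMT"))}
    before = cleanup([old, new], datetime(2016, 10, 2, 12, 0, tzinfo=timezone.utc))
    after = cleanup([old, new], datetime(2016, 10, 3, 6, 0, tzinfo=timezone.utc))
    return len(before[0]), len(after[0])


if __name__ == "__main__":
    print(tlsa_record("domain.com", SAMPLE_PEM))
    print(rollover_demo())
```

Keeping the old record published until notAfter plus the grace period matters because resolvers may still hold the old TLSA RRset for up to its TTL while clients already see the new certificate; the cleanup routine only ever removes records whose stored remove_after has passed, so a record is never withdrawn while its certificate can still be served.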