manage TLSA records

Feature Request: A nice augment to managing letsencrypt certificates would be to automatically set up the TLSA record in DNS; it would be impractical to use TLSA otherwise. This can also be done for non-letsencrypt certificates, of course.

Example command to generate the TLSA record:

# domain=domain.com
# openssl x509 -noout -fingerprint -sha256 < /etc/letsencrypt/live/${domain}/cert.pem | sed -e s/://g -e "s/.*=/_443._tcp.${domain}. 1800 IN TLSA 3 0 1 /"
_443._tcp.domain.com. 1800 IN TLSA 3 0 1 C2C7CE93AC8716A8550EF1D3856C669B45456CF2204C081AB8F52DCC230D0031

Then import that into a DNS record.

The only(?) remaining issue is handling certificate rollover, which is done by having multiple TLSA records for the old and new certificates. When adding a TLSA record, first determine the certificate's expiry date and add a little time to that (24 hours?), save that timestamp somewhere (new expire/remove date field in db table?), and run a little cleanup routine that removes old TLSA records that have expired.

Certificate expiry date is gotten with:

# openssl x509 -noout -enddate < /etc/letsencrypt/live/${domain}/cert.pem
notAfter=Oct  2 05:04:00 2016 GMT
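The pieces of the proposal above (build the "3 0 1" record from the certificate, parse the openssl expiry line, keep old and new records side by side and sweep out the expired ones after a grace period) fit together as the following Python sketch. It is an added example written for this issue, not code from certbot or from the issue author. It assumes nothing beyond the standard library; the `SAMPLE_PEM` value is a constructed stand-in whose base64 body decodes to the bytes `abc` (it is not a real certificate), `SAMPLE_ENDDATE` is the openssl output line quoted above, and the function and class names are hypothetical. One caveat worth keeping in mind when designing this: a usage/selector/matching combination of `3 0 1` hashes the whole certificate, so the record changes on every renewal (which is exactly why the rollover handling matters); a `3 1 1` record hashes only the SubjectPublicKeyInfo and survives renewals that reuse the same key pair.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample "PEM" whose DER body is just the bytes b"abc".
# It is NOT a real certificate; it only lets this block run offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# The `openssl x509 -noout -enddate` output line quoted in the issue.
SAMPLE_ENDDATE = "notAfter=Oct  2 05:04:00 2016 GMT"


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the certificate body to DER."""
    body = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if body is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body.group(1).split()))


def tlsa_record(domain, der, ttl=1800, port=443, proto="tcp"):
    """Build a DANE-EE (usage 3), full-certificate (selector 0), SHA-256
    (matching type 1) record: the same '3 0 1' record the openssl|sed
    pipeline in the issue produces (SHA-256 over the DER certificate)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return f"_{port}._{proto}.{domain}. {ttl} IN TLSA 3 0 1 {digest}"


def parse_openssl_enddate(line):
    """Parse 'notAfter=Oct  2 05:04:00 2016 GMT' into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    stamp, _, zone = value.rpartition(" ")
    if zone not in ("GMT", "UTC"):
        raise ValueError(f"unexpected time zone {zone!r}")
    # strptime treats whitespace in the format as \s+, so the padded day works.
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


class TlsaRolloverStore:
    """Keeps every published TLSA record together with the instant after
    which it may be removed (certificate notAfter plus a grace period), so
    the old and new certificate's records overlap during rollover and the
    stale one is swept out afterwards."""

    def __init__(self, grace=timedelta(hours=24)):
        self.grace = grace
        self._records = {}  # record text -> remove-after (aware UTC datetime)

    def add(self, record, not_after):
        """Publish a record; it stays until not_after + grace has passed."""
        self._records[record] = not_after + self.grace

    def active(self):
        """Records that should currently be present in DNS."""
        return sorted(self._records)

    def cleanup(self, now):
        """Drop records whose remove-after time has passed; return them so the
        caller can delete the matching DNS entries."""
        expired = [r for r, t in self._records.items() if now >= t]
        for r in expired:
            del self._records[r]
        return expired


if __name__ == "__main__":
    record = tlsa_record("domain.com", pem_to_der(SAMPLE_PEM))
    print(record)
    store = TlsaRolloverStore()
    store.add(record, parse_openssl_enddate(SAMPLE_ENDDATE))
    print("active:", store.active())
    print("removed:", store.cleanup(parse_openssl_enddate("notAfter=Oct  3 05:05:00 2016 GMT")))
```

In a real deployment `add` would be called for the new certificate before it is served, so that both records are live while clients may still see either certificate, and `cleanup` would run from the same periodic job that does renewals, pushing each removed record to the DNS provider.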