Quickstart¶
First, install with pip as usual (see Installation):
~$ pip install alnitak
Next, create a configuration file /etc/alnitak.conf
containing details
of the certificates you wish to generate DANE TLSA records for. See
Configuration for more details.
Then initialize alnitak in order to create and populate the
/etc/alnitak/dane
directory:
~$ alnitak init
Finally, run alnitak daily, for example as a cron job:
# m h dom mon dow command
0 3,15 * * * /usr/bin/alnitak
and also add it to certbot’s pre- and deploy-hooks:
[renewalparams]
pre_hook = alnitak pre
renew_hook = alnitak deploy
(See Certbot for more details.)
Now alnitak is ready to be used. All services that use certificates that
you wish to publish TLSA records for should use certificates
/etc/alnitak/dane/example.com/cert.pem
instead of directly using the
Let’s Encrypt certificate /etc/letsencrypt/live/example.com/cert.pem
(and analogously for the other certificate files).
Certificate renewal will now also automatically renew DANE TLSA records, and needs no manual intervention.