Quickstart

First, install with pip as usual (see Installation):

~$ pip install alnitak

Next, create a configuration file /etc/alnitak.conf containing details of the certificates you wish to generate DANE TLSA records for. See Configuration for more details.

Then initialize alnitak in order to create and populate the /etc/alnitak/dane directory:

~$ alnitak init

Finally, run alnitak daily, for example as a cron job:

# m h  dom mon dow   command
0 3,15 *   *   *     /usr/bin/alnitak

and also add it to certbot’s pre- and deploy-hooks:

[renewalparams]
pre_hook = alnitak pre
renew_hook = alnitak deploy

(See Certbot for more details.)

Now alnitak is ready to be used. Every service for which you want TLSA records published should load its certificate from /etc/alnitak/dane/example.com/cert.pem rather than directly from the Let’s Encrypt path /etc/letsencrypt/live/example.com/cert.pem (and likewise for the other certificate files in that directory).

Certificate renewal will now also update the DANE TLSA records automatically, with no manual intervention needed.
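As an added example (not alnitak's own code), the record alnitak publishes for a certificate can be recomputed in Python from the PEM under /etc/alnitak/dane/ and compared with what the DNS actually serves, e.g. via dig TLSA _443._tcp.example.com; the port, the constructed sample certificate and the function names are assumptions, and the "3 1 1" / "3 0 1" field meanings follow RFC 6698.

```python
import base64, hashlib, re

# Added example (not alnitak's code): the TLSA rdata alnitak publishes. "3 1 1" is
# SHA-256 over the DER SubjectPublicKeyInfo, "3 0 1" over the whole DER cert (RFC 6698).

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's contents into (tag, full TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])  # Certificate -> TBSCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def pem_to_der(pem_text):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_text))

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def tlsa_record(cert_der, selector=1):
    """TLSA rdata: usage 3 (DANE-EE), selector 0 or 1, matching type 1 (SHA-256)."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    return "3 %d 1 %s" % (selector, sha256_hex(data))

# Constructed, structurally minimal certificate so the example runs stand-alone;
# real input is the PEM in /etc/alnitak/dane/example.com/cert.pem.
SAMPLE_SPKI = bytes.fromhex("3014300d06092a864886f70d0101010500030300abcd")
_TBS = bytes.fromhex("a003020102020101" "3000300030003000") + SAMPLE_SPKI
SAMPLE_CERT_DER = b"\x30\x2d\x30\x26" + _TBS + bytes.fromhex("3000030100")

if __name__ == "__main__":
    print("_443._tcp.example.com. IN TLSA", tlsa_record(SAMPLE_CERT_DER))
```

To check a live deployment, replace SAMPLE_CERT_DER with pem_to_der(open("/etc/alnitak/dane/example.com/cert.pem").read()) and compare the output with the published TLSA record.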