How to create DNSSEC DANE TLSA entries

A TLSA record for an HTTPS server looks like this:

_443._tcp.www.netfuture.ch. 3600 IN TLSA (3 0 1 BFEFBE7E7157D66B1F6FF58C1E5BE2B8F7AF92B84130EABA59EEC3D4052650BC)

Here www.netfuture.ch is the hostname, and the _443._tcp prefix names the port (443 = HTTPS) and the transport protocol (TCP). 3600 is the TTL (the record may be cached for 3600 s) and IN is the class (Internet). The three numbers in front of the hash are the certificate usage, the selector and the matching type: 3 (DANE-EE) says the record identifies the server's own end-entity certificate, which a DANE-aware client accepts without further PKIX/CA validation; 0 says the association data is computed over the entire DER-encoded certificate; 1 says that data is a SHA-256 hash. Note that with selector 0 the hash changes every time the certificate is reissued, so the record must be updated at each renewal. Many operators therefore publish 3 1 1 instead, a SHA-256 over the SubjectPublicKeyInfo only, which stays valid across renewals as long as the same key pair is reused (certbot: --reuse-key).

However, if you run an older ISC BIND (before 9.8.3) or another DNS server that does not yet know the TLSA record type, you can write the same record in the generic unknown-type syntax of RFC 3597:

_443._tcp.www.netfuture.ch. 3600 IN TYPE52 \# 35 03 00 01 BFEFBE7E7157D66B1F6FF58C1E5BE2B8F7AF92B84130EABA59EEC3D4052650BC

Here \# introduces the generic RDATA encoding. The number that follows it (35) is the RDATA length in bytes (3 parameter bytes plus 32 hash bytes) and the rest is the RDATA as hexadecimal. Each parameter value must be written as two hex digits (03, not 3); whitespace between the hex groups is allowed and ignored.

To generate the fingerprint, use the following command:

$ openssl x509 -noout -fingerprint -sha256 < /path/to/your/certificate/file | tr -d :

Note that many versions of openssl accept SHA-256 as the fingerprint digest even where the manual or -help output does not list it. tr removes the colons, which must not appear in the zone file. The resulting output is:

SHA256 Fingerprint=BFEFBE7E7157D66B1F6FF58C1E5BE2B8F7AF92B84130EABA59EEC3D4052650BC

Copy BFEFBE…BC into the hash field of the zone file. Before publishing, confirm that the zone is DNSSEC-signed: a TLSA record that cannot be validated with DNSSEC gives the client no protection.

– Credits to netfuture

On a Raspberry Pi running Debian Bookworm with Apache, certbot stores the Let's Encrypt certificate in:

/etc/letsencrypt/live/<fqdn>/fullchain.pem

fullchain.pem holds the server certificate followed by the intermediate(s). openssl x509 reads only the first certificate in a file, so the fingerprint command above applied to fullchain.pem hashes the server certificate, the same as cert.pem in the same directory, which is what a 3 0 1 record needs.

Let's Encrypt certificates are valid for 90 days, and Let's Encrypt periodically sends a reminder email to renew. Before renewing, make sure the site is reachable from the Internet on ports 80 and 443, because the Apache plugin completes the HTTP-01 challenge over port 80. For an Apache site the command is:

sudo certbot --apache

– Credits to pimylifeup

Renewal can be automated with a cron job:

0 */12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload apache2"

On Debian Bookworm the certbot package already installs a systemd timer (certbot.timer) that runs certbot renew twice a day, so check systemctl list-timers first and do not run both. Note also that --post-hook runs after every invocation, whether or not a certificate was renewed; --deploy-hook, or an executable placed in /etc/letsencrypt/renewal-hooks/deploy/, runs only after a successful renewal and is the right place to regenerate the TLSA record, because a 3 0 1 record stops matching the moment the new certificate is served. Resolvers may keep the old record for up to its TTL, so publish the new TLSA record next to the old one before the new certificate goes live and remove the old record only after the TTL has passed.
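The fingerprint command, the TYPE52 generic encoding and the renewal hook above can be combined in one script. The following is an added example, not code from this page, netfuture or pimylifeup: a Python script that reads the first certificate in a PEM file (so fullchain.pem yields the leaf), computes the association data for selector 0 (full certificate) and selector 1 (SubjectPublicKeyInfo, found by walking the DER structure), prints the record in both the native TLSA and the RFC 3597 TYPE52 syntax, and checks an existing record against a certificate. The embedded sample certificate is a constructed DER skeleton, not a real certificate. The deploy-hook directory /etc/letsencrypt/renewal-hooks/deploy/ and the RENEWED_LINEAGE and RENEWED_DOMAINS variables are certbot's; the default hostname is the page's example host and is an assumption.

```python
import base64
import hashlib
import os
import re
import sys

TLSA_RRTYPE = 52  # RFC 6698 type code, used for the RFC 3597 TYPE52 form

def pem_to_der(pem_text: str) -> bytes:
    """DER of the FIRST certificate in a PEM file. Like openssl x509, only the
    first block counts, so fullchain.pem yields the leaf certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def spki_from_cert(der: bytes) -> bytes:
    """SubjectPublicKeyInfo (selector 1), found by walking Certificate ->
    tbsCertificate -> [version] serial signature issuer validity subject SPKI."""
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                  # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    tag, _, end = _tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: SPKI not found")
    return der[pos:end]

def tlsa_hash(der: bytes, selector: int, matching: int) -> str:
    """Association data: selector picks the input, matching type the digest."""
    data = der if selector == 0 else spki_from_cert(der)
    if matching == 0:
        return data.hex().upper()       # matching type 0: full data, no hash
    algo = {1: "sha256", 2: "sha512"}[matching]
    return hashlib.new(algo, data).hexdigest().upper()

def tlsa_record(owner, der, usage=3, selector=0, matching=1, ttl=3600, generic=False):
    """Zone-file line in native TLSA syntax or in RFC 3597 generic TYPE52 syntax."""
    h = tlsa_hash(der, selector, matching)
    if not generic:
        return f"{owner} {ttl} IN TLSA {usage} {selector} {matching} {h}"
    rdlength = 3 + len(h) // 2          # three parameter bytes + association data
    return (f"{owner} {ttl} IN TYPE{TLSA_RRTYPE} \\# {rdlength} "
            f"{usage:02X} {selector:02X} {matching:02X} {h}")

def certificate_matches(record: str, der: bytes) -> bool:
    """Check a native-syntax TLSA line against a certificate (post-renewal sanity check)."""
    fields = record.split()
    selector, matching, h = int(fields[-3]), int(fields[-2]), fields[-1]
    return tlsa_hash(der, selector, matching) == h.upper()

def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (lengths < 256), used only to build the constructed sample."""
    n = len(body)
    return bytes([tag, n]) + body if n < 0x80 else bytes([tag, 0x81, n]) + body

# Constructed sample: an X.509-shaped DER skeleton with a fake EC key and signature.
# It is NOT a valid certificate; it only lets the walker and encoders run offline.
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201")))
                   + _der(0x03, b"\x00\x04" + b"\xAA" * 64))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))    # version v3
              + _der(0x02, b"\x01")                    # serialNumber
              + _SIG_ALG                               # signature
              + _der(0x30, b"")                        # issuer (empty Name)
              + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
              + _der(0x30, b"")                        # subject (empty Name)
              + SAMPLE_SPKI)
SAMPLE_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" + b"\x30\x06\x02\x01\x01\x02\x01\x01"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Run by certbot as a deploy hook (assumption: installed under
    # /etc/letsencrypt/renewal-hooks/deploy/), certbot exports RENEWED_LINEAGE and
    # RENEWED_DOMAINS; otherwise give a PEM path as the only argument.
    lineage = os.environ.get("RENEWED_LINEAGE", "")
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(lineage, "cert.pem")
    host = os.environ.get("RENEWED_DOMAINS", "www.netfuture.ch").split()[0]  # page's example host
    with open(path) as f:
        cert = pem_to_der(f.read())
    owner = f"_443._tcp.{host}."
    print(tlsa_record(owner, cert))                 # 3 0 1, as in the text
    print(tlsa_record(owner, cert, generic=True))   # same record in TYPE52 form
    print(tlsa_record(owner, cert, selector=1))     # 3 1 1, stable if the key is reused
```

Run it as `python3 tlsa.py /etc/letsencrypt/live/<fqdn>/fullchain.pem` to get the three zone lines; installed as a deploy hook it prints them only when certbot has actually renewed, which is the moment a 3 0 1 record needs replacing. certificate_matches() is the check to run against the published record once the new certificate is live.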