Question: Possible via CLI to reissue certificates with DANE + auto-create TLSA records?

Talistech

Basic Pleskian
Server operating system version: Ubuntu 22.04.5 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.73 Update #4
We are currently automating DNSSEC activation for all domains. Most of the process is already automated, but one part still requires manual action.

After enabling DNSSEC and adding the DS records, we still need to reissue the SSL certificates through the Plesk GUI and manually enable DANE support.
When doing this via the GUI, Plesk automatically requests a new certificate and then shows a screen asking you to add several TLSA records, for example:

We are ready to install the SSL/TLS certificate and provide DANE support for this domain.
Before you proceed, make sure that the following TLSA records are added to the DNS zone
and can be resolved externally.

Record type: TLSA
Domain name:
_25._tcp.mail.example.com.
_110._tcp.mail.example.com.
_465._tcp.mail.example.com.
_587._tcp.mail.example.com.
_993._tcp.mail.example.com.
_995._tcp.mail.example.com.

Is there a way to automate this entire step?

In short: I would like to fully automate certificate reissuance (including wildcard certificates), automatically enable DANE support, and have Plesk create the required TLSA records just like it does when using the web interface.

Any guidance or CLI/API references would be greatly appreciated.
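The TLSA names Plesk lists above are the standard DANE layout for the mail ports (`_<port>._tcp.<host>`). What Plesk does not show in the post is the record data, which is derived from the certificate. The following script is an added example, not Plesk's code and not anything posted in this thread; it assumes the records you want are "3 1 1" (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256), which is the form RFC 7671 recommends for end-entity keys, so compare its output with what the Plesk GUI shows before publishing anything. It uses only the Python standard library, and the certificate skeleton and hostname `mail.example.com` it runs on are constructed for illustration (the skeleton has the field layout of a real certificate but is unsigned); feed it a real PEM file via `tlsa_records_from_pem` for production use.

```python
# Added example: derive DANE "3 1 1" TLSA records for the mail ports from an
# X.509 certificate (DER or PEM). Standard library only; no Plesk code involved.
import base64
import hashlib
import ssl  # stdlib PEM -> DER helper

MAIL_PORTS = (25, 110, 465, 587, 993, 995)


def _tlv(data, pos):
    """Decode the header of one DER TLV at pos: (tag, value_start, value_end)."""
    tag, first = data[pos], data[pos + 1]
    if first & 0x80:                      # long form: the next N bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, start, start + length


def _elements(data, start, end):
    """List (tag, tlv_start, tlv_end) for every element inside a SEQUENCE body."""
    out, pos = [], start
    while pos < end:
        tag, _, value_end = _tlv(data, pos)
        out.append((tag, pos, value_end))
        pos = value_end
    return out


def spki_der(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert_start, cert_end = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_start, _ = _elements(cert_der, cert_start, cert_end)[0]
    _, body_start, body_end = _tlv(cert_der, tbs_start)
    fields = _elements(cert_der, body_start, body_end)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version; absent in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, end = fields[5]
    return cert_der[start:end]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RDATA for a "3 1 1" record: SHA-256 over the whole SPKI DER (RFC 6698 2.1.2)."""
    if (selector, mtype) != (1, 1):
        raise NotImplementedError("only selector 1 / matching type 1 is implemented here")
    return f"{usage} {selector} {mtype} {hashlib.sha256(spki_der(cert_der)).hexdigest()}"


def tlsa_records(hostname, cert_der, ports=MAIL_PORTS):
    """Zone-file lines for _<port>._tcp.<hostname>, one per mail port."""
    rdata = tlsa_rdata(cert_der)
    return [f"_{port}._tcp.{hostname}. IN TLSA {rdata}" for port in ports]


def tlsa_records_from_pem(hostname, pem_text, ports=MAIL_PORTS):
    """Same, for a PEM certificate such as the one an ACME client writes out."""
    return tlsa_records(hostname, ssl.PEM_cert_to_DER_cert(pem_text), ports)


# ---- constructed sample input (NOT a real, signed certificate) ----------------
def _enc(tag, body):
    """Minimal DER encoder, used only to build the sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


SAMPLE_SPKI = _enc(0x30,
    _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _enc(0x05, b""))   # rsaEncryption
    + _enc(0x03, b"\x00" + _enc(0x30, _enc(0x02, b"\x0b") + _enc(0x02, b"\x03"))))  # dummy key


def build_sample_cert(with_version=True):
    """Certificate skeleton with the real field order; v1 certificates omit [0] version."""
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    version = _enc(0xA0, _enc(0x02, b"\x02")) if with_version else b""
    tbs = _enc(0x30, version
               + _enc(0x02, b"\x01")                                      # serialNumber
               + sig_alg                                                  # signature
               + _enc(0x30, b"")                                          # issuer (empty Name)
               + _enc(0x30, _enc(0x17, b"250101000000Z") + _enc(0x17, b"260101000000Z"))
               + _enc(0x30, b"")                                          # subject
               + SAMPLE_SPKI)
    return _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00" + bytes(8)))     # dummy signature


def sample_cert_pem():
    """PEM rendering of the sample so the PEM code path can be exercised offline."""
    b64 = base64.encodebytes(build_sample_cert()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for line in tlsa_records_from_pem("mail.example.com", sample_cert_pem()):
        print(line)
```

Because a "3 1 1" record hashes the public key rather than the certificate, its value only changes when the key changes: a renewal that reuses the existing key leaves the published TLSA data valid, while a key rollover needs the new record published next to the old one (and resolvable externally, as the Plesk dialog says) before the new certificate is installed.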
 
@Talistech

Do you have unrestricted root access to your server? Do you manage all of your DNS inside, or outside of Plesk?
If you do have unrestricted root access to your server (we do) and you do manage all of your DNS outside of Plesk (we do) then there is a solution (below)
Can't usefully comment on configs different from this one, but others may do.

You can configure ALL of your DNSSEC and DANE via your external DNS management portal, not Plesk.
We do this, by using our IONOS Cloud Server Panels and various IONOS API Portals.
Yes, this section is all manual work, but you will only need to do this once (unless you need to make some other major server config changes later on).
Then, as opposed to using the Plesk GUI to reissue your SSL certificates, you can use an external provider instead. Several choices are available.
We use acme.sh and renew all of our SSL Certificates via correctly configured APIs (those supported by acme.sh & IONOS).
You can configure your own, chosen external provider to renew your SSL Certificates via cron jobs, to make this section automated.
There will be no requirement to add TLSA records every time as part of the SSL Certificate renewals (as you've posted above). See 3rd line above.
The final process, i.e. the installation of the SSL Certificates, you can still do manually through the Plesk GUI (which you're already familiar with) if you want to.
However, as these SSL Certificates are generated outside of Plesk, you can script the installation section instead.
This installation section would still not be automated though, unless, your script(s) are run via cron jobs that you also configure yourself.

Note: Stating the obvious, but you can add all other enhancements via your external DNS management portal as well as DNSSEC and DANE.
e.g. MTA-STS (Mail Transfer Agent Strict Transport Security) and/or many other items.
 
Hi, thanks for the detailed reply.

Yes, we have full root on the server and yes, we do use DNS inside of our Plesk. All nameservers are pointing to our Plesk and DNS is managed via the panel.
I know that it can be done via acme.sh or letsencrypt via CLI, but I wanted to use the built-in tools that are provided by Plesk for this.
For example if you want to renew your SSL certificate, you can achieve that with this command, but it does not "check" the DANE support.

But long story short: as you have suggested, we have achieved this with a custom script and created the TLSA DNS records manually (not via the Plesk GUI). DNSSEC is totally valid when we use online validators, but the checkmark on the SSL/TLS Certificate shows 'Not Secured'. But it's a false positive.

As I have found out, this checkmark can only be converted to 'Secured' if you reissue a new certificate, check DANE support and let Plesk create your TLSA records for you, then it becomes a green checkmark.
If you do the exact same steps via CLI the checkmark does not become green.

Thanks for your contribution to this topic! :) Appreciate it
 