{"id":13929881,"url":"https://github.com/TheTesla/cryptdomainmgr","last_synced_at":"2025-07-19T12:30:46.852Z","repository":{"id":53655026,"uuid":"115055850","full_name":"TheTesla/cryptdomainmgr","owner":"TheTesla","description":"automate certificate, TLSA, DKIM and many more","archived":false,"fork":false,"pushed_at":"2022-10-31T11:26:08.000Z","size":550,"stargazers_count":28,"open_issues_count":2,"forks_count":2,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-11-26T19:36:37.459Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheTesla.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-21T23:21:27.000Z","updated_at":"2022-08-28T15:38:37.000Z","dependencies_parsed_at":"2023-01-20T13:01:39.816Z","dependency_job_id":null,"html_url":"https://github.com/TheTesla/cryptdomainmgr","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/TheTesla/cryptdomainmgr","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTesla%2Fcryptdomainmgr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTesla%2Fcryptdomainmgr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTesla%2Fcryptdomainmgr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTesla%2Fcryptdomainmgr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheTesla","download_url":"https://codeload.github.com/TheTesla/cryptdomainmgr/tar.gz/refs/heads/master","sbom_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheTesla%2Fcryptdomainmgr/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265934185,"owners_count":23852086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-07T18:02:36.389Z","updated_at":"2025-07-19T12:30:46.347Z","avatar_url":"https://github.com/TheTesla.png","language":"Python","readme":"[![Build Status](https://app.travis-ci.com/TheTesla/cryptdomainmgr.svg?branch=master)](https://app.travis-ci.com/TheTesla/cryptdomainmgr)\n\n# Crypto Domain Manager\n\nAutomate all your cryptographic needs!\n\n## Goals\n\n* Zero downtime\n* Automatic certificate renewal\n* Spam protection\n* Updated DNS records\n\nConfigure once and always stay up to date.\n\n## Use cases\n\n* Renew letsencrypt certificates\n* Derive all kinds of data from the signature\n* Ensure everything is secure\n\n## External Service APIs\n\n* Domain Certificate: [letsencrypt.org](https://letsencrypt.org)\n* DNS Record Updates: [inwx.de](https://inwx.de)\n\n## Linux Services\n\n* DKIM signatures:\n  * rspamd\n* Reload systemd services:\n  * apache2\n  * postfix\n  * dovecot\n  * rspamd\n  * traefik in Docker\n\n## Managed DNS Records\n\n* TLSA - for [DNS based authentication of named entities](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) DANE\n* DKIM - domain keys for email signatures and spam detection\n* CAA - specify the CA\n* DMARC, SPF, ADSP - configure secure DNS\n\n## No downtime strategy\n\nUpdating keys, certificates and other material needs 3 steps to 
prevent gaps in availability:\n\n1. **Prepare**: Create certificates, keys etc. and publish corresponding records to DNS.\n2. **Rollover**: Apply new certificates and keys, because the negative cache TTL on DNS has now been reached.\n3. **Cleanup**: Delete everything that is no longer needed from disk and DNS.\n\n## Needed Plugins and Dependencies\n\n* **dnsuptools**: to interface with DNS API -- updating DNS entries\n* **dehydrated**: to get new certificate (included with cryptdomainmgr)\n* **rspamd**: to create (and use) DKIM keys\n\n## Installation\n\nThese libraries are needed for pycurl, which dnsuptools uses for automatic IP retrieval:\n```bash\napt install -y libcurl4-openssl-dev libssl-dev\n```\nThis command is used by dehydrated to communicate with letsencrypt for certificate renewal:\n```bash\napt install -y curl\n```\nFor DKIM we need rspamd:\n```bash\napt install -y lsb-release wget # optional\nCODENAME=`lsb_release -c -s`\nwget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -\necho \"deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main\" \u003e /etc/apt/sources.list.d/rspamd.list\necho \"deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main\" \u003e\u003e /etc/apt/sources.list.d/rspamd.list\napt update\napt install -y rspamd\n```\nNow install the cryptdomainmgr. 
This pulls in all needed dependencies.\n```bash\npython2 -m pip install cryptdomainmgr\n```\nFeel free to try python3, but inwx client doesn't support it.\n```bash\npython3 -m pip install cryptdomainmgr\n```\n\n## Documentation\n\nWe need help here!\n\nFor now please look at:\n* German project description and tutorial: https://www.entroserv.de/offene-software/cryptdomainmgr\n* Slides: https://github.com/TheTesla/cryptdomainmgr-talk\n* Look at the example config files\n\nHints:\n* Multiple config files with priority are allowed\n* Specify the content of a config file as an argument\n\n## Next goals\n\n* improve documentation\n* docker support - partly done, ToDo: label handling needed, daemon mode without external shell script needed\n* website\n* automated tests - partly done\n* nsupdate for DNS updates\n\nLong term goals:\n* ARC key renewal\n* WPIA integration\n* DNSSEC key renewal\n* TXT record (may collide with SPF and other TXT based records)\n* multi server support for one domain: TLSA delete by timeout\n* constrain minimum renewal/phase time interval\n* validations - ensure signatures are used correctly\n* run as service\n* PowerDNS support\n\n## Contributions\n\nIf you like the project feel free to give me a star.\nPlease let us know if you use this project.\n\nAll kinds of contributions are welcome.\n","funding_links":[],"categories":["others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheTesla%2Fcryptdomainmgr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTheTesla%2Fcryptdomainmgr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheTesla%2Fcryptdomainmgr/lists"}