{"id":27264299,"url":"https://github.com/stenstromen/gotlsaflare","last_synced_at":"2025-08-20T04:05:34.008Z","repository":{"id":115453556,"uuid":"598833285","full_name":"Stenstromen/gotlsaflare","owner":"Stenstromen","description":"Go binary for updating TLSA DANE record on cloudflare from x509 Certificate","archived":false,"fork":false,"pushed_at":"2025-07-29T20:30:46.000Z","size":82,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-07T00:48:41.048Z","etag":null,"topics":["automation","certificate","cloudflare","dane","dns","go","security","tlsa","x509"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Stenstromen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-02-07T22:28:29.000Z","updated_at":"2025-07-29T20:28:08.000Z","dependencies_parsed_at":"2023-11-07T04:04:56.854Z","dependency_job_id":"dec65b21-9205-42c4-ad2b-e51e67e96656","html_url":"https://github.com/Stenstromen/gotlsaflare","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/Stenstromen/gotlsaflare","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Stenstromen%2Fgotlsaflare","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Stenstromen%2Fgotlsaflare/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Stenstromen%2Fgotlsaflare/releases","manifests_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/Stenstromen%2Fgotlsaflare/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Stenstromen","download_url":"https://codeload.github.com/Stenstromen/gotlsaflare/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Stenstromen%2Fgotlsaflare/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271262767,"owners_count":24728979,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-20T02:00:09.606Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","certificate","cloudflare","dane","dns","go","security","tlsa","x509"],"created_at":"2025-04-11T06:55:27.751Z","updated_at":"2025-08-20T04:05:33.980Z","avatar_url":"https://github.com/Stenstromen.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- markdownlint-disable MD051 --\u003e\n# GoTLSAFlare\n\n![GoTLSAFlare](./gotlsaflare.webp)\n\n- [GoTLSAFlare](#gotlsaflare)\n  - [Description](#description)\n  - [Generate Cloudflare API Token](#generate-cloudflare-api-token)\n  - [Installation via Homebrew (MacOS/Linux - x86\\_64/arm64)](#installation-via-homebrew-macoslinux---x86_64arm64)\n  - [Download and Run Binary](#download-and-run-binary)\n  - [Build and Run Binary](#build-and-run-binary)\n  - [Example Usage](#example-usage)\n  - 
[Practical Usage](#practical-usage)\n    - [Create TLSA Record, DANE-EE (3 1 1) and DANE-TA (2 0 1)](#create-tlsa-record-dane-ee-3-1-1-and-dane-ta-2-0-1)\n    - [Create TLSA Record, DANE-TA (2 0 1) only](#create-tlsa-record-dane-ta-2-0-1-only)\n    - [Create TLSA Record, DANE-EE (3 1 1) only (default)](#create-tlsa-record-dane-ee-3-1-1-only-default)\n    - [Create TLSA Record with SHA2-512 matching type](#create-tlsa-record-with-sha2-512-matching-type)\n    - [Create TLSA Record with SHA2-512 matching type for both DANE-EE and DANE-TA](#create-tlsa-record-with-sha2-512-matching-type-for-both-dane-ee-and-dane-ta)\n    - [LetsEncrypt Certbot renewal hook](#letsencrypt-certbot-renewal-hook)\n    - [LetsEncrypt Certbot renewal hook with rolling update](#letsencrypt-certbot-renewal-hook-with-rolling-update)\n  - [Random Notes](#random-notes)\n    - [Generate DANE-EE Publickey SHA256 (3 1 1) TLSA Record](#generate-dane-ee-publickey-sha256-3-1-1-tlsa-record)\n    - [Generate DANE-EE Publickey SHA512 (3 1 2) TLSA Record](#generate-dane-ee-publickey-sha512-3-1-2-tlsa-record)\n    - [POST TLSA UPDATE](#post-tlsa-update)\n\n## Description\n\nGo binary for updating TLSA DANE record on cloudflare from x509 Certificate\n\n## Generate Cloudflare API Token\n\n1. Visit [https://dash.cloudflare.com/profile/api-tokens](https://dash.cloudflare.com/profile/api-tokens)\n2. Create Token\n3. \"Edit Zone DNS\" Template\n4. 
\"Zone Resources\" Include \u003e Specific Zone \u003e example.com\n\n## Installation via Homebrew (MacOS/Linux - x86_64/arm64)\n\n```bash\nbrew install stenstromen/tap/gotlsaflare\n```\n\n## Download and Run Binary\n\n- For **MacOS** and **Linux**: Checkout and download the latest binary from [Releases page](https://github.com/Stenstromen/gotlsaflare/releases/latest/)\n- For **Windows**: Build the binary yourself.\n\n## Build and Run Binary\n\n```bash\ngo build\n./gotlsaflare\n```\n\n## Example Usage\n\n```bash\n# Set Cloudflare API TOKEN\nexport TOKEN=\"# Cloudflare API TOKEN\"\n\n# Create TLSA Record, DANE-EE (3 1 1)\n./gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem\n\n# Update TLSA Record, DANE-EE (3 1 1)\n./gotlsaflare update --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem\n\n# Create TLSA Record, DANE-TA (2 0 1) only\n./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --no-dane-ee --cert path/to/fullchain.pem\n\n# Create TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1)\n./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem\n\n# Create TLSA Record, DANE-EE (3 1 1) only (default)\n./gotlsaflare create --url example.com --subdomain email --tcp25 --no-dane-ta --cert path/to/certificate.pem\n\n# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1)\n./gotlsaflare update --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem\n\n# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1) with rolling update (keeps old record for TTL seconds, then deletes it)\n./gotlsaflare update --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --rollover\n\n# Update TLSA Record, both DANE-EE (3 1 1) and DANE-TA (2 0 1) with custom TCP port\n./gotlsaflare update --url example.com --subdomain www --tcp-port 443 --dane-ta --cert path/to/fullchain.pem\n\n# Create 
TLSA Record with explicit selector (overrides defaults)\n./gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem --selector 0\n\n# Create TLSA Record with explicit selector for both DANE-EE and DANE-TA (overrides defaults)\n./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/certificate.pem --selector 0\n\n# Create TLSA Record with SHA2-512 matching type (default is SHA2-256)\n./gotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem --matching-type 2\n\n# Create TLSA Record with SHA2-512 matching type for both DANE-EE and DANE-TA\n./gotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/certificate.pem --matching-type 2\n```\n\n```bash\nUsage of ./gotlsaflare\nGo binary for updating TLSA DANE record on Cloudflare from x509 Certificate.\n\nUsage:\n  gotlsaflare [command]\n\nAvailable Commands:\n  completion  Generate the autocompletion script for the specified shell\n  create      Create TLSA DNS Record\n  help        Help about any command\n  update      Update TLSA DNS Record\n\nFlags:\n  -h, --help   help for gotlsaflare\n\nUse \"gotlsaflare [command] --help\" for more information about a command.\n```\n\n## Practical Usage\n\n### Create TLSA Record, DANE-EE (3 1 1) and DANE-TA (2 0 1)\n\n```bash\nexport TOKEN=\"# Cloudflare API TOKEN\"\ngotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem\n```\n\n### Create TLSA Record, DANE-TA (2 0 1) only\n\n```bash\nexport TOKEN=\"# Cloudflare API TOKEN\"\ngotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --no-dane-ee --cert path/to/fullchain.pem\n```\n\n### Create TLSA Record, DANE-EE (3 1 1) only (default)\n\n```bash\nexport TOKEN=\"# Cloudflare API TOKEN\"\ngotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem\n```\n\n### Create TLSA Record with SHA2-512 matching 
type\n\n```bash\nexport TOKEN=\"# Cloudflare API TOKEN\"\ngotlsaflare create --url example.com --subdomain email --tcp25 --cert path/to/certificate.pem --matching-type 2\n```\n\n### Create TLSA Record with SHA2-512 matching type for both DANE-EE and DANE-TA\n\n```bash\nexport TOKEN=\"# Cloudflare API TOKEN\"\ngotlsaflare create --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --matching-type 2\n```\n\n### LetsEncrypt Certbot renewal hook\n\n```bash\n# Update TLSA Record, DANE-EE (3 1 1)\necho \"TOKEN='Cloudflare API TOKEN' gotlsaflare update --url example.com --subdomain email --tcp25 --cert path/to/fullchain.pem\" \u003e\u003e /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh\n\n# Restart Postfix service\necho 'systemctl restart postfix.service' \u003e\u003e /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh\n\n# Make script executable and readable by root only (it contains the API token)\nchmod 700 /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh\n\n# Restart Certbot service\nsystemctl restart certbot.service\n```\n\n### LetsEncrypt Certbot renewal hook with rolling update\n\n```bash\n# Update TLSA Record, DANE-EE (3 1 1) and DANE-TA (2 0 1), with rolling update\necho \"TOKEN='Cloudflare API TOKEN' gotlsaflare update --url example.com --subdomain email --tcp25 --dane-ta --cert path/to/fullchain.pem --rollover\" \u003e\u003e /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh\n\n# Restart Postfix service\necho 'systemctl restart postfix.service' \u003e\u003e /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh\n\n# Make script executable and readable by root only (it contains the API token)\nchmod 700 /etc/letsencrypt/renewal-hooks/post/update-tlsa.sh\n\n# Restart Certbot service\nsystemctl restart certbot.service\n```\n\n## Random Notes\n\n### Generate DANE-EE Publickey SHA256 (3 1 1) TLSA Record\n\n```bash\n# openssl pkey reads RSA and ECDSA public keys alike (openssl rsa fails on ECDSA keys)\nopenssl x509 -noout -pubkey -in fullchain.pem | openssl pkey -pubin -outform DER | sha256sum\n```\n\n### Generate DANE-EE Publickey SHA512 (3 1 2) TLSA Record\n\n```bash\nopenssl x509 -noout -pubkey -in fullchain.pem | openssl pkey -pubin 
-outform DER | sha512sum\n```\n\n### POST TLSA UPDATE\n\n`https://api.cloudflare.com/client/v4/zones/:identifier/dns_records`\n\n```json\n{\n    \"type\":\"TLSA\",\n    \"name\":\"_25._tcp.test\",\n    \"data\":\n        {\n        \"usage\":3,\n        \"selector\":1,\n        \"matching_type\":1,\n        \"certificate\":\"SHA256SUM\"\n        },\n    \"ttl\":3600,\n    \"priority\":10,\n    \"proxied\":false,\n    \"comment\":\"This is a comment\"\n}\n```\n\nExample with SHA2-512:\n\n```json\n{\n    \"type\":\"TLSA\",\n    \"name\":\"_25._tcp.test\",\n    \"data\":\n        {\n        \"usage\":3,\n        \"selector\":1,\n        \"matching_type\":2,\n        \"certificate\":\"SHA512SUM\"\n        },\n    \"ttl\":3600,\n    \"priority\":10,\n    \"proxied\":false,\n    \"comment\":\"This is a comment\"\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstenstromen%2Fgotlsaflare","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstenstromen%2Fgotlsaflare","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstenstromen%2Fgotlsaflare/lists"}