On Tue, Apr 12, 2022 at 10:03:23PM +0200, Ralph Seichter wrote:
> Re Viktor mentioning earlier on the Postfix mailing list that "there's a need for an example complete config file":
> https://letsdns.org/example.html shows a complete and functioning example, in which I have only changed the domain name to example.com.
> Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook function. LD generates DNS records for both the queued and the active certificate (found in /etc/postfix/tls). Two days later the queued cert is copied over the active one.
> This ensures a non-breaking certificate roll-over, further backed by the TLSA records LetsDNS generates for the CA certificate. Also, as is mentioned in the docs, LetsDNS deduplicates TLSA records automatically to avoid superfluous entries if possible.
> I hope this sheds a bit more light on what is happening.
Yes, this is helpful, and I encourage you to write up how the certificate lifecycle integrates with "letsdns", what custom actions are supposed to do, ... who's responsible for activating the "queued" certificate, ...
Presently it is not clear to me how the new tool is to be used. I hope you'll have some cycles to document the key use cases.
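To illustrate the roll-over scheme Ralph describes (TLSA records published for the active cert, the queued cert and the CA, with duplicates removed, and the queued cert activated only later), here is an added example that is not LetsDNS code; it assumes selector 1 / matching type 1 records, DANE-TA (usage 2) for the CA record, and uses constructed byte strings in place of real SubjectPublicKeyInfo blobs.

```python
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. In a real
# deployment these would be extracted from the certificate files under
# /etc/postfix/tls (active) and /var/lib/dehydrated/certs/example.com (queued).
ACTIVE_SPKI = b"constructed-spki-of-active-cert"
QUEUED_SPKI = b"constructed-spki-of-queued-cert"
CA_SPKI = b"constructed-spki-of-issuing-ca"


def tlsa_rdata(spki_der: bytes, usage: int) -> str:
    """TLSA rdata with selector 1 (SubjectPublicKeyInfo) and matching type 1
    (SHA-256): '<usage> 1 1 <hex digest>'. Usage 3 = DANE-EE, usage 2 = DANE-TA."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def rollover_records(active: bytes, queued: bytes, ca: bytes) -> list[str]:
    """Records that must be published while a queued certificate waits to
    replace the active one: DANE-EE for both end-entity certs plus DANE-TA for
    the CA. Duplicates (for example a renewal that reused the key pair) are
    dropped, so the published set never carries superfluous entries."""
    wanted = [tlsa_rdata(active, 3), tlsa_rdata(queued, 3), tlsa_rdata(ca, 2)]
    seen: set[str] = set()
    return [r for r in wanted if not (r in seen or seen.add(r))]


def safe_to_activate(published: list[str], queued: bytes) -> bool:
    """The queued cert may be copied over the active one only once its own
    DANE-EE record is already among the published records; otherwise peers
    validating against the old record set would fail the TLS handshake."""
    return tlsa_rdata(queued, 3) in published


if __name__ == "__main__":
    rrset = rollover_records(ACTIVE_SPKI, QUEUED_SPKI, CA_SPKI)
    for rdata in rrset:
        print("_25._tcp.mail.example.com. IN TLSA", rdata)
    print("queued cert may be activated:", safe_to_activate(rrset, QUEUED_SPKI))
```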