package dns-certify

val signing_request : [ `host ] Domain_name.t -> ?more_hostnames:[ `host ] Domain_name.t list -> X509.Private_key.t -> X509.Signing_request.t

signing_request name ~more_hostnames key creates an X.509 signing request where name will be the common name in its subject, and if more_hostnames is provided and non-empty, name :: more_hostnames will be the value of a subjectAlternativeName extension.

val letsencrypt_name : 'a Domain_name.t -> ([ `raw ] Domain_name.t, [> `Msg of string ]) result

letsencrypt_name host is the service name at which we store Let's Encrypt certificates for the host.

type u_err = [
  | `Tsig of Dns_tsig.e
  | `Bad_reply of Dns.Packet.mismatch * Dns.Packet.t
  | `Unexpected_reply of Dns.Packet.reply
]

The type of update errors.

val pp_u_err : u_err Fmt.t

pp_u_err ppf u pretty-prints u on ppf.

val nsupdate : (int -> Cstruct.t) -> (unit -> Ptime.t) -> host:[ `host ] Domain_name.t -> keyname:'b Domain_name.t -> zone:[ `host ] Domain_name.t -> Dns.Dnskey.t -> X509.Signing_request.t -> (Cstruct.t * (Cstruct.t -> (unit, [> u_err ]) result), [> `Msg of string ]) result

nsupdate rng now ~host ~keyname ~zone dnskey csr is a buffer with a DNS update that removes all TLSA records from the given host, and adds a single TLSA record containing the certificate signing request. It also returns a function which decodes a given answer, checks it to be a valid reply, and returns either unit or an error. The outgoing packet is signed with the provided dnskey, and the answer is checked to be signed by the same key. If the sign operation fails, nsupdate returns an error.

type q_err = [
  | `Decode of Dns.Packet.err
  | `Bad_reply of Dns.Packet.mismatch * Dns.Packet.t
  | `Unexpected_reply of Dns.Packet.reply
  | `No_tlsa
]

The type for query errors.

val pp_q_err : q_err Fmt.t

pp_q_err ppf q pretty-prints q on ppf.

val query : (int -> Cstruct.t) -> X509.Public_key.t -> [ `host ] Domain_name.t -> (Cstruct.t * (Cstruct.t -> (X509.Certificate.t, [> q_err ]) result), [> `Msg of string ]) result

query rng pubkey name is a buffer with a DNS TLSA query for the given name, and a function that decodes a given answer, either returning an X.509 certificate or an error.
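A client-side round trip through nsupdate and query, as an added example that is not part of dns-certify: it builds a CSR, publishes it with a TSIG-signed update, verifies the signed reply with the returned decoder, then queries the TLSA record for the issued certificate. It assumes the Unix, Mirage_crypto_rng, Ptime_clock, Fmt and X509 libraries (Mirage_crypto_rng_unix.initialize, X509.Private_key.generate and Dns.Dnskey.name_key_of_string are assumed APIs), and the server address and TSIG key string are placeholders.

```ocaml
(* Added example, not dns-certify code. Placeholders: server IP, TSIG key string. *)
let ( let* ) = Result.bind

(* DNS over TCP (RFC 1035): 2-byte big-endian length prefix, then the message. *)
let send_recv_tcp ~ip ~port (msg : Cstruct.t) : Cstruct.t =
  let fd = Unix.(socket PF_INET SOCK_STREAM 0) in
  Unix.connect fd (Unix.ADDR_INET (Unix.inet_addr_of_string ip, port));
  let len = Cstruct.length msg in
  let out = Bytes.make (2 + len) '\000' in
  Bytes.set out 0 (Char.chr (len lsr 8));
  Bytes.set out 1 (Char.chr (len land 0xff));
  Bytes.blit_string (Cstruct.to_string msg) 0 out 2 len;
  ignore (Unix.write fd out 0 (Bytes.length out));
  let really_read n =                       (* read exactly n bytes or fail *)
    let b = Bytes.create n in
    let rec go off =
      if off < n then begin
        let r = Unix.read fd b off (n - off) in
        if r = 0 then failwith "connection closed by server";
        go (off + r)
      end in
    go 0; b in
  let hdr = really_read 2 in
  let n = (Char.code (Bytes.get hdr 0) lsl 8) lor Char.code (Bytes.get hdr 1) in
  let body = really_read n in
  Unix.close fd;
  Cstruct.of_string (Bytes.to_string body)

let msg_of_err pp e = `Msg (Fmt.to_to_string pp e)

(* Publish a CSR for [host] in its TLSA record, then fetch the certificate. *)
let publish_and_fetch ~server ~host ~zone ~key_string =
  Mirage_crypto_rng_unix.initialize ();                 (* assumption: rng setup *)
  let rng n = Mirage_crypto_rng.generate n and now () = Ptime_clock.now () in
  let* keyname, dnskey = Dns.Dnskey.name_key_of_string key_string in
  let key = X509.Private_key.generate `RSA in           (* assumption: x509 API *)
  let csr = Dns_certify.signing_request host key in
  let* update, check = Dns_certify.nsupdate rng now ~host ~keyname ~zone dnskey csr in
  (* [check] only accepts a reply signed with the same TSIG key as the update *)
  let reply = send_recv_tcp ~ip:server ~port:53 update in
  let* () = Result.map_error (msg_of_err Dns_certify.pp_u_err) (check reply) in
  let* q, decode = Dns_certify.query rng (X509.Private_key.public key) host in
  let answer = send_recv_tcp ~ip:server ~port:53 q in
  Result.map_error (msg_of_err Dns_certify.pp_q_err) (decode answer)

let () =
  let host = Domain_name.(host_exn (of_string_exn "www.example.com")) in
  let zone = Domain_name.(host_exn (of_string_exn "example.com")) in
  match publish_and_fetch ~server:"192.0.2.53" ~host ~zone
          ~key_string:"PLACEHOLDER_KEYNAME:PLACEHOLDER_ALG:PLACEHOLDER_BASE64" with
  | Ok cert -> Fmt.pr "certificate:@ %a@." X509.Certificate.pp cert
  | Error (`Msg m) -> Fmt.epr "failed: %s@." m
```

In practice the certificate is not available immediately after the update, so the query step is repeated until decode stops returning `No_tlsa.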