Problem with Let's Encrypt Certificate

Gedalya gedalya at gedalya.net
Mon Feb 20 01:55:45 UTC 2017


On 02/19/2017 08:39 PM, Michael A. Peters wrote:
> Every time I change the private key -
>
> A) I have to make a TLSA record for the new key 

You're actually expected to pin the CA in your TLSA record, not your own key.

https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

http://www.internetsociety.org/deploy360/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/

https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

I had the privilege of being auto-yelled at by Viktor Dukhovni over forgetting to adjust my TLSA after changing certificates for SMTP. I would however prefer to automate the process of pushing new TLSA records, waiting out twice the TTL and then pushing the certificate. Going through this every time would ensure I have valid records every time, without having to worry about the CA key changing. This is on my to-do list, for SMTP, XMPP, IMAP etc.
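An added example, not code from the thread, from Dovecot, or from any of the linked posts: a small Go program (standard library only) that computes TLSA association data for a certificate chain, checks a served chain against a set of published records the way a DANE-aware SMTP client does (usage 3 against the leaf, usage 2 against an issuer in the chain), and walks through the renewal case discussed above: a "3 1 1" record pinned to the old key stops matching as soon as the key changes, a "2 1 1" record pinned to the CA keeps matching across key changes but not across a change of CA. The toy CA, the hostname mail.example.net and the two-times-TTL rule in SafeToSwap are assumptions taken from this post, not from any real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// TLSA is one RDATA set from RFC 6698: usage, selector, matching type, association data (hex).
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      string
}

// TLSAFor computes the association data for cert: selector 0 = whole DER certificate,
// 1 = SubjectPublicKeyInfo; matching 0 = exact bytes, 1 = SHA-256.
func TLSAFor(cert *x509.Certificate, usage, selector, matching uint8) TLSA {
	in := cert.Raw
	if selector == 1 {
		in = cert.RawSubjectPublicKeyInfo
	}
	if matching == 1 {
		sum := sha256.Sum256(in)
		in = sum[:]
	}
	return TLSA{usage, selector, matching, hex.EncodeToString(in)}
}

// ChainMatches reports whether a served chain (leaf first) satisfies at least one record: usage 3
// (DANE-EE) against the leaf, usage 2 (DANE-TA) against an issuer sent in the chain; 0 and 1 skipped (RFC 7672).
func ChainMatches(records []TLSA, chain []*x509.Certificate) bool {
	if len(chain) == 0 { return false }
	for _, r := range records {
		candidates := chain[:1]
		if r.Usage == 2 {
			candidates = chain[1:]
		} else if r.Usage != 3 {
			continue
		}
		for _, c := range candidates {
			if TLSAFor(c, r.Usage, r.Selector, r.Matching).Data == r.Data {
				return true
			}
		}
	}
	return false
}

// SafeToSwap is the post's waiting rule: swap the certificate only after the new record has been
// published for at least twice the TLSA RRset's TTL.
func SafeToSwap(publishedAt, now time.Time, ttl time.Duration) bool {
	return !now.Before(publishedAt.Add(2 * ttl))
}

func must(err error) { if err != nil { panic(err) } }

// issue mints a throwaway certificate (hypothetical toy PKI so the checks run offline);
// parent == nil makes it self-signed, i.e. a CA.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

type Outcome struct {
	EEOldRecordFitsNewKey bool // "3 1 1" for the old leaf key, after the leaf key changes
	EENewRecordFitsNewKey bool // "3 1 1" republished for the new leaf key
	TARecordFitsBothKeys  bool // "2 1 1" for the CA, before and after the leaf key changes
	TARecordFitsNewCA     bool // "2 1 1" for the old CA, after the CA itself changes key
}

// Scenario renews mail.example.net's leaf under the same CA, then under a new CA key.
func Scenario() Outcome {
	ca, caKey := issue("Toy CA", true, 1, nil, nil)
	oldLeaf, _ := issue("mail.example.net", false, 2, ca, caKey)
	newLeaf, _ := issue("mail.example.net", false, 3, ca, caKey)
	ca2, ca2Key := issue("Toy CA G2", true, 4, nil, nil)
	leafFromCA2, _ := issue("mail.example.net", false, 5, ca2, ca2Key)
	ta := []TLSA{TLSAFor(ca, 2, 1, 1)}
	return Outcome{
		EEOldRecordFitsNewKey: ChainMatches([]TLSA{TLSAFor(oldLeaf, 3, 1, 1)}, []*x509.Certificate{newLeaf, ca}),
		EENewRecordFitsNewKey: ChainMatches([]TLSA{TLSAFor(newLeaf, 3, 1, 1)}, []*x509.Certificate{newLeaf, ca}),
		TARecordFitsBothKeys:  ChainMatches(ta, []*x509.Certificate{oldLeaf, ca}) && ChainMatches(ta, []*x509.Certificate{newLeaf, ca}),
		TARecordFitsNewCA:     ChainMatches(ta, []*x509.Certificate{leafFromCA2, ca2}),
	}
}
```

TLSAFor with selector 1 and matching 1 produces the same hex string as the usual shell pipeline on a real PEM file, `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, so the output can be compared against what is already in the zone. Note the caveat the last field makes concrete: a "2 1 1" record only matches an issuer certificate the server actually sends in its chain, so a record pinned to the current intermediate breaks when the CA starts issuing from a different one, which is why the rollover automation still has to check the served chain against the published records after every renewal, not just after a change of the leaf key.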




More information about the dovecot mailing list