Problem with Let's Encrypt Certificate
Joseph Tam
jtam.home at gmail.com
Thu Feb 23 21:55:54 UTC 2017
On Thu, 23 Feb 2017, KT Walrus wrote:
>> It's on my to-do list, but I think you can use dehydrated in signing
>> mode.
>>
>> --signcsr (-s) path/to/csr.pem Sign a given CSR, output CRT on stdout (advanced usage)
>>
>> In this way, you can reuse private key, as well as making it more
>> secure by removing a privileged operation (private key access) allowing
>> dehydrated to be run as a non-privileged/separate user.
>
> You might want to check out this blog:
>
> http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
This was exactly the type of procedure I wanted: persistent key
that can be protected.
> The author outlines a procedure for using DANE and Let's Encrypt
> automatically generated certs in production. I don't really know much
> about DANE, but those wanting to implement it with free certs might
> want to check out this blog.
I don't use DANE either, but it looks fraught with stale-cache peril.
If DANE with rotating keys is your thing, I would lower the DANE record
TTL to something small like 60s one TTL period before cert renewal, then
set it back after cert renewal. Some DNS software will auto-decrement
TTL to expire at a certain time, then transition to the new definition.
Joseph Tam <jtam.home at gmail.com>
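As an added example (not from the thread or from dehydrated), this shows why the persistent-key procedure above sidesteps the stale-cache problem: a TLSA "3 1 1" record hashes only the certificate's SubjectPublicKeyInfo, so a certificate renewed from the same CSR/key produces the identical DNS record and no TTL juggling is needed. The hostname and the certificate bytes are constructed placeholders (a minimal, unsigned X.509 skeleton built inline); on a real host the DER would be read from the renewed cert file.

```python
import hashlib

SEQ, INT, BITSTR, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x17, 0xA0

def der_tlv(data, pos=0):
    """Decode one DER tag/length at data[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der(tag, content):
    """Encode one DER TLV (only used to build the constructed sample certs)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def spki_from_cert(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, tbs_start, _ = der_tlv(cert_der)                 # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, tbs_start)            # TBSCertificate SEQUENCE
    tag, _, after_version = der_tlv(cert_der, pos)
    if tag == CTX0:                                     # optional [0] EXPLICIT version
        pos = after_version
    for _ in range(5):                                  # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    _, _, spki_end = der_tlv(cert_der, pos)
    return cert_der[pos:spki_end]

def tlsa_3_1_1(cert_der, owner):
    """DANE-EE (usage 3), SPKI (selector 1), SHA-256 (matching 1) record text."""
    return f"{owner} IN TLSA 3 1 1 {hashlib.sha256(spki_from_cert(cert_der)).hexdigest()}"

# Constructed placeholder SPKI (Ed25519 OID 1.3.101.112 with an all-zero key).
SAMPLE_SPKI = der(SEQ, der(SEQ, b"\x06\x03\x2b\x65\x70") + der(BITSTR, b"\x00" + bytes(32)))

def sample_cert(serial, not_before, spki=SAMPLE_SPKI):
    """Constructed, unsigned certificate skeleton: only the field order matters here."""
    validity = der(SEQ, der(UTCTIME, not_before) + der(UTCTIME, b"491231235959Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, serial) + der(SEQ, b"")
              + der(SEQ, b"") + validity + der(SEQ, b"") + spki)
    return der(SEQ, tbs + der(SEQ, b"") + der(BITSTR, b"\x00"))

OWNER = "_25._tcp.mail.example.com."                      # placeholder MX host
OLD_CERT = sample_cert(b"\x01", b"170101000000Z")        # cert before renewal
NEW_CERT = sample_cert(b"\x02", b"170301000000Z")        # renewed from the same key

def record_is_stable(old=OLD_CERT, new=NEW_CERT):
    """True when renewal with a persistent key leaves the TLSA record unchanged."""
    return tlsa_3_1_1(old, OWNER) == tlsa_3_1_1(new, OWNER)
```

Run this against the old and new certificate before publishing: an unchanged record means no TLSA update and no TTL lowering are required for that renewal.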