On Mon, Sep 21, 2020 at 04:22:08AM -0200, Viktor Dukhovni wrote:
Links to the actual certificates can be found at:
https://letsencrypt.org/certificates/ https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-e1.pem
The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it, re-compute these for yourself):
; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1 ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1 ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
It was correclty noted in:
https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172...
that the "backup" CAs should also be listed, as LE might need to switch to using them in an emergency without prior notice.
Therefore the full list of DANE-TA(2) digests to publish (when relying on these rather than "3 1 1" records) is:
; (These can be retired soon, but not just yet) ; ; letsencryptauthorityx3.pem ; letsencryptauthorityx4.pem ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18 _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
; (May not be needed if your leaf cert is RSA, ECDSA certs ; will I expect be soon signed with one of these). ; ; lets-encrypt-e1.pem ; lets-encrypt-e2.pem ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10 _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
; (May not be needed if your leaf cert is ECDSA, once ; ECDSA certificate issuance cuts over to e1/e2). ; ; lets-encrypt-r3.pem ; lets-encrypt-r4.pem