Upcoming Let's Encrypt intermediate issuer certificate change...
If you're relying on DANE TLSA "2 0 1" or "2 0 2" records that match the current Let's Encrypt Intermediate certificate, you need to make appropriate plans for the switchover to a new intermediate CA cert on 2010-07-08:
https://scotthelme.co.uk/lets-encrypt-to-transition-to-isrg-root/
This will result in a change in the content (and digest) of the intermediate issuer cert. But the underlying public key is *not* changing. Therefore, the sensible solution is to switch before then to "2 1 1" records that will continue to work across the cutover.
The "2 1 1" record will of course have a different digest from the "2 0 1" record (and likewise for "2 1 2" vs. "2 0 2").
The stable key digests are:
2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
2 1 2 774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140
See also:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://github.com/danefail/list/issues/47#issuecomment-456623996
Participants (1)
- Viktor Dukhovni
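An added example, not part of the original post: a standard-library Python sketch showing why a selector 1 ("2 1 1" / "2 1 2") record survives re-issuance of a CA certificate with the same key while a selector 0 ("2 0 1") record does not. The helper names and the two certificate-shaped DER blobs are constructed for illustration (unsigned, not real certificates); on a real DER-encoded certificate `tlsa()` is used the same way.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        k = first & 0x7F
        first = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + first

def spki_der(cert):
    """Extract the complete subjectPublicKeyInfo TLV from a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                       # optional [0] version
        pos = end
    for _ in range(5):                    # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def tlsa(cert, selector, mtype, usage=2):
    """TLSA rdata: selector 0 hashes the whole cert, selector 1 only the SPKI."""
    data = cert if selector == 0 else spki_der(cert)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

def toy_cert(serial, spki):
    """Constructed, unsigned DER with a certificate's field layout (not a real cert)."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00" + b"\xAA" * 8))

KEY = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + b"\x42" * 200))  # constructed SPKI
OLD, NEW = toy_cert(1, KEY), toy_cert(2, KEY)   # same key, re-issued certificate

if __name__ == "__main__":
    for name, cert in (("old", OLD), ("new", NEW)):
        print(name, tlsa(cert, 0, 1), tlsa(cert, 1, 1), sep="\n  ")
```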