Please take care when deploying Let's Encrypt certificates...
If you've published DANE TLSA records for your current certificate chain, and are considering switching to Let's Encrypt issued certificates, please do not forget:
https://dane.sys4.de/common_mistakes#3
https://tools.ietf.org/html/rfc7671#section-8.1
I've seen more than one of the early adopters of LE certificates neglect to update their TLSA records (a few TTLs) *before* deploying the new LE certificate chain.
On 11/19/2015 7:58 PM, Viktor Dukhovni wrote:
> If you've published DANE TLSA records for your current certificate chain, and are considering switching to Let's Encrypt issued certificates, please do not forget:
> https://dane.sys4.de/common_mistakes#3
> https://tools.ietf.org/html/rfc7671#section-8.1
> I've seen more than one of the early adopters of LE certificates neglect to update their TLSA records (a few TTLs) *before* deploying the new LE certificate chain.
Something else to keep in mind with the Let's Encrypt certificates is that they have a 90-day lifetime with the automatic renewal process starting at sixty days.
Using a Let's Encrypt certificate with DANE TLSA will require an alert sysadmin.
https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetime...
On Fri, Nov 20, 2015 at 12:21:12PM -0500, Mike wrote:
> > https://dane.sys4.de/common_mistakes#3
> > https://tools.ietf.org/html/rfc7671#section-8.1
> > I've seen more than one of the early adopters of LE certificates neglect to update their TLSA records (a few TTLs) *before* deploying the new LE certificate chain.
> Something else to keep in mind with the Let's Encrypt certificates is that they have a 90-day lifetime with the automatic renewal process starting at sixty days.
Automated replacement might make them entirely unsuitable for DANE-EE(3). That is, assuming the automation neglects the necessary DNS update precondition.
One of the most important features of DANE-EE(3) is that certificates DO NOT EXPIRE with DANE-EE(3). You replace it when you are ready to do it, not when the certificate goes up in smoke. The expiration is in the RRSIG end time, not in the certificate.
If you lose that with EE, DO NOT switch to LE. For port 25 SMTP it'll do more harm than good. By all means use LE for port 587 (different certs for the MTA and MSA).
The only way LE for port 25 with DANE can work is if renewal is possible with the same private key, and the TLSA records are "3 1 1", making certificate replacement a non-event.
The other way is to publish "2 0 1" records for the LE root CA (which MUST then appear in the server's chain) or "2 1 1" records for the LE intermediate CA (which must appear in the server's chain, but that's more typically true anyway).
Using "3 0 1" with LE 90 day certificates that are rotated automatically sounds like a recipe for disaster, unless deployment of the new certificate can be delayed (after it is obtained) and the required DNS updates automated, with the certificate deployed only once the DNS records have been fielded sufficiently long.
> Using a Let's Encrypt certificate with DANE TLSA will require an alert sysadmin.
> https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetime...
This does not discuss whether a new key is used for each renewal. Can anyone using LE automated rotation check whether the key stays the same or not?
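The following is an added example, not code from this thread or from any of its participants. It turns the two points above into a pre-deployment check: a "3 1 1" record is the SHA-256 of the certificate's SubjectPublicKeyInfo, so a renewal that keeps the same private key needs no DNS change, while a "3 0 1" record changes on every renewal; and a certificate must not be installed until a matching DANE-EE record has been published for a few TTLs. It includes a minimal DER walker so it runs with the standard library only. The certificates it checks are constructed DER skeletons (not real, signed X.509 certificates), the owner name `_25._tcp.mail.example.com.` and the two-TTL waiting period are assumptions, and only DANE-EE(3) records are evaluated (checking "2 x x" records would need the issuer chain).

```python
"""Pre-deployment TLSA check for a DANE-EE(3) server certificate.

Added example: publish the TLSA record first, wait a few TTLs, only then
install the certificate. Sample certificates below are constructed."""
import hashlib

# --- minimal DER helpers (enough to walk an X.509 certificate) -------------

def der_encode(tag, body):
    """Encode one DER TLV (used only to build the constructed sample certs)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body

def der_tlv(data, pos):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(data, start, end):
    """Yield (tag, elem_start, elem_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = der_tlv(data, pos)
        yield tag, pos, vend
        pos = vend

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cstart, cend = der_tlv(cert_der, 0)
    _, tbs_start, _ = next(der_children(cert_der, cstart, cend))
    _, tstart, tend = der_tlv(cert_der, tbs_start)
    fields = list(der_children(cert_der, tstart, tend))
    if fields[0][0] == 0xA0:                # explicit [0] version is present
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]     # sixth field is subjectPublicKeyInfo
    return cert_der[spki_start:spki_end]

# --- TLSA certificate association data (RFC 6698 selector / matching type) --

def tlsa_data(cert_der, selector, mtype):
    """Association data for selector (0=full cert, 1=SPKI) and matching type
    (0=exact, 1=SHA-256, 2=SHA-512), as lowercase hex."""
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return blob.hex()
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(blob).hexdigest()

def tlsa_rr(owner, usage, selector, mtype, cert_der):
    """Presentation-format TLSA record for the given certificate."""
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"

def safe_to_deploy(new_cert_der, rrset, now, ttl, min_ttls=2):
    """Decide whether new_cert_der may be installed on the server.

    rrset: published TLSA records as dicts with usage, selector, mtype, data and
    published (unix time). Only DANE-EE(3) records are evaluated. Returns (ok, reason)."""
    matching = [r for r in rrset if r["usage"] == 3
                and tlsa_data(new_cert_der, r["selector"], r["mtype"]) == r["data"].lower()]
    if not matching:
        return False, "no published DANE-EE record matches the new certificate"
    age = now - min(r["published"] for r in matching)
    if age < min_ttls * ttl:
        return False, f"matching record is only {age}s old; wait {min_ttls * ttl - age}s more"
    return True, "a matching record has been published long enough"

# --- constructed sample certificates (DER skeletons, not real X.509) ---------

def fake_spki(key_bytes):
    rsa_oid = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = der_encode(0x30, rsa_oid + der_encode(0x05, b""))
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))

def fake_cert(spki_der, serial):
    empty_seq = der_encode(0x30, b"")       # stand-in for signature/issuer/validity/subject
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))
                     + der_encode(0x02, serial) + empty_seq * 4 + spki_der)
    return der_encode(0x30, tbs + empty_seq + der_encode(0x03, b"\x00"))

KEY_A = fake_spki(b"\x01" * 128)           # long-lived key kept across renewals
KEY_B = fake_spki(b"\x02" * 128)           # a freshly generated key
CERT_OLD = fake_cert(KEY_A, b"\x01")       # currently deployed certificate
CERT_RENEWED = fake_cert(KEY_A, b"\x02")   # renewal with the SAME key
CERT_REKEYED = fake_cert(KEY_B, b"\x03")   # renewal with a NEW key

if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."   # assumed owner name
    published = [{"usage": 3, "selector": 1, "mtype": 1,
                  "data": tlsa_data(CERT_OLD, 1, 1), "published": 0}]
    print(tlsa_rr(owner, 3, 1, 1, CERT_OLD))
    print("same key, 3 1 1 unchanged:", tlsa_data(CERT_OLD, 1, 1) == tlsa_data(CERT_RENEWED, 1, 1))
    print("same key, 3 0 1 changed:  ", tlsa_data(CERT_OLD, 0, 1) != tlsa_data(CERT_RENEWED, 0, 1))
    print("deploy renewed:", safe_to_deploy(CERT_RENEWED, published, now=10000, ttl=3600))
    print("deploy rekeyed:", safe_to_deploy(CERT_REKEYED, published, now=10000, ttl=3600))
```

With a stable key and "3 1 1" records, the renewed certificate passes the check against the records already in DNS, so an automated renewal is a non-event. A rekeyed certificate fails until its own "3 1 1" record has been published and has aged past the waiting period; an automation that installs it earlier is exactly the failure mode described above.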