PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E1".
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant "2 1 1" records need to be augmented soon with additional records matching the new "R3" and "E1", in advance of these reissuing your certificates.
Failure to act in time is likely to result in an outage once renewals switch to signing via "R3" or "E1".
Links to the actual certificates can be found at:
https://letsencrypt.org/certificates/
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-e1.pem
The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it, re-compute these for yourself):
; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D

; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
The above were computed with the attached "tlsagen" script, but it is prudent to also check with tools from other sources; this email message could well have been a forgery (I hope your copy matches what I sent).
On Mon, Sep 21, 2020 at 04:22:08AM -0200, Viktor Dukhovni wrote:
Links to the actual certificates can be found at:
https://letsencrypt.org/certificates/
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-e1.pem
The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it, re-compute these for yourself):
; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D

; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
It was correctly noted in:
https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172...
that the "backup" CAs should also be listed, as LE might need to switch to using them in an emergency without prior notice.
Therefore the full list of DANE-TA(2) digests to publish (when relying on these rather than "3 1 1" records) is:
; (These can be retired soon, but not just yet)
;
; letsencryptauthorityx3.pem
; letsencryptauthorityx4.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
_25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B

; (May not be needed if your leaf cert is RSA, ECDSA certs
; will I expect be soon signed with one of these).
;
; lets-encrypt-e1.pem
; lets-encrypt-e2.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
_25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270

; (May not be needed if your leaf cert is ECDSA, once
; ECDSA certificate issuance cuts over to e1/e2).
;
; lets-encrypt-r3.pem
; lets-encrypt-r4.pem
On Sep 21, 2020, at 4:22 AM, Viktor Dukhovni ietf-dane@dukhovni.org wrote:
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E1".
This has now happened. New Let's Encrypt certificates are being issued via "R3" and "X3" has been retired:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
https://letsencrypt.org/certificates/#intermediate-certificates
Over the next 60-90 days the remaining not yet expired or renewed certificate chains issued by "X3" will still age out, at which point no one will need to include the "X3" or "X4" hashes in their TLSA records.
If your TLSA records still include only "X3", the current renewal cycle is your last opportunity to add the hashes "R3", "R4", "E1" and "E2" to your TLSA RRset. The extant "X3" hash can be removed once a new certificate issued by one of the new CAs is deployed.
Over the last few days the DANE survey has started reporting a handful of new failures each day that resulted from a new "R3" certificate for an MX host whose TLSA RRset included only the "X3" hash. Please save yourself and me the trouble of dealing with this only after an initial outage.
Also as explained in:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Please avoid issuer TLSA records with selector Cert(0), i.e. "2 0 1" and "2 0 2". These are much more fragile, and worse, "R3" and "R4" are cross-signed by two different issuers, so there are two different full cert hashes for R3 and R4, but just one underlying public key and corresponding "2 1 1" hash.
DO NOT use "2 0 1" or "2 0 2" records. The best choice is "2 1 1".
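Added example, not part of the thread and not Viktor's tlsagen script: a stdlib-only Python routine that extracts the SubjectPublicKeyInfo a "2 1 1" record hashes (as opposed to the whole DER certificate a "2 0 1" record hashes), so the digests posted above can be recomputed independently, and which shows on two constructed certificate skeletons signed by different issuers that the SPKI digest is identical while the full-cert digest differs, as with the cross-signed R3/R4 described above. The issuer names, serial, dates and key bits in the sample are placeholders, not real certificate data; feed pem_to_der() a real intermediate PEM from letsencrypt.org/certificates to reproduce the thread's hashes.

```python
import base64
import hashlib

def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the certificate body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def _der(buf, pos):
    """Decode the DER length at buf[pos]; return (content_start, content_end) of that element."""
    first = buf[pos + 1]
    if first < 0x80:                                  # short-form length
        return pos + 2, pos + 2 + first
    n = first & 0x7F                                  # long form: n length bytes follow
    return pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def spki_der(cert_der):
    """DER SubjectPublicKeyInfo of a certificate: the bytes a selector-1 ("2 1 1") record hashes."""
    pos = _der(cert_der, 0)[0]                        # enter the Certificate SEQUENCE
    pos = _der(cert_der, pos)[0]                      # enter the tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                         # optional [0] EXPLICIT version
        pos = _der(cert_der, pos)[1]
    for _ in range(5):                                # serialNumber, signature, issuer, validity, subject
        pos = _der(cert_der, pos)[1]
    return cert_der[pos:_der(cert_der, pos)[1]]

def tlsa_digest(cert_der, selector):
    """Matching type 1 (SHA-256) over selector 0 (whole cert) or 1 (SPKI), as upper-case hex."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    return hashlib.sha256(data).hexdigest().upper()

def _tlv(tag, content):
    """Minimal DER encoder for the constructed sample below (lengths under 256 bytes)."""
    n = len(content)
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + content

def sample_cert(issuer_cn, spki):
    """Constructed, unsigned certificate skeleton: enough structure for the parser, not a real cert."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _tlv(0x05, b""))  # sha256WithRSA
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"200921000000Z") + _tlv(0x17, b"250921000000Z")) + name(b"R3") + spki)
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00\x00"))

# Constructed SPKI (rsaEncryption identifier + dummy key bits): one CA key, two issuers, like cross-signed R3/R4.
SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + _tlv(0x05, b"")) + _tlv(0x03, b"\x00\x01\x02"))
CERT_A, CERT_B = sample_cert(b"Issuer A", SPKI), sample_cert(b"Issuer B", SPKI)
CERT_A_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_A).decode() + "\n-----END CERTIFICATE-----\n"
```

With the two constructed certificates, tlsa_digest(CERT_A, 1) == tlsa_digest(CERT_B, 1) while tlsa_digest(CERT_A, 0) != tlsa_digest(CERT_B, 0), which is exactly why a single "2 1 1" record covers both cross-signed variants and "2 0 1" does not.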