Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt is…

Author: Viktor Dukhovni
To: exim-users
Subject: Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates
On Mon, Sep 21, 2020 at 04:23:55AM -0200, Viktor Dukhovni via Exim-users wrote:

> Links to the actual certificates can be found at:
>
>     https://letsencrypt.org/certificates/
>     https://letsencrypt.org/certs/lets-encrypt-r3.pem
>     https://letsencrypt.org/certs/lets-encrypt-e1.pem
>
> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
> re-compute these for yourself):
>
>     ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
>     ;
>     _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
>
>     ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
>     ;
>     _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10


It was correctly noted in:

    https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane


that the "backup" CAs should also be listed, as LE might need to switch
to using them in an emergency without prior notice.

Therefore the full list of DANE-TA(2) digests to publish (when relying
on these rather than "3 1 1" records) is:

    ; (These can be retired soon, but not just yet)
    ;
    ; letsencryptauthorityx3.pem
    ; letsencryptauthorityx4.pem 
    ;
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B


    ; (May not be needed if your leaf cert is RSA, ECDSA certs
    ; will I expect be soon signed with one of these).
    ;
    ; lets-encrypt-e1.pem
    ; lets-encrypt-e2.pem
    ;
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270


    ; (May not be needed if your leaf cert is ECDSA, once 
    ; ECDSA certificate issuance cuts over to e1/e2).
    ;
    ; lets-encrypt-r3.pem
    ; lets-encrypt-r4.pem


-- 
    Viktor.
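The post asks readers to re-compute the "2 1 1" digests rather than take them on trust, and the `tlsagen` output shown is the record format to publish. The following is an added example (not code from the exim list, from Viktor, or from Let's Encrypt) that does that computation with the Python standard library only: it walks the certificate DER to the SubjectPublicKeyInfo, hashes it with SHA-256, renders the TLSA text, and compares the result with the digests quoted in the message. The DER walker, the helper names, and the synthetic sample certificate are assumptions made for the example; the sample is a constructed, structurally valid but unsigned X.509 shell, so it will not match any Let's Encrypt digest. It goes slightly beyond the post in two ways: it also handles v1 certificates that omit the version field, and it can render the "2 0 1" (whole-certificate) form for comparison.

```python
"""Compute DANE TLSA "2 1 1" records (SHA-256 over the SubjectPublicKeyInfo) from a
PEM certificate, using only the standard library.  Added example; the hand-rolled DER
walker, helper names and the synthetic sample certificate are assumptions, not code
from the exim list or from Let's Encrypt."""
import base64
import hashlib
import re

def _der_len(data, pos):
    """Decode a DER length field at data[pos]; return (length, offset of content)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def der_children(tlv):
    """Split a constructed DER TLV into its child TLVs (each returned as raw bytes)."""
    if not tlv[0] & 0x20:
        raise ValueError("not a constructed DER type")
    length, pos = _der_len(tlv, 1)
    end = pos + length
    children = []
    while pos < end:
        clen, cpos = _der_len(tlv, pos + 1)
        children.append(tlv[pos:cpos + clen])
        pos = cpos + clen
    return children

def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo DER from an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    fields = der_children(der_children(cert_der)[0])
    # v1 certificates omit the [0] version tag (0xA0), shifting the SPKI up one slot.
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def tlsa_record(cert_der, host="smtp.example.org", port=25, usage=2, selector=1):
    """Render a TLSA record with matching type 1 (SHA2-256).

    selector 1 hashes the SubjectPublicKeyInfo (the "2 1 1" form in the post);
    selector 0 hashes the whole certificate ("2 0 1"), which changes whenever the
    CA re-issues the same key, so "2 1 1" is the more stable choice for a TA.
    """
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    digest = hashlib.sha256(data).hexdigest().upper()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} 1 {digest}"

def match_published(cert_der, published):
    """Return the published "2 1 1" digest this certificate matches, or None.

    This is the "re-compute it yourself" check: compare your own digest of a
    downloaded issuer certificate against the values someone posted."""
    mine = tlsa_record(cert_der).split()[-1]
    for hexdigest in published:
        if hexdigest.strip().upper() == mine:
            return hexdigest
    return None

# Digests quoted in the post for R3 and E1 (copied from the message text).
PUBLISHED_LE_2_1_1 = [
    "8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D",  # R3
    "276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10",  # E1
]

# --- Constructed sample certificate (synthetic, unsigned, not a real CA cert) -------
def _tlv(tag, content):
    """Encode one short-form DER TLV (content under 128 bytes is enough here)."""
    if len(content) >= 0x80:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(content)]) + content

# SubjectPublicKeyInfo: id-ecPublicKey OID plus a dummy BIT STRING in place of a key.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D0201")))
                   + _tlv(0x03, bytes.fromhex("00DEADBEEF")))
_EMPTY_SEQ = _tlv(0x30, b"")  # stands in for sig alg, issuer, validity, subject
_TBS_V3 = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _EMPTY_SEQ * 4 + SAMPLE_SPKI)
_TBS_V1 = _tlv(0x30, _tlv(0x02, b"\x01") + _EMPTY_SEQ * 4 + SAMPLE_SPKI)
SAMPLE_CERT_V3 = _tlv(0x30, _TBS_V3 + _EMPTY_SEQ + _tlv(0x03, b"\x00\xff"))
SAMPLE_CERT_V1 = _tlv(0x30, _TBS_V1 + _EMPTY_SEQ + _tlv(0x03, b"\x00\xff"))

def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

SAMPLE_PEM = to_pem(SAMPLE_CERT_V3)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(tlsa_record(der))
    print("matches a published LE digest:", match_published(der, PUBLISHED_LE_2_1_1))
```

To check a real issuer certificate, replace `SAMPLE_PEM` with the contents of the downloaded `lets-encrypt-r3.pem` or `lets-encrypt-e1.pem` file; the digest produced by `tlsa_record` should equal the one shown for that file in the post. The same value comes from the OpenSSL pipeline `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, which is a convenient cross-check against a hand-written parser.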