Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt is…

Author: Dan Egli
Date:
To: exim-users
Subject: Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates
On 9/21/2020 1:51 AM, Viktor Dukhovni via Exim-users wrote:

>      https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane
>
> that the "backup" CAs should also be listed, as LE might need to switch
> to using them in an emergency without prior notice.
>
> Therefore the full list of DANE-TA(2) digests to publish (when relying
> on these rather than "3 1 1" records) is:
>
>      ; (These can be retired soon, but not just yet)
>      ;
>      ; letsencryptauthorityx3.pem
>      ; letsencryptauthorityx4.pem
>      ;
>      _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
>      _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
>
>      ; (May not be needed if your leaf cert is RSA, ECDSA certs
>      ; will I expect be soon signed with one of these).
>      ;
>      ; lets-encrypt-e1.pem
>      ; lets-encrypt-e2.pem
>      ;
>      _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
>      _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
>
>      ; (May not be needed if your leaf cert is ECDSA, once
>      ; ECDSA certificate issuance cuts over to e1/e2).
>      ;
>      ; lets-encrypt-r3.pem
>      ; lets-encrypt-r4.pem


Forgive me for being a bit dense, but I'm new to the SSL world. I have
certificates by Let's Encrypt, generated about a month ago. Where and how
do I look to determine if I need new certificates? And what's with the
TLSA DNS entries? I've never heard of a TLSA record.

Thanks!

--

Dan Egli on my Test Site
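
As an added illustration (not part of the original message, and not Exim or Let's Encrypt code), the sketch below shows how a "2 1 1" TLSA digest like those quoted above is derived: usage 2 (DANE-TA) pins an issuer CA, selector 1 selects its SubjectPublicKeyInfo, and matching type 1 is SHA-256 over that DER structure. The function names and the sample blob are constructed for this example; the sample is certificate-shaped DER, not a real certificate, and the input is assumed to hold a single certificate.

```python
import hashlib
import ssl

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the DER SubjectPublicKeyInfo of one certificate (PEM or DER bytes)."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    _, pos, _ = read_tlv(cert, 0)         # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)       # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                       # optional explicit [0] version field
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def tlsa_record(owner, cert, usage=2):
    """Format a '<usage> 1 1' TLSA RR: selector 1 = SPKI, matching type 1 = SHA-256."""
    digest = hashlib.sha256(spki_der(cert)).hexdigest().upper()
    return f"{owner} IN TLSA {usage} 1 1 {digest}"

# --- constructed sample data: certificate-shaped DER, not a real certificate ---
def der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

EC_P256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
              + der(0x06, bytes.fromhex("2a8648ce3d030107")))
SAMPLE_SPKI = der(0x30, EC_P256 + der(0x03, b"\x00\x04" + bytes(64)))
EMPTY = der(0x30, b"")                    # placeholder for fields the parser skips
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + EMPTY * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, TBS + EMPTY + der(0x03, bytes(257)))
```

Calling `tlsa_record("_25._tcp.smtp.example.org.", pem_bytes)` on the bytes of an issuer certificate file yields a line that can be compared with the records a zone publishes; passing `usage=3` with the server's own certificate gives the "3 1 1" form mentioned in the quoted text.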