Ahoj,
Dňa Thu, 16 Nov 2023 15:12:15 -0500 Viktor Dukhovni via Exim-users
<exim-users@???> napísal:
> I don't recommend DANE-TA(2), and encourage use of DANE-EE(3) instead.
I am far from DANE expert, but my understanding is, that DANE-TA is
good for own CAs, where one have full control on (intermediate) CA's
certs and its renews.
If one use that for foreign CA, soon or latter can meet unexpected CA
certificate replace, and monitoring can only avoid to problem persist
for long time, but not avoid to happen. Right?
> You do however need to be more sophisticated about any key rollovers
> that you do perform from time to time.
IMO not as sophisticated is needed. I still don't use DANE yet, but i am
in stage of preparation for it.
For now i have SMTP's cert with persistent key already. I have deploy
(shell) script on MX, which detects certificate change (systemd's path
unit), and on change it compares old and new cert's keys and if they
match, it copies new certificate to right place (and exim auto-reloads
it). This part works for some time (months) already.
If keys doesn't match, it has to reject cert update/replace and
notifies me (as i need manually modify DNS), but this part is not
tested yet. The notification contains new required TLSA-EE value(s),
thus can be simply switched to automate TLSA change, when my provider
will start to support that.
> I have a partial (usabel work-in-progress) solution to that workflow
> for "certbot" in the form of:
>
> https://github.com/tlsaware/danebot
>
> Any motivated and suitably skilled volunteers?
I take quick look on it. I am not very open to "wrapper" solution. Does
it something, what is not possible from certbot's deploy hook?
regards
--
Slavko
https://www.slavino.sk
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
