Please take care when deploying Let's Encrypt certificates...
the.lists at mgm51.com
Fri Nov 20 18:21:12 CET 2015
On 11/19/2015 7:58 PM, Viktor Dukhovni wrote:
> If you've published DANE TLSA records for your current certificate
> chain, and are considering switch to Let's Encrypt issued certificates,
> please do not forget:
> I've seen more than one of the early adopters of LE certificates
> neglect to update their TLSA records (a few TTLs) *before* deploying
> the new LE certificate chain.
Something else to keep in mind with the Let's Encrypt certificates is
that they have a 90-day lifetime with the automatic renewal process
starting at sixty days.
Using a Let's Encrypt certificate with DANE TLSA will require an alert
More information about the dane-users