Please take care when deploying Let's Encrypt certificates...

Mike the.lists at mgm51.com
Fri Nov 20 18:21:12 CET 2015


On 11/19/2015 7:58 PM, Viktor Dukhovni wrote:
> 
> If you've published DANE TLSA records for your current certificate
> chain, and are considering switching to Let's Encrypt issued certificates,
> please do not forget:
> 
>     https://dane.sys4.de/common_mistakes#3
> 
>     https://tools.ietf.org/html/rfc7671#section-8.1
> 
> I've seen more than one of the early adopters of LE certificates
> neglect to update their TLSA records (a few TTLs) *before* deploying
> the new LE certificate chain.
> 

Something else to keep in mind with the Let's Encrypt certificates is
that they have a 90-day lifetime with the automatic renewal process
starting at sixty days.

Using a Let's Encrypt certificate with DANE TLSA will require an alert
sysadmin.

https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetimes/264/9
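As an added example (not part of this thread or of the linked pages), here is a stdlib-only Python check for the point both posts make: compute the TLSA "3 0 1" (full certificate) and "3 1 1" (SubjectPublicKeyInfo) data from a DER certificate and report which of the currently published records already cover it, so the check can be run against the new Let's Encrypt chain before it is deployed. The minimal DER parser, the `_der` builder and `SAMPLE_CERT_DER` are constructed here for illustration; with selector 1 the record only changes when the key pair changes, which is why a renewal that keeps its key does not disturb a "3 1 1" record.

```python
import hashlib

def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Return (tag, tlv_start, tlv_end) for each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = _tlv(buf, pos)
        out.append((tag, pos, ve))
        pos = ve
    return out

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, s, e = _tlv(cert_der, 0)                                  # Certificate
    _, ts, te = _tlv(cert_der, _children(cert_der, s, e)[0][1])  # tbsCertificate
    fields = _children(cert_der, ts, te)
    if fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]    # serial, sigAlg, issuer, validity, subject, SPKI
    return cert_der[spki_start:spki_end]

def tlsa_data(cert_der, selector):
    """TLSA matching-type 1 (SHA-256) data for selector 0 (full cert) or 1 (SPKI)."""
    payload = cert_der if selector == 0 else extract_spki(cert_der)
    return hashlib.sha256(payload).hexdigest()

def matches_published(cert_der, records):
    """Published (usage, selector, mtype, hexdata) records that match this one certificate.
    An empty result for the new chain means the zone must be updated (and TTLs waited out) first."""
    return [r for r in records
            if r[2] == 1 and r[1] in (0, 1) and tlsa_data(cert_der, r[1]) == r[3].lower()]

# Constructed sample (not a real certificate): short-form DER builder plus a minimal v3 layout.
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload

_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))     # ecdsa-with-SHA256
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 20))              # dummy key bits
SAMPLE_CERT_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"151120000000Z") + _der(0x17, b"160218000000Z"))
    + _der(0x30, b"") + SAMPLE_SPKI) + _SIG_ALG + _der(0x03, b"\x00" + b"\x22" * 8))
```

Feed it the DER of the certificate about to go live (and, for usage 2 records, the intermediate) together with the records currently served from DNS; deploy only once the new chain is covered.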