Please take care when deploying Let's Encrypt certificates...

Viktor Dukhovni ietf-dane at
Fri Nov 20 19:50:02 CET 2015

On Fri, Nov 20, 2015 at 12:21:12PM -0500, Mike wrote:

> > I've seen more than one of the early adopters of LE certificates
> > neglect to update their TLSA records (a few TTLs) *before* deploying
> > the new LE certificate chain.
> Something else to keep in mind with the Let's Encrypt certificates is
> that they have a 90-day lifetime with the automatic renewal process
> starting at sixty days.

Automated replacement might make them entirely unsuitable for
DANE-EE(3).  That is, assuming the automation neglects the necessary
DNS update precondition.

One of the most important features of DANE-EE(3) is that certificates
DO NOT EXPIRE with DANE-EE(3).  You replace it when you are ready
to do it, not when the certificate goes up in smoke.  The expiration
is in the RRSIG end time, not in the certificate.

If you lose that with EE, DO NOT switch to LE.  For port 25 SMTP
it'll do more harm than good.  By all means use LE for port 587
(different certs for the MTA and MSA).

The only way LE for port 25 with DANE can work is if renewal is
possible with the same private key, and the TLSA records are "3 1
1", making certificate replacement a non-event.

The other way is to publish "2 0 1" records for the LE root CA
(which MUST then appear in the server's chain) or "2 1 1" records
for the LE intermediate CA (which must appear in the server's chain,
but that's more typically true anyway).

Using "3 0 1" with LE 90-day certificates that are rotated
automatically sounds like a recipe for disaster, unless deployment
of the new certificate can be delayed (after it is obtained) and
the required DNS updates automated, with the certificate deployed
only once the DNS records have been fielded sufficiently long.

> Using a Let's Encrypt certificate with DANE TLSA will require an alert
> sysadmin.

This does not discuss whether a new key is used for each renewal.
Can anyone using LE automated rotation check whether the key stays
the same or not?
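
Added example, not part of the original message: a Python sketch of why a "3 1 1" record survives a renewal that reuses the key while "3 0 1" does not. The helper names and the unsigned stand-in certificates are constructed for illustration; `spki_der` assumes standard X.509 DER field order.

```python
import hashlib

def der(tag, body=b""):
    """Encode one short-form DER TLV (body under 128 bytes, enough for the samples)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo TLV out of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = nxt
    for _ in range(5):                   # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def tlsa_rdata(cert, usage, selector):
    """TLSA rdata, matching type 1 (SHA2-256); selector 0 = full cert, 1 = SPKI."""
    data = cert if selector == 0 else spki_der(cert)
    return f"{usage} {selector} 1 {hashlib.sha256(data).hexdigest()}"

def survives_renewal(old_cert, new_cert, usage, selector):
    """True if the record published for old_cert also matches new_cert."""
    return tlsa_rdata(old_cert, usage, selector) == tlsa_rdata(new_cert, usage, selector)

def fake_cert(serial, spki):
    """Constructed, unsigned stand-in with X.509 field order (not a valid cert)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))

def fake_key(fill):
    """Constructed SPKI-shaped blob standing in for a public key."""
    return der(0x30, der(0x30) + der(0x03, b"\x00" + fill * 32))

OLD = fake_cert(1, fake_key(b"A"))        # certificate currently deployed
SAME_KEY = fake_cert(2, fake_key(b"A"))   # renewal that reuses the private key
NEW_KEY = fake_cert(3, fake_key(b"B"))    # renewal with a fresh key
```

Run against the DER of the deployed and the renewed certificate, `survives_renewal(old, new, 3, 1)` returning False means the new TLSA record has to be published and aged in DNS before the certificate is switched.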

