Upcoming Let's Encrypt intermediate issuer certificate change...

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Apr 17 10:08:21 CEST 2019


If you're relying on DANE TLSA "2 0 1" or "2 0 2" records that
match the current Let's Encrypt Intermediate certificate,
you need to make appropriate plans for the switchover to a
new intermediate CA cert on 2010-07-08:

  https://scotthelme.co.uk/lets-encrypt-to-transition-to-isrg-root/

This will result in a change in the content (and digest) of the
intermediate issuer cert.  But the underlying public key is *not*
changing.  Therefore, the sensible solution is before then to switch
to "2 1 1" records that will continue to work across the cutover.

The "2 1 1" record will of course have a different digest from the
"2 0 1" record (and likewise for "2 1 2" vs. "2 0 2").

The stable key digests are:

   2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
   2 1 2 774fad8c9a6afc2bdb44faba8390d213ae592fb0d56c5dfab152284e334d7cd6abd05799236e7aa6266edf81907c60404c57ee54c10a3a82fcc2a9146629b140

See also:

   https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
   https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
   https://github.com/danefail/list/issues/47#issuecomment-456623996

-- 
	Viktor.
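The distinction the post draws between selector 0 (digest of the whole
certificate) and selector 1 (digest of the SubjectPublicKeyInfo) can be
checked locally with openssl.  The script below is an added example and is
not part of Viktor's post or of any Let's Encrypt tooling.  It computes all
four usage-2 TLSA data fields for a PEM certificate, then generates one
constructed key and two different self-signed certificates for it, standing
in for the old and new intermediate, and confirms that "2 0 1" changes
between them while "2 1 1" does not.  The helper names and the
"(constructed)" subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the post: derive DANE TLSA digests with openssl
# (RFC 6698 selectors 0 = full certificate, 1 = SubjectPublicKeyInfo).
set -e

# Digest of the DER-encoded certificate (selector 0).
# $1 = PEM certificate file, $2 = sha256 | sha512
tlsa_cert_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst "-$2" | sed 's/^.*= //'
}

# Digest of the DER-encoded SubjectPublicKeyInfo (selector 1).
# This is the value that stays stable when a CA re-issues its intermediate
# under the same key, as the post says Let's Encrypt is doing.
tlsa_spki_digest() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst "-$2" | sed 's/^.*= //'
}

# Print the four usage-2 (trust anchor assertion) TLSA record data fields.
# $1 = PEM certificate file
print_tlsa_records() {
    printf '2 0 1 %s\n' "$(tlsa_cert_digest "$1" sha256)"
    printf '2 0 2 %s\n' "$(tlsa_cert_digest "$1" sha512)"
    printf '2 1 1 %s\n' "$(tlsa_spki_digest "$1" sha256)"
    printf '2 1 2 %s\n' "$(tlsa_spki_digest "$1" sha512)"
}

# Demo: one constructed key, two self-signed certs with different subjects
# and serials (stand-ins for the old and new intermediate).  Returns 0 when
# the "2 1 1" digest matches across both and the "2 0 1" digest does not.
demo_key_stable_across_reissue() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 365 \
        -subj "/CN=Old Intermediate (constructed)" -out "$dir/old.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 365 \
        -subj "/CN=New Intermediate (constructed)" -out "$dir/new.pem" 2>/dev/null
    old_cert=$(tlsa_cert_digest "$dir/old.pem" sha256)
    new_cert=$(tlsa_cert_digest "$dir/new.pem" sha256)
    old_spki=$(tlsa_spki_digest "$dir/old.pem" sha256)
    new_spki=$(tlsa_spki_digest "$dir/new.pem" sha256)
    rm -rf "$dir"
    [ "$old_spki" = "$new_spki" ] && [ "$old_cert" != "$new_cert" ]
}
```

Run `print_tlsa_records chain.pem` against the intermediate certificate
from a real Let's Encrypt chain to obtain the record data, and compare the
"2 1 1" / "2 1 2" lines with the stable key digests the post lists before
publishing.  Selector 1 hashes only the key, so a TLSA record built from it
keeps matching after the issuer re-signs the same key under a new certificate.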
