PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

Viktor Dukhovni ietf-dane at
Mon Sep 21 08:22:08 CEST 2020

Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
"2 1 1" records matching "X3" will not match "R3" or "E1".

If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant
"2 1 1" records need to be augmented soon with additional records matching the new
"R3" and "E1", in advance of these reissuing your certificates.

Failure to act in time is likely to result in an outage once renewals switch to
signing via "R3" or "E1".

Links to the actual certificates can be found at:

The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
re-compute these for yourself):

	; $ tlsagen lets-encrypt-r3.pem 2 1 1
	; IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D

	; $ tlsagen lets-encrypt-e1.pem 2 1 1
	; IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

The above were computed with the attached "tlsagen" script, but it is
prudent to also check with tools from other sources, this email message
could well have been a forgery (I hope your copy matches what I sent).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: tlsagen
Type: application/octet-stream
Size: 1598 bytes
Desc: not available
URL: <>

More information about the dane-users mailing list