#DANE #LetsEncrypt
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be phased out in favour of "R3" and "E3" which have new keys, and so any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E3". https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
Any "2 1 1" records need to be augmented soon with additional records matching "R3" and "E3", in advance of these issuing certificates for servers with DANE-TA(2) TLSA records.
Failure to act is likely to result in an outage once renewals switch to signing via "R3" or "E3".
Small correction, the "E3" should have been "E1".
Links to the actual certificates can be found at:
https://letsencrypt.org/certificates/
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-e1.pem
A more detailed post to dane-users:
https://mail.sys4.de/pipermail/dane-users/2020-September/000578.html
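
Added example, not part of the original posts and not Let's Encrypt code: a standard-library Python sketch that computes the "2 1 1" TLSA RDATA (SHA-256 of the CA certificate's SubjectPublicKeyInfo) and emits one record per intermediate, so the old and new CAs both match during the rollover. The certificates here are constructed stand-ins and the owner name `_25._tcp.mx.example.com.` is an assumption; pass the linked PEM files through `pem_to_der()` to get real values.

```python
import base64, hashlib, re

def read_tlv(buf, off):
    """Parse the DER element at off; return (tag, value_start, end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert):
    """Return the DER SubjectPublicKeyInfo from a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode(m.group(1))

def tlsa_211(cert):
    """RDATA for DANE-TA(2) SPKI(1) SHA2-256(1): digest of the CA public key only."""
    return "2 1 1 " + hashlib.sha256(spki_der(cert)).hexdigest()

def tlsa_rrset(owner, ca_certs):
    """One TLSA record per CA so certificates from either intermediate validate."""
    return [f"{owner} IN TLSA {tlsa_211(c)}" for c in ca_certs]

# Constructed stand-ins for CA certificates (not real Let's Encrypt data).
def _tlv(tag, val):
    n = len(val)                               # lengths < 256 only
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + val

def fake_cert(serial, key):
    empty = _tlv(0x30, b"")                    # placeholder sigAlg/issuer/validity/subject
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x03")) + _tlv(0x03, b"\x00" + key))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial])) + empty * 4 + spki)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))

OLD_CA = fake_cert(1, b"old-intermediate-key" * 8)        # plays the role of "X3"
NEW_CA = fake_cert(2, b"new-intermediate-key" * 8)        # plays the role of "R3"
REISSUED_OLD = fake_cert(3, b"old-intermediate-key" * 8)  # new certificate, same key
```

`tlsa_211(REISSUED_OLD)` equals `tlsa_211(OLD_CA)` because selector 1 hashes only the key, while `NEW_CA` yields a different digest and therefore needs its own record.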