The major changes in the Let's Encrypt issuer CA lineup noted in my
previous post:

    https://list.sys4.de/hyperkitty/list/[email protected]/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/

are now largely completed.  Of the ~46000 domains with working
DANE-TA(2) TLSA records matching a Let's Encrypt intermediate issuer,
just 62 are still based on R3, and none on X3, X4, R4, E1 or E2.

These last few R3 issued certificates will either be renewed or will
expire by September 4th.

Therefore, if you haven't done so already, please read the fine advice
in:

    https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

and switch to R10..R14 or E5..E9 (or rarely both) as appropriate.  If
you prefer to instead pin the ISRG root CAs, you MUST ensure that your
SMTP server's chain file also includes the ISRG X1 or ISRG X2 root
(whichever happened to issue the intermediate CA cert), and then you can
publish TLSA records matching these roots.

        https://dane.sys4.de/common_mistakes#4
        https://github.com/Mailu/Mailu/issues/2138
    https://datatracker.ietf.org/doc/html/rfc7671#section-5.2.3

Note that some MTA operators have made the mistake of listing just R10
or R11 (similarly just E5 or E6), whichever was the first new issuer they
saw, without understanding that the issuer will randomly rotate between
these, and may in an emergency be one of their backups.

DO NOT be tempted to skimp on the list of published TAs.  If you're
keen on using DANE-TA(2) with Let's Encrypt, publish the full set,
and keep track of periodic Let's Encrypt service announcements.

And of course, DO NOT neglect monitoring, perhaps based on:

    https://list.sys4.de/hyperkitty/list/[email protected]/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY/

And of course, it may be simplest to stop playing Let's Encrypt TA
whack-a-mole, and switch to "3 1 1" records:

    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

Perhaps with the aid of:

    https://github.com/tlsaware/danebot

or similar/equivalent.  Best of luck, but, if you can pay attention to
detail, you should not need it.

-- 
    Viktor.  Слава Україні!

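The record generation the post refers to, as an added example that is not
part of the original message: given a PEM chain file (leaf first, issuers
after, as an SMTP server's chain file is laid out), it emits a "3 1 1"
DANE-EE record for the leaf and a "2 1 1" DANE-TA record for each issuer
present.  It assumes only openssl and awk are installed.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes: openssl, awk, mktemp;
# $1 is a PEM bundle with the end-entity certificate first and the issuer
# chain (intermediates, optionally the ISRG root) following it.

# SHA-256 of the DER SubjectPublicKeyInfo of the certificate on stdin,
# i.e. selector 1 ("SPKI"), matching type 1 ("SHA2-256").
spki_sha256() {
    openssl x509 -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
}

# Split a PEM bundle ($1) into one file per certificate: <$2>1.pem, <$2>2.pem, ...
split_pem() {
    awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (p n ".pem")}' "$1"
}

# Print TLSA rdata for every certificate in the chain file $1:
#   first cert (leaf)  -> "3 1 1 <hash>"  (DANE-EE: unaffected by issuer rotation)
#   later certs        -> "2 1 1 <hash>"  (DANE-TA: one record per issuer you pin)
# Each line carries the certificate subject as a comment for the zone file.
tlsa_from_chain() {
    dir=$(mktemp -d) || return 1
    split_pem "$1" "$dir/cert"
    i=1
    while [ -f "$dir/cert$i.pem" ]; do
        hash=$(spki_sha256 < "$dir/cert$i.pem")
        subject=$(openssl x509 -noout -subject -in "$dir/cert$i.pem")
        if [ "$i" -eq 1 ]; then usage=3; else usage=2; fi
        printf '%s 1 1 %s\t; %s\n' "$usage" "$hash" "$subject"
        i=$((i + 1))
    done
    rm -rf "$dir"
}
```

The "2 1 1" lines cover only the issuers in the chain you feed it; for the
DANE-TA(2) approach the post describes, run it over a bundle of the full
R10..R14 / E5..E9 set (or pin the ISRG root and ship that root in the
chain file), not just the one intermediate that signed today's certificate.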