On 28 June 2025 19:01:10 UTC, John R Levine via mailop
<[email protected]> wrote:
>On Sat, 28 Jun 2025, Alessandro Vesely wrote:
>>> I use Let's Encrypt and resign the same requests so the TLSA doesn't change.
>>
>> Alternatively can set
>>
>> # Options used in the renewal process
>> [renewalparams]
>> reuse_key = True
>
>Any chance you could give us a hint what program or what config file that is?
>
It is certbot's renewal config file for a particular cert; on
Debian it is in /etc/letsencrypt/renewal/*.conf.

But one does not need to care about the config file. I am not
sure about the exact version, but it works with version 2.1,
and it can be done from the shell:

    certbot renew --reuse-key

And then, to force renewing the key and then keep it for future
renewals (beware, both are needed):

    certbot renew --reuse-key --new-key

One will want to add the --cert-name and/or --force-renewal
options too...

To revert back to a new key on every renewal use:

    certbot renew --no-reuse-key

Hope this will help with DANE & LE. I have prepared a system
for this, but as my DNS provider doesn't provide me any way
to automate it, the whole system ends with sending me an email
with the new TLSA value and instructions on how to deploy the new
cert manually, but I am too lazy to manually publish the TLSA record
:-)
regards
--
Slavko
https://www.slavino.sk/
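
Added example (not part of the message above and not certbot's own code): a shell check of whether a renewed certificate still matches the published TLSA record, which is what `reuse_key` is meant to guarantee. It assumes a `3 1 1` record (DANE-EE, SPKI, SHA-256), which the thread does not specify; the function names, the hostname mail.example.org and the throwaway self-signed certificates are constructed for the example.

```shell
#!/bin/sh
# Added example: does a renewed certificate still match a published
# TLSA "3 1 1" record (DANE-EE, SubjectPublicKeyInfo, SHA-256)?

# tlsa_311 CERT.pem -> lowercase hex SHA-256 of the cert's public key (SPKI)
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -hex | awk '{print $NF}'
}

# tlsa_matches CERT.pem "3 1 1 <hex>" -> exit 0 if the rdata pins this key.
# The rdata may be pasted from `dig +short TLSA ...` (upper case, split hex).
tlsa_matches() {
    want=$(printf '%s\n' "$2" | awk '$1 == 3 && $2 == 1 && $3 == 1 {
        h = ""; for (i = 4; i <= NF; i++) h = h $i; print tolower(h) }')
    [ -n "$want" ] && [ "$want" = "$(tlsa_311 "$1")" ]
}

# Constructed test data: throwaway EC keys and self-signed certificates
# standing in for Let's Encrypt issuance (mail.example.org is hypothetical).
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
make_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=mail.example.org" \
        -days 1 -out "$2" 2>/dev/null
}

# Simulate one renewal with the key reused and one with a fresh key.
demo_renewal() {
    tmp=$(mktemp -d) || return 1
    new_key "$tmp/k1.pem"
    new_key "$tmp/k2.pem"
    make_cert "$tmp/k1.pem" "$tmp/old.pem"       # certificate in service
    make_cert "$tmp/k1.pem" "$tmp/reused.pem"    # renewed, same key
    make_cert "$tmp/k2.pem" "$tmp/rotated.pem"   # renewed, new key
    published="3 1 1 $(tlsa_311 "$tmp/old.pem")"
    for c in reused rotated; do
        if tlsa_matches "$tmp/$c.pem" "$published"; then
            echo "$c: published TLSA still matches"
        else
            echo "$c: TLSA mismatch, the record must be updated"
        fi
    done
    rm -rf "$tmp"
}

demo_renewal
```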