Mailing List Archive

PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
"2 1 1" records matching "X3" will not match "R3" or "E1".

https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant
"2 1 1" records need to be augmented soon with additional records matching the new
"R3" and "E1", in advance of these reissuing your certificates.

Failure to act in time is likely to result in an outage once renewals switch to
signing via "R3" or "E1".

Links to the actual certificates can be found at:

https://letsencrypt.org/certificates/
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-e1.pem

The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
re-compute these for yourself):

; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D

; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

The above were computed with the attached "tlsagen" script, but it is
prudent to also check with tools from other sources, this email message
could well have been a forgery (I hope your copy matches what I sent).

--
Viktor.
Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates [ In reply to ]
On Mon, Sep 21, 2020 at 04:23:55AM -0200, Viktor Dukhovni via Exim-users wrote:

> Links to the actual certificates can be found at:
>
> https://letsencrypt.org/certificates/
> https://letsencrypt.org/certs/lets-encrypt-r3.pem
> https://letsencrypt.org/certs/lets-encrypt-e1.pem
>
> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
> re-compute these for yourself):
>
> ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
>
> ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

It was correclty noted in:

https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane

that the "backup" CAs should also be listed, as LE might need to switch
to using them in an emergency without prior notice.

Therefore the full list of DANE-TA(2) digests to publish (when relying
on these rather than "3 1 1" records) is:

; (These can be retired soon, but not just yet)
;
; letsencryptauthorityx3.pem
; letsencryptauthorityx4.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
_25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B

; (May not be needed if your leaf cert is RSA, ECDSA certs
; will I expect be soon signed with one of these).
;
; lets-encrypt-e1.pem
; lets-encrypt-e2.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
_25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270

; (May not be needed if your leaf cert is ECDSA, once
; ECDSA certificate issuance cuts over to e1/e2).
;
; lets-encrypt-r3.pem
; lets-encrypt-r4.pem

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates [ In reply to ]
On 9/21/2020 1:51 AM, Viktor Dukhovni via Exim-users wrote:

> https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane
>
> that the "backup" CAs should also be listed, as LE might need to switch
> to using them in an emergency without prior notice.
>
> Therefore the full list of DANE-TA(2) digests to publish (when relying
> on these rather than "3 1 1" records) is:
>
> ; (These can be retired soon, but not just yet)
> ;
> ; letsencryptauthorityx3.pem
> ; letsencryptauthorityx4.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
>
> ; (May not be needed if your leaf cert is RSA, ECDSA certs
> ; will I expect be soon signed with one of these).
> ;
> ; lets-encrypt-e1.pem
> ; lets-encrypt-e2.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
>
> ; (May not be needed if your leaf cert is ECDSA, once
> ; ECDSA certificate issuance cuts over to e1/e2).
> ;
> ; lets-encrypt-r3.pem
> ; lets-encrypt-r4.pem

Forgive me for being a bit dense, but I'm new to the SSL world. I have
certificates by LetsEncrypt, generated about a month ago. Where and how
do I look to determine if I need new certificates. And what's with the
TLSA DNS entries? I've never heard of a TLSA record.

Thanks!

--

Dan Egli on my Test Site



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates [ In reply to ]
On 21/09/2020 09:34, Dan Egli via Exim-users wrote:
> Forgive me for being a bit dense, but I'm new to the SSL world. I have
> certificates by LetsEncrypt, generated about a month ago. Where and how
> do I look to determine if I need new certificates. And what's with the
> TLSA DNS entries? I've never heard of a TLSA record.

TLSA records are part of DANE. If you're not using DANE, you
don't need them.
--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates [ In reply to ]
On Monday, 21 September 2020 6:39:35 PM AEST Jeremy Harris via Exim-users
wrote:
> On 21/09/2020 09:34, Dan Egli via Exim-users wrote:
> > Forgive me for being a bit dense, but I'm new to the SSL world. I have
> > certificates by LetsEncrypt, generated about a month ago. Where and how
> > do I look to determine if I need new certificates. And what's with the
> > TLSA DNS entries? I've never heard of a TLSA record.
>
> TLSA records are part of DANE. If you're not using DANE, you
> don't need them.
DANE is a means of publishing trust information in the DNS with DNSSEC
signatures as an alternative to the CAs acting as a trusted 3rd party. This
helps in email as many MX records are not able to be tied to a common name
and/or subject alternative name that would match the domain of the email
recipient that could be verified by the sender.




--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates [ In reply to ]
On 9/21/2020 2:39 AM, Jeremy Harris via Exim-users wrote:
> On 21/09/2020 09:34, Dan Egli via Exim-users wrote:
>> Forgive me for being a bit dense, but I'm new to the SSL world. I have
>> certificates by LetsEncrypt, generated about a month ago. Where and how
>> do I look to determine if I need new certificates. And what's with the
>> TLSA DNS entries? I've never heard of a TLSA record.
> TLSA records are part of DANE. If you're not using DANE, you
> don't need them.


You didn't answer my main question of how do I determine if I need to
upgrade my LetsEncrypt certificates.


And although I'm going to google it, What the %$&@%$* is DANE? :-[


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates [ In reply to ]
On Mon, Sep 21, 2020 at 02:07:00PM -0600, Dan Egli via Exim-users wrote:

> You didn't answer my main question of how do I determine if I need to
> upgrade my LetsEncrypt certificates.

If you're not using DANE, there's nothing special you need to do with
your Let's Encrypt certificates. Just run "certbot" or your preferred
ACME client on a regular basis to make sure the certs have not expired.

> And although I'm going to google it, What the %$&@%$* is DANE? :-[

https://tools.ietf.org/html/rfc7672#section-1.3

--
Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/