This page shows the differences between two versions.

pr:le-dns-dane [2023/12/09 18:24] (current) martok created
====== DANE records with Let's Encrypt ======
===== Problem =====

TLSA records announce which certificate (or which public key) a client must expect from an endpoint. Let's Encrypt reissues certificates every 60 to 90 days, so a record that pins the end-entity certificate itself has to be updated on every renewal, in step with the DNS TTL, which is easy to get wrong. One workaround is to keep re-using the same key pair across renewals and pin only the public key (selector 1), so the record never changes, but that gives up key rotation. We //want// to rotate the keys.

===== Setup =====

Instead of pinning the end-entity certificate, use DANE-TA(2) with selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256) to pin the currently active Let's Encrypt intermediate. The leaf certificate and its key can then change on every renewal, as long as the leaf is still issued by that intermediate. Three things have to hold for this to work: the zone must be DNSSEC-signed (DANE-aware clients ignore TLSA records that do not validate), the server must send the intermediate in its chain (Let's Encrypt's fullchain.pem, not cert.pem; with usage 2 and a digest-only record the client takes the trust anchor from the presented chain), and a record must exist for every intermediate Let's Encrypt may currently issue from, e.g. both the RSA and the ECDSA one if you might switch key types, published before any server starts serving a chain that uses it.


==== Compute the Intermediate TLSA RR ====

Find and download the currently used intermediate from LE's published [[https://letsencrypt.org/certificates/|Chain of Trust]]; check which one your fullchain.pem actually contains, since LE has separate RSA and ECDSA intermediates. Then hash its SubjectPublicKeyInfo in DER form:

<file bash>
openssl x509 -in lets-encrypt-r3.pem -noout -pubkey |
openssl pkey -pubin -outform DER | openssl dgst -sha256 -hex |
awk '{print "le-r3._dane TLSA 2 1 1", $NF}'
</file>

''openssl pkey'' handles RSA and ECDSA keys alike; ''openssl rsa -pubin'' would fail on the ECDSA intermediates. The file name is the one LE uses for the R3 intermediate; substitute whichever intermediate you are pinning.
Next, publish that record once, at a label of its own directly under the zone apex, and let every service point at it. Put a comment with the intermediate's notAfter date next to the record and set a calendar reminder well before that date. When Let's Encrypt switches to a new intermediate, follow the usual TLSA rollover from RFC 7671: add the new record first, wait at least one TTL so resolvers have it, and only then let the renewal pick up a chain that uses the new intermediate; keep the old record until no server presents the old chain any more.
<file>
; Let's Encrypt R3 intermediate, expires: 15. September 2025 16:00:00 GMT
le-r3._dane 3600 IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
</file>

Finally, point all service records there with a CNAME, one per port and protocol (here SMTP on port 25 for the host ''mx1.sys'' in the example.com zone; the target must be fully qualified):
<file>
_25._tcp.mx1.sys IN CNAME le-r3._dane.example.com.
</file>
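The whole procedure as a small POSIX shell script, added here as an example and not part of the original page: it lists the certificates in a fullchain.pem so you can see which intermediate to pin, derives the ''2 1 1'' RDATA with ''openssl pkey'' (so it works for the ECDSA intermediates too), emits the commented zone lines and the per-service CNAME, and wraps the ''openssl s_client'' DANE check for a live mail server. The label ''le-r3._dane'', the host ''mx1'' and the ''example.com'' zone are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): build DANE-TA(2) TLSA records
# for a Let's Encrypt intermediate and the CNAMEs that point services at it.
# Needs only the openssl CLI. Labels, hostnames and the example.com zone
# used below are constructed for illustration.
set -eu

# chain_subjects FULLCHAIN.pem
# Lists subject and issuer of every certificate in a PEM bundle, so you can
# see which intermediate certbot's fullchain.pem currently carries.
chain_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# tlsa_211_rdata CERT.pem
# Prints the RDATA of a "2 1 1" record: usage 2 (DANE-TA), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256 over the DER SPKI).
# "openssl pkey" accepts RSA and ECDSA keys alike; "openssl rsa" would not.
tlsa_211_rdata() {
    hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -hex \
        | awk '{print $NF}')
    printf '2 1 1 %s\n' "$hash"
}

# tlsa_zone_lines LABEL CERT.pem [TTL]
# Emits a zone-file comment with the subject and notAfter date (so the expiry
# sits next to the record) followed by the TLSA RR at LABEL.
tlsa_zone_lines() {
    label=$1
    cert=$2
    ttl=${3:-3600}
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    expiry=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    printf '; %s, expires: %s\n' "$subject" "$expiry"
    printf '%s %s IN TLSA %s\n' "$label" "$ttl" "$(tlsa_211_rdata "$cert")"
}

# tlsa_cname_line PORT PROTO HOST TARGET
# Emits the per-service owner name _PORT._PROTO.HOST pointing at the shared
# TLSA label. TARGET must be fully qualified (trailing dot).
tlsa_cname_line() {
    printf '_%s._%s.%s IN CNAME %s\n' "$1" "$2" "$3" "$4"
}

# dane_check HOST PORT RDATA
# Verifies a live SMTP server against the record without going through DNS:
# s_client takes the RDATA directly, so this works before the zone is
# published. Expect "DANE TLSA 2 1 1 ... matched TA certificate" in the output.
dane_check() {
    openssl s_client -starttls smtp -connect "$1:$2" \
        -dane_tlsa_domain "$1" -dane_tlsa_rrdata "$3" </dev/null
}

# Usage: ./tlsa-ta.sh le-r3._dane lets-encrypt-r3.pem
if [ $# -eq 2 ]; then
    tlsa_zone_lines "$1" "$2"
    tlsa_cname_line 25 tcp mx1 "$1.example.com."
fi
```

Run ''chain_subjects /etc/letsencrypt/live/<name>/fullchain.pem'' first and pin the certificate listed as the leaf's issuer; ''dane_check mx1.example.com 25 "$(tlsa_211_rdata lets-encrypt-r3.pem)"'' then confirms the server really presents that intermediate before you publish the record.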