On 11/19/2015 7:58 PM, Viktor Dukhovni wrote:
>
> If you've published DANE TLSA records for your current certificate
> chain, and are considering switching to Let's Encrypt issued certificates,
> please do not forget:
>
> https://dane.sys4.de/common_mistakes#3
>
> https://tools.ietf.org/html/rfc7671#section-8.1
>
> I've seen more than one of the early adopters of LE certificates
> neglect to update their TLSA records (a few TTLs) *before* deploying
> the new LE certificate chain.
>
Something else to keep in mind with the Let's Encrypt certificates is that they have a 90-day lifetime with the automatic renewal process starting at sixty days. Using a Let's Encrypt certificate with DANE TLSA will require an alert sysadmin. https://community.letsencrypt.org/t/maximum-and-minimum-certificate-lifetimes/264/9
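A pre-deployment check for the rollover Viktor describes, added here as an example and not code from either author or from the Let's Encrypt project. It assumes the certificate's SubjectPublicKeyInfo is supplied as DER bytes (for example from `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`) and that the currently served TLSA RRset has already been fetched; the two sample keys are constructed, not real certificates.

```python
"""Check a DANE-EE "3 1 1" TLSA rollover against RFC 7671 section 8.1.

Added example. Assumptions: SPKI DER bytes and the published RRset are
obtained out of band; the sample keys below are constructed for the demo.
"""
import hashlib
from typing import Iterable

# Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256): pinning
# the end-entity key means renewals keep matching as long as the key is kept.
USAGE_DANE_EE, SELECTOR_SPKI, MTYPE_SHA256 = 3, 1, 1


def tlsa_311_rdata(spki_der: bytes) -> str:
    """Presentation-format rdata ("3 1 1 <hex>") for a DER-encoded SPKI."""
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MTYPE_SHA256} {hashlib.sha256(spki_der).hexdigest()}"


def _normalize(rdata: str) -> str:
    """Collapse whitespace and case so zone-file variants compare equal."""
    return " ".join(rdata.lower().split())


def rollover_status(published: Iterable[str], current_spki: bytes, new_spki: bytes) -> str:
    """Classify where the rollover stands from the RRset the DNS currently serves."""
    rrset = {_normalize(r) for r in published}
    have_old = _normalize(tlsa_311_rdata(current_spki)) in rrset
    have_new = _normalize(tlsa_311_rdata(new_spki)) in rrset
    if have_old and have_new:
        return "ready-to-switch"        # new chain may be deployed now
    if have_old:
        return "add-new-record-first"   # deploying now breaks DANE until caches expire
    if have_new:
        return "only-new-published"     # fine only after the switch and one old TTL
    return "no-matching-record"         # neither key published: DANE fails right now


def _ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 key in its DER SubjectPublicKeyInfo (RFC 8410)."""
    assert len(raw_key) == 32
    return bytes.fromhex("302a300506032b6570032100") + raw_key


# Constructed sample keys standing in for the current and the new LE certificate.
OLD_SPKI = _ed25519_spki(bytes(range(32)))
NEW_SPKI = _ed25519_spki(bytes(range(32, 64)))

if __name__ == "__main__":
    served = [tlsa_311_rdata(OLD_SPKI)]  # what a zone typically looks like before rollover
    print(rollover_status(served, OLD_SPKI, NEW_SPKI))        # add-new-record-first
    served.append(tlsa_311_rdata(NEW_SPKI))
    print(rollover_status(served, OLD_SPKI, NEW_SPKI))        # ready-to-switch
```

Run the check before each renewal goes live; with a 90-day lifetime and a sixty-day renewal trigger, automation that rotates the key without first adding the new record is exactly the failure the thread warns about.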
