On 29 Dec 2016, at 20:56, Patrick Domack <[email protected]> wrote:

> Quoting Michael Grimm <[email protected]>:
>
>> #) Would it be possible to get *two* distinct LE certificates, one for the
>> IMAP and one for the webserver ..
>> #) .. and simultaneously *keep* my selfsigned certificate for the
>> mailserver ..
>> #) .. and forget about the issues mentioned above?
>>
>> #) Or should I strictly separate my mailserver from the rest by means of
>> distinct domains, instead?
>
> You can get multiple certificates, I have several myself in a single domain,
> and so this same thing.

Thanks for your feedback. Then I will go for that.

> I am using an LE certificate for my DANE TLSA records, and I do have the
> auto-rotation script update the TLSA entry. While this is as simple as it
> sounds, dnssec makes it more complicated.
>
> You have to remember your dns ttl and dnssec rrsig ttl and rrsig
> expiration for the given entry. I have switched to using dns slave servers
> and in my implementation that means dnssec rrsig values are signed valid for
> a week, so I don't push out the new certificate from LE, till two weeks after
> I added the TLSA dns record, to be safe.

See my answers to Viktor. I am very hesitant when it comes to human intervention. Thus, I will avoid it.

> The only issue I have had with selfsigned certs is that some mailservers will
> not send you email if you use one, since the sender has turned on certificate
> verification, and it will not fail back to non-encrypted to send email. This
> is mainly a misconfig on their part, but it matters if you want email from
> them. This has been very minimal impact, but I have seen it a few times.

I haven't run into that issue yet, luckily. If that happens to my users, I will have to take the burden and apply LE certificates for port 25 as well. But until that time, I will avoid human intervention into a process where two autorotation tools go for "incompatible" tasks :-)

Or is there one single tool dealing with DNSSEC, TLSA rotation, and LE upgrades on the market?
Thank you for your valuable input and with kind regards, Michael
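The TLSA rollover timing Patrick describes (add the new record, wait out the DNS TTL and the RRSIG validity window, only then push the new certificate) is easy to get wrong in an unattended hook. Below is an added example of how such a hook can compute the record and gate the install on that timing. It is not code from this thread, from either poster, or from any existing tool; the SPKI byte strings are constructed stand-ins, and a real hook would feed in the DER SubjectPublicKeyInfo of the certificate about to be installed.

```python
"""Added example (not code from the thread or from either poster): building a
DANE TLSA record for a server key and gating a certificate rollover on the
DNS TTL and DNSSEC RRSIG validity window discussed above. All key material
below is constructed stand-in bytes; a real hook would take the DER-encoded
SubjectPublicKeyInfo from the certificate that is about to be installed."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
CURRENT_SPKI = b"\x30\x59\x30\x13\x06\x07" + b"current-key-bytes" * 4
NEXT_SPKI = b"\x30\x59\x30\x13\x06\x07" + b"next-key-bytes" * 4


def tlsa_rdata(spki_der, usage=3, selector=1, mtype=1):
    """Presentation-format rdata for a TLSA record.

    The defaults are the usual choice for SMTP/IMAP: usage 3 (DANE-EE, the
    end-entity key itself is trusted, no CA chain needed), selector 1
    (SubjectPublicKeyInfo, so the record survives a re-issue that reuses
    the key pair), matching type 1 (SHA-256 of the selected data)."""
    if mtype != 1:
        raise ValueError("this example only produces SHA-256 (matching type 1) records")
    if selector != 1:
        raise ValueError("pass the DER SubjectPublicKeyInfo and use selector 1")
    return f"{usage} {selector} {mtype} {hashlib.sha256(spki_der).hexdigest()}"


def parse_tlsa(rr):
    """Split 'usage selector mtype hexdigest' into (int, int, int, lower-hex)."""
    usage, selector, mtype, digest = rr.split()
    return int(usage), int(selector), int(mtype), digest.lower()


def tlsa_matches(spki_der, rrset):
    """Pre-flight check for the renewal hook: is there a published TLSA
    record that will validate the key we are about to deploy?"""
    want = parse_tlsa(tlsa_rdata(spki_der))
    return any(parse_tlsa(rr) == want for rr in rrset)


def earliest_cert_switch(published_at, dns_ttl, rrsig_validity, margin=timedelta(0)):
    """Earliest time the new certificate may go live after the new TLSA record
    was added. Two caches have to drain first: a lagging secondary can keep
    serving the old, still-valid RRset until its RRSIG expires, and a resolver
    that fetched that stale copy at the last moment can cache it for one more
    TTL. Adding the two is the conservative bound; margin is extra slack."""
    return published_at + rrsig_validity + dns_ttl + margin


def plan_rollover(current_spki, next_spki, published_at, dns_ttl, rrsig_validity,
                  margin=timedelta(0)):
    """The add-wait-switch-remove schedule: publish both records, wait, install
    the new cert, then retire the old record. Returns (when, action, rrset)."""
    cur, nxt = tlsa_rdata(current_spki), tlsa_rdata(next_spki)
    switch_at = earliest_cert_switch(published_at, dns_ttl, rrsig_validity, margin)
    return [
        (published_at, "publish TLSA for current and next key", [cur, nxt]),
        (switch_at, "install certificate for next key", [cur, nxt]),
        (switch_at, "remove TLSA for the old key", [nxt]),
    ]


def ok_to_install(spki_der, rrset, published_at, dns_ttl, rrsig_validity, now,
                  margin=timedelta(0)):
    """Gate for an unattended renewal hook: refuse unless a matching TLSA
    record exists and has been visible long enough. Returns (bool, reason)."""
    if not tlsa_matches(spki_der, rrset):
        return False, "no published TLSA record matches the new key; publish it first"
    switch_at = earliest_cert_switch(published_at, dns_ttl, rrsig_validity, margin)
    if now < switch_at:
        return False, f"new TLSA record not yet safe everywhere; wait until {switch_at.isoformat()}"
    return True, "TLSA published and aged out of all caches; safe to install"


if __name__ == "__main__":
    # One-week RRSIG validity and a one-week extra margin, as in the thread.
    t0 = datetime(2016, 12, 29, tzinfo=timezone.utc)
    for when, action, rrset in plan_rollover(CURRENT_SPKI, NEXT_SPKI, t0,
                                             timedelta(hours=1), timedelta(days=7),
                                             margin=timedelta(days=7)):
        print(when.isoformat(), action, rrset)
```

Two design points worth noting. First, the hook never installs a certificate that no published record matches, which is the failure mode that makes validating senders refuse mail. Second, because the record is "3 1 1" over the SubjectPublicKeyInfo, it only changes when the key pair changes; an ACME client that re-issues against the same key (certbot's --reuse-key, for instance) leaves the TLSA record untouched across renewals, so the waiting period is only ever needed for a deliberate key rotation.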
