Quoting Michael Grimm <[email protected]>:

> On 29 Dec 2016, at 20:56, Patrick Domack <[email protected]> wrote
>
>> Quoting Michael Grimm <[email protected]>:
>>
>>> #) Would it be possible to get *two* distinct LE certificates, one
>>> for the IMAP and one for the webserver ..
>>> #) .. and simultaneously *keep* my selfsigned certificate for the
>>> mailserver ..
>>> #) .. and forget about the issues mentioned above?
>>> #) Or should I strictly separate my mailserver from the rest by
>>> means of distinct domains, instead?
>>
>> You can get multiple certificates, I have several myself in a
>> single domain, and do this same thing.
>
> Thanks for your feedback. Then I will go for that.
>
>> I am using an LE certificate for my DANE TLSA records, and I do
>> have the auto-rotation script update the TLSA entry. While this is
>> as simple as it sounds, dnssec makes it more complicated.
>> You have to remember your dns ttl and dnssec rrsig ttl and
>> rrsig expiration for the given entry. I have switched to using dns
>> slave servers and in my implementation that means dnssec rrsig
>> values are signed valid for a week, so I don't push out the new
>> certificate from LE, till two weeks after I added the TLSA dns
>> record, to be safe.
>
> See my answers to Viktor. I am very hesitant when it comes to human
> intervention. Thus, I will avoid it.
>
>> The only issue I have had with selfsigned certs is that some
>> mailservers will not send you email if you use one, since the
>> sender has turned on certificate verification, and it will not fall
>> back to non-encrypted to send email. This is mainly a misconfig on
>> their part, but it matters if you want email from them. This has
>> been very minimal impact, but I have seen it a few times.
>
> I haven't run into that issue, yet, luckily. If that will happen to
> my users, I will have to take the burden and apply LE certificates
> for port 25 as well. But until that time, I will avoid human
> intervention into a process where two autorotation tools go for
> "incompatible" tasks :-) Or is there one single tool dealing with
> DNSSEC, TLSA rotation, and LE upgrades on the market?

You just add it as part of your certificate update script.
Just like you would have it bind a call to update like apache for
certificate pinning, you have it call nsupdate to add the new tlsa
record into your dns server.
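The following is an added example, not code from either poster, showing what such a renewal hook might look like: it covers the nsupdate step described in the reply above and the TTL/RRSIG waiting rule from Patrick's earlier message. It derives the DANE-EE TLSA rdata (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) from a PEM certificate with openssl and prints nsupdate batches rather than running them. The zone name, owner name, TTL and the "TTL plus RRSIG validity" waiting rule are assumptions for illustration; the two-week margin in the thread is a more conservative choice than this rule yields.

```sh
#!/bin/sh
# Added example (not the posters' code): a hook a certificate-renewal script
# could call after Let's Encrypt issues a new certificate. The "add" batch
# publishes the new TLSA record NEXT TO the old one; the "delete" batch is for a
# later run, after the old RRset has expired from every cache and slave.
# Zone and owner names are placeholders.

# SHA-256 (hex) over the DER SubjectPublicKeyInfo of a PEM certificate.
# Selector 1 hashes only the public key, so a renewal that keeps the same
# key pair does not change the record at all.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# TLSA rdata for DANE-EE / SPKI / SHA-256.
tlsa_rdata() {
    printf '3 1 1 %s\n' "$1"
}

# nsupdate batch that ADDS a record beside whatever is already published.
# $1 zone, $2 owner (e.g. _25._tcp.mail.example.net.), $3 ttl, $4 rdata
tlsa_add_batch() {
    printf 'zone %s\nupdate add %s %s IN TLSA %s\nsend\n' "$1" "$2" "$3" "$4"
}

# nsupdate batch that DELETES exactly one record (the old one), nothing else.
# $1 zone, $2 owner, $3 rdata
tlsa_delete_batch() {
    printf 'zone %s\nupdate delete %s IN TLSA %s\nsend\n' "$1" "$2" "$3"
}

# Seconds to wait between publishing the new record and installing the new
# certificate: the record TTL plus the RRSIG validity period, so that no
# validating resolver can still hold a signed RRset lacking the new record.
# (Assumed rule for this example; the thread uses two weeks for a one-week
# signature validity, i.e. a larger margin.)
# $1 ttl seconds, $2 rrsig validity seconds
safe_wait_seconds() {
    echo $(( $1 + $2 ))
}

# Usage (placeholders): ./tlsa-hook.sh /path/to/new/cert.pem
# Pipe a printed batch into "nsupdate -k /path/to/tsig.key" to apply it.
if [ "$#" -ge 1 ]; then
    new=$(tlsa_rdata "$(spki_sha256 "$1")")
    tlsa_add_batch example.net. _25._tcp.mail.example.net. 3600 "$new"
    echo "# wait $(safe_wait_seconds 3600 604800)s before installing the cert"
fi
```

Because the hook only ever adds the new record first and deletes the old one in a separate, later run, both certificates validate throughout the rollover window; the wait function is what ties that window to the zone's TTL and signature lifetime rather than to a human remembering to do it.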