On 02/19/2017 05:39 AM, KT Walrus wrote:
That's one of the reasons I don't like Let's Encrypt, with one year certs it is 
easier to look at the certs and see what is going to expire in the coming month 
needing a new private key.

I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it 
seems to generate a new private key every time.

Yeah that would be a problem for me because I implement DANE.

Every time I change the private key -

A) I have to make a TLSA record for the new key
B) I have to let that key propagate in DNS while the old cert is active. I use an 8-hour TTL for DNS records, so that takes 16 hours (twice the TTL)
C) Then I can switch to the new key / cert in the server.

I use TLSA records for everything TLS, even Dovecot - despite the fact I am not aware of any IMAP clients that will validate via DANE - because it is the right thing to do and sooner or later IMAP clients will support DNSSEC and DANE.

Having to do that every three months for every service I run, I really do not see what real-world benefit I or my users would gain.
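The rollover steps A to C above, written up as a small Python helper (an added example, not code from the thread): it derives the "3 1 1" TLSA RDATA (DANE-EE, SubjectPublicKeyInfo, SHA-256, per RFC 6698) from a constructed Ed25519 public key, and checks the twice-the-TTL wait before the server is switched to the new key. The record name, TTL and key bytes are constructed sample values.

```python
"""TLSA (DANE) key-rollover helper. Added example; sample values are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410): the 32-byte raw key follows.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_der(raw_pubkey: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    return _ED25519_SPKI_PREFIX + raw_pubkey


def tlsa_3_1_1(spki: bytes) -> str:
    """RDATA for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return f"3 1 1 {hashlib.sha256(spki).hexdigest()}"


@dataclass(frozen=True)
class TlsaRecord:
    rdata: str
    published_at: int  # epoch seconds when the record was added to the zone


def safe_to_switch(records: Iterable[TlsaRecord], new_rdata: str, ttl: int, now: int) -> bool:
    """Step C is allowed only after step B: the new key's TLSA record has been
    published for at least 2*TTL (8h TTL -> 16h), so every resolver cache that
    still holds the old RRset has expired and refetched it with the new record."""
    match: Optional[TlsaRecord] = next((r for r in records if r.rdata == new_rdata), None)
    if match is None:
        return False  # step A not done: the new key is not in the zone at all
    return now - match.published_at >= 2 * ttl


if __name__ == "__main__":
    # Constructed keys and timings; the name is a sample, not a real zone.
    old_key, new_key = bytes(range(32)), bytes(range(32, 64))
    ttl = 8 * 3600
    old_rr = TlsaRecord(tlsa_3_1_1(spki_der(old_key)), published_at=0)
    new_rr = TlsaRecord(tlsa_3_1_1(spki_der(new_key)), published_at=1_000)
    zone = [old_rr, new_rr]  # step A: both records live while the old cert serves
    print("_25._tcp.mail.example.com. IN TLSA", new_rr.rdata)
    for t in (1_000 + ttl, 1_000 + 2 * ttl):
        print(f"t=+{(t - 1_000) // 3600}h switch allowed:", safe_to_switch(zone, new_rr.rdata, ttl, t))
```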
