On 2017-10-13 at 20:15 +0200, Philip Paeps wrote:
> On 2017-10-13 13:02:35 (-0500), Chris Adams wrote:
> >Once upon a time, Kostya Vasilyev <kmans...@gmail.com> said:
> >>The app "remembers" the SSL certs it has seen for a particular server 
> >>/ port, and if, when it connects, it finds that the cert has changed -
> >>
> >>- it flags this as an error and requires the user to decide if he/she 
> >>wants to proceed (displaying information about the "last known" and 
> >>the "new" certificates).
> >
> >Aside from your Google-related questions, this is going to be a problem 
> >with anybody using Let's Encrypt certs, as they'll typically change 
> >every two months.
> 
> I hope the original poster's software checks if the *key* changes and 
> not the *certificate*.
> 
> In the case of letsencrypt.org certificates, they're simply reissued / 
> resigned every two months.  The keys don't change.

Nope. Many Let's Encrypt bots do create new keys. And that's part of the
point of using short-lived certificates.

Of course, there are cases where it is not practical; the certificate
pinning mentioned by Luis on his blog is a good example that precludes
simply generating a new one at renewal time.

But if you are only using them for your clients to authenticate with the
PKI, I would consider generating new ones to be the right configuration.


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
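The distinction the thread turns on (comparing the whole certificate versus comparing only its public key) is easy to get wrong in a trust-on-first-use client. The following is an added example, not code from any poster, the app under discussion or Let's Encrypt: it builds a throwaway Ed25519 CA in memory, issues leaf certificates for the same host with the same key and then with a fresh key, and runs each connection through a TOFU store that remembers both the SHA-256 of the DER certificate and the SHA-256 of the SubjectPublicKeyInfo. It goes slightly beyond the thread by also showing the byte-identical reconnect case. The hostname, port, common names and the in-memory store are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of comparing a presented leaf with what the client remembered for a host:port.
type Verdict string

const (
	FirstSeen       Verdict = "first-seen"       // nothing remembered yet: trust on first use
	Unchanged       Verdict = "unchanged"        // byte-identical certificate
	SameKeyReissued Verdict = "same-key-reissue" // new certificate, same SubjectPublicKeyInfo
	KeyChanged      Verdict = "key-changed"      // new public key: stop and ask the user
)

// Pins is what the TOFU store remembers per host:port: SHA-256 of the whole DER certificate and of its SPKI.
type Pins struct{ Cert, SPKI string }
type Store map[string]Pins // in-memory stand-in for a persisted store (assumption)

func PinsOf(c *x509.Certificate) Pins {
	return Pins{fmt.Sprintf("%x", sha256.Sum256(c.Raw)), fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))}
}

// Check records a reissue that kept the key silently, but leaves the store untouched on a key change.
func (s Store) Check(hostport string, c *x509.Certificate) Verdict {
	now := PinsOf(c)
	old, seen := s[hostport]
	switch {
	case !seen:
		s[hostport] = now
		return FirstSeen
	case old.Cert == now.Cert:
		return Unchanged
	case old.SPKI == now.SPKI:
		s[hostport] = now
		return SameKeyReissued
	default:
		return KeyChanged
	}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	return k
}

// sign plays the CA: with ca == nil it makes the self-signed root, otherwise a leaf for subject's key.
// A fresh serial and validity window on every call means the DER differs even when the key is unchanged.
func sign(ca *x509.Certificate, caKey, subject ed25519.PrivateKey, cn string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 3, 0),
		IsCA:                  ca == nil,
		BasicConstraintsValid: true,
	}
	if ca == nil {
		ca = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, subject.Public(), caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Scenario replays the thread: first contact, a reconnect, a renewal that kept the key, a renewal with a new key.
func Scenario() []Verdict {
	caKey, keptKey, freshKey := newKey(), newKey(), newKey()
	ca := sign(nil, caKey, caKey, "Example Root", 1)
	const host = "imap.example.test" // hypothetical server
	store, first := Store{}, sign(ca, caKey, keptKey, host, 2)
	return []Verdict{
		store.Check(host+":993", first),
		store.Check(host+":993", first),
		store.Check(host+":993", sign(ca, caKey, keptKey, host, 3)),
		store.Check(host+":993", sign(ca, caKey, freshKey, host, 4)),
	}
}

func main() {
	fmt.Println(Scenario()) // [first-seen unchanged same-key-reissue key-changed]
}
```

The third connection is the case Philip describes: a reissued certificate whose bytes, serial and validity differ but whose SubjectPublicKeyInfo is identical, so a key-based check stays quiet where a whole-certificate check would prompt. The fourth is the case Nicolas raises: a renewal whose client generated a new key, which any TOFU check has to surface. Note that Check deliberately does not overwrite the stored pins on a key change, so the "last known" values are still available to show the user alongside the new ones.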
