Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Viktor Dukhovni via Exim-users
On Mon, Sep 21, 2020 at 02:07:00PM -0600, Dan Egli via Exim-users wrote: > You didn't answer my main question of how do I determine if I need to > upgrade my LetsEncrypt certificates. If you're not using DANE, there's nothing special you need to do with your Let's Encrypt certificates. Just run

Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Dan Egli via Exim-users
On 9/21/2020 2:39 AM, Jeremy Harris via Exim-users wrote: On 21/09/2020 09:34, Dan Egli via Exim-users wrote: Forgive me for being a bit dense, but I'm new to the SSL world. I have certificates by LetsEncrypt, generated about a month ago. Where and how do I look to determine if I need new certif

Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Richard James Salts via Exim-users
On Monday, 21 September 2020 6:39:35 PM AEST Jeremy Harris via Exim-users wrote: > On 21/09/2020 09:34, Dan Egli via Exim-users wrote: > > Forgive me for being a bit dense, but I'm new to the SSL world. I have > > certificates by LetsEncrypt, generated about a month ago. Where and how > > do I loo

Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Jeremy Harris via Exim-users
On 21/09/2020 09:34, Dan Egli via Exim-users wrote: > Forgive me for being a bit dense, but I'm new to the SSL world. I have > certificates by LetsEncrypt, generated about a month ago. Where and how > do I look to determine if I need new certificates. And what's with the > TLSA DNS entries? I've ne

Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Dan Egli via Exim-users
On 9/21/2020 1:51 AM, Viktor Dukhovni via Exim-users wrote: https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane that the "backup" CAs should also be listed, as LE might need to switch to using them in an emergency without prior notice. Therefore the

Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Viktor Dukhovni via Exim-users
On Mon, Sep 21, 2020 at 04:23:55AM -0200, Viktor Dukhovni via Exim-users wrote: > Links to the actual certificates can be found at: > > https://letsencrypt.org/certificates/ > https://letsencrypt.org/certs/lets-encrypt-r3.pem > https://letsencrypt.org/certs/lets-encrypt-e1.pem >

[exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-20 Thread Viktor Dukhovni via Exim-users
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E1". https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html If you ar