DANE and upcoming LE issuer certs

Don't stop with just R3/E1. At any moment, Let's Encrypt can switch to the backup facility and start issuing from R4/E2 without prior notice. You should rather put all the possible TLSA records in; that means the current X3 and X4 and the future R3/E1 and R4/E2.

Also, don't forget to configure the server to provide the proper intermediary certificate, otherwise those TLSA records are useless.

3 Likes
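
To illustrate the two points in the post above, here is an added example (not part of the original post) that models how a DANE client matches TLSA records against the chain a server actually sends. It assumes trust-anchor records of the form `2 1 1`, uses constructed byte strings in place of real certificates, and leaves out signature and name checks; `tlsa_data`, `dane_match` and `scenarios` are hypothetical names.

```python
import hashlib

def tlsa_data(cert_der, spki_der, selector, mtype):
    """Certificate association data (RFC 6698) as lowercase hex."""
    blob = cert_der if selector == 0 else spki_der   # 0 = full cert, 1 = public key (SPKI)
    if mtype == 0:
        return blob.hex()                            # exact match, no hash
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], blob).hexdigest()

def dane_match(served_chain, rrset):
    """Return (usage, selector, mtype, cert_name) for the first match, else None.

    served_chain: [(name, cert_der, spki_der), ...], leaf first, as sent by the server.
    rrset: [(usage, selector, mtype, hex_data), ...] as published in DNS.
    Simplified model: only the matching step, no signature or hostname checks.
    """
    for usage, selector, mtype, data in rrset:
        if usage == 3:                    # DANE-EE: compare with the leaf only
            candidates = served_chain[:1]
        elif usage == 2:                  # DANE-TA: compare with the issuer certs the
            candidates = served_chain[1:]  # server sent; the client has no other copy
        else:
            continue                      # PKIX usages 0/1 are out of scope here
        for name, cert, spki in candidates:
            if tlsa_data(cert, spki, selector, mtype) == data.lower():
                return (usage, selector, mtype, name)
    return None

# Constructed stand-ins: opaque bytes instead of real DER, not real Let's Encrypt keys.
def fake(name):
    return (name, b"cert:" + name.encode(), b"spki:" + name.encode())

LEAF, R3, R4 = fake("leaf"), fake("R3"), fake("R4")

def ta_record(cert):
    """Build a '2 1 1' record (DANE-TA, SPKI, SHA-256) for an issuer certificate."""
    return (2, 1, 1, tlsa_data(cert[1], cert[2], 1, 1))

def scenarios():
    only_r3, both = [ta_record(R3)], [ta_record(R3), ta_record(R4)]
    return {
        "R3 published, issued by R3": dane_match([LEAF, R3], only_r3),
        "R3 published, issuer switched to R4": dane_match([LEAF, R4], only_r3),
        "R3+R4 published, issuer switched to R4": dane_match([LEAF, R4], both),
        "R3+R4 published, intermediate not sent": dane_match([LEAF], both),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {'match ' + result[3] if result else 'NO MATCH'}")
```

A `None` result corresponds to a DANE validation failure: either the issuer changed to one with no published record, or the matching issuer certificate never reached the client.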