How to keep the cert hash throughout the renewal process?

I’m testing Let’s Encrypt certificates with postfix mail server and it works fine
(well, still need to figure out why posttls-finger says “Untrusted TLS
connection established”, but the cert itself technically works fine).

What I’m currently trying to set up is a combination of LE valid cert +
DANE TLSA verification as an additional security measure to prevent
a man-in-the-middle attack. So far - so good. Currently it’s working for
mx.go6lab.si:

[root@bgp-research /]# posttls-finger mx.go6lab.si
posttls-finger: using DANE RR: _25._tcp.mx.go6lab.si IN TLSA 3 1 1 C6:9E:2F:18:9F:D3:94:33:1B:3C:63:0D:8A:7B:F7:2F:B5:DB:7C:43:56:C2:37:FA:38:37:08:07:BB:3E:89:45
posttls-finger: Connected to mx.go6lab.si[2001:67c:27e4::23]:25
posttls-finger: mx.go6lab.si[2001:67c:27e4::23]:25: depth=0 matched end entity public-key sha256 digest=C6:9E:2F:18:9F:D3:94:33:1B:3C:63:0D:8A:7B:F7:2F:B5:DB:7C:43:56:C2:37:FA:38:37:08:07:BB:3E:89:45
posttls-finger: mx.go6lab.si[2001:67c:27e4::23]:25: Matched subjectAltName: mx.go6lab.si
posttls-finger: mx.go6lab.si[2001:67c:27e4::23]:25 CommonName mx.go6lab.si
posttls-finger: mx.go6lab.si[2001:67c:27e4::23]:25: subject_CN=mx.go6lab.si, issuer_CN=Let’s Encrypt Authority X1, fingerprint=08:26:D5:4D:AA:10:9B:D9:5D:3C:22:79:33:B8:FB:2A:AE:F0:DB:8E, pkey_fingerprint=5E:27:22:E0:44:A7:DC:A1:3D:55:5F:B7:B5:E5:F4:87:4B:58:43:9F
posttls-finger: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Problem is, that certificate is valid just for 3 months and then I need
to renew it. If I use 3 1 1 selectors mechanism for TLSA record and
renew the certificate without regenerating the CSR (with other CAs),
the cert hash remains the same and TLSA then remains the same. It would
probably not work with 3 0 1 selectors, but that’s another story. Same goes with
DANE for websites.

Sooo… being said that - is there an option to tell letsencrypt-auto
client not to regenerate CSR but use the same one every time so hash
doesn’t change?

I tried to use letsencrypt-auto and specify the latest .pem file in the /etc/letsencrypt/csr/ directory, but it exits with an error saying that it can’t load the CSR. I tried to create a CSR from the LE private key, but got the same error.

Any suggestions how I could renew LE certificate and keep the hash the same so I can leave my TLSA 3 1 1 record intact?

Cheers and thnx, Jan Zorz

This is not possible. But you can use the same key:

Also look at:


See https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ for a detailed walk-through of the recommended approach.
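
The reply above says the key can be reused across renewals. As an added example (not code from this thread or from the Let's Encrypt client), the following script uses openssl to show why that keeps a `3 1 1` record valid while a `3 0 1` record would break. Assumptions: the name `mx.example.test` is a placeholder, and two self-signed certificates stand in for the CA-issued certificate before and after renewal.

```shell
#!/bin/sh
# Added example (not from the thread). A TLSA "3 1 1" record is the SHA-256
# of the DER SubjectPublicKeyInfo, so it follows the key pair; "3 0 1" is
# the SHA-256 of the whole certificate and changes at every issuance.

# Hex SHA-256 of whatever DER arrives on stdin.
sha256_hex() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Hex SHA-256 of a PEM public key on stdin, taken over its DER SPKI form.
spki_hash() { openssl pkey -pubin -outform DER | sha256_hex; }

# TLSA 3 1 1 digest from a private key, a CSR, or a certificate (PEM files).
tlsa311_from_key()  { openssl pkey -in "$1" -pubout | spki_hash; }
tlsa311_from_csr()  { openssl req -in "$1" -noout -pubkey | spki_hash; }
tlsa311_from_cert() { openssl x509 -in "$1" -noout -pubkey | spki_hash; }

# TLSA 3 0 1 digest from a certificate (PEM file).
tlsa301_from_cert() { openssl x509 -in "$1" -outform DER | sha256_hex; }

# Constructed fixture in directory $1: one key, one CSR made from it, and
# two self-signed certificates standing in for the certificate before and
# after a renewal that reuses the key (assumption: a CA-issued certificate
# carries the CSR's public key unchanged).
make_renewal_fixture() {
    subj="/CN=mx.example.test"   # placeholder name
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -subj "$subj" -out "$1/req.pem" &&
    openssl req -new -x509 -key "$1/key.pem" -subj "$subj" -days 90 \
        -out "$1/old.pem" &&
    openssl req -new -x509 -key "$1/key.pem" -subj "$subj" -days 90 \
        -out "$1/new.pem"
}

demo() {
    dir=$(mktemp -d) && make_renewal_fixture "$dir" || return 1
    echo "3 1 1 from key:      $(tlsa311_from_key  "$dir/key.pem")"
    echo "3 1 1 from CSR:      $(tlsa311_from_csr  "$dir/req.pem")"
    echo "3 1 1 from old cert: $(tlsa311_from_cert "$dir/old.pem")"
    echo "3 1 1 from new cert: $(tlsa311_from_cert "$dir/new.pem")"
    echo "3 0 1 from old cert: $(tlsa301_from_cert "$dir/old.pem")"
    echo "3 0 1 from new cert: $(tlsa301_from_cert "$dir/new.pem")"
    rm -rf "$dir"
}
demo
```

Running `tlsa311_from_cert` on a freshly renewed certificate and comparing the result with the published TLSA record before reloading the mail server catches an accidental key change.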