(What’s a “holiday”?)
And what is DANE? DNSSEC at your registrar makes sure you get the correct IP address when you want to connect, while a DANE TLSA record (signed by DNSSEC) will give information about the SSL/TLS certificate you can expect at the specific service you are connecting to. So perfect forward secrecy for Apache, Postfix, stunnel, etc.
I’ve just about got LE set up for DANE, but I don’t know some functions of certbot. Here’s what I have so far:
DANE with LetsEncrypt is a problem because LE certs expire every 90 days, but the public cert must be hashed at the registrar. So force LE to use my CSR, for the same public cert hash every time. (Unchanging cert) Make a point to manually change certs once/year.
- Edit /etc/letsencrypt/csr-quantum-equities.com.conf
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
organizationName = ''
commonName = quantum-equities.com
emailAddress = ‘’
subjectAltName = @alt_names
DNS.1 = mail.quantum-equities.com
DNS.2 = www.quantum-equities.com
… other domains
- # openssl req -new -sha512 -key /etc/letsencrypt/live/quantum-equities.com/privkey.pem -out /etc/letsencrypt/csr-quantum-equities.com.csr -subj '/CN=quantum-equities.com' -config /etc/letsencrypt/csr-quantum-equities.com.conf - Use this CSR to obtain an LE cert: # systemctl stop httpd # certbot certonly --csr /etc/letsencrypt/csr-quantum-equities.com.csr -d quantum-equities.com 2: Spin up a temporary webserver (standalone) # mv 0000_cert.pem /etc/letsencrypt/archive/quantum-equities.com/cert1.pem # mv 0000_chain.pem /etc/letsencrypt/archive/quantum-equities.com/chain1.pem # mv 0001_chain.pem /etc/letsencrypt/archive/quantum-equities.com/fullchain1.pem ... other domains
So far, so good. Now I have my LE certs in place, but how to renew? I needed certonly, to get my initial certs with a custom --csr, so I doubt that certbot will be happy with a simple run. (although it does work with --dryrun) My understanding is that certs fetched with certonly, can not be renewed with a run.
Assuming that is not true, I can just update with a regular run and --csr to specify the same cert over and over so DANE doesn’t get upset.
Assuming the above is true, I’ll need to make a script of some sort.