Executive Summary: When using LE certificates, which feature 90-day expirations and automated renewal, be sure to avoid publishing “3 0 1” and “3 0 2” DANE TLSA records. Automated renewal of LE certificates will result in a new certificate digest (fingerprint) and willl invalidate your TLSA records. …

Please avoid "3 0 1" and "3 0 2" DANE TLSA records with LE certificates

ietf-dane January 30, 2016, 9:59pm 6

Yes, while including root CAs in the chain may be unusual without DANE, it is required with DANE if you want to use a root CA as a DANE-TA(2) trust-anchor. See:

Understanding SMTP DANE implementation options

Topic		Replies	Views
A DANE-friendly Certbot workflow Help	4	2186	September 23, 2021
DANE and upcoming LE issuer certs Issuance Tech	18	5980	November 25, 2020
DANE TLSA and reuse-key Help	3	811	January 14, 2024
Current + Next DANE key rollover and rotation for 3 1 1 TLSA records Issuance Tech	1	3394	January 22, 2021
Automating LE certificate renewal for use with DANE Help	1	1369	January 8, 2017

Please avoid "3 0 1" and "3 0 2" DANE TLSA records with LE certificates

Related topics