Short chain and DANE

I mean, I was wrong again. I did not have all four intermediates. But this had me find a way to check.

I'm not sure this works that well, though:

dig tlsa _25._tcp.mailserver.example. +short | awk '{print $4$5}' | xargs -I{} curl -s 'https://crt.sh/?spkisha256={}&output=json' | jq '.[].id' | xargs -I{} echo 'https://crt.sh/?id={}'

(there is no json output on ?id, it looks like)

3 Likes

Quick tech note: you probably missed the +nosplit option in the dig manpage. It avoids the need for fragile hacks to try to restitch the output.

Anyway, I am not sure what searching crt.sh achieves. The check you need is against a current complete list of the intermediates used by Let's Encrypt, and I don't see how the crt.sh lookup of just the TLSA RRs you're using does that.

The right thing to do is to put a "gate" between your actual live certificates, and what the ACME client gives you, and check that the obtained certificate chain matches your TLSA records, before installing them into the actual location where your mailserver loads its certificates.

If the match fails, you have 30 days to discover why ACME gave you a non-matching chain and to fix the problem.

You could also mark on your calendar a task to check the LE certificate page once or twice a year, and do any necessary housekeeping, since you might be publishing TLSA records matching retired CAs, which the "gate" above won't catch.

Once you do have a list of the "active" intermediate CA certs, you can easily compute their key digests without queries to crt.sh.

2 Likes

Indeed.

My goal was going from hash to key/certificate, because I was not sure what I had in my records. (And not all of them were from LE; there was a lot of rubbish.)

The opposite one-liner should be:

find certs -name '*.pem' | xargs -I{} sh -c 'openssl x509 -in {} -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum' | cut -f1 -d" " | xargs -I{} echo "_25._tcp.mailserver.example. 10800 IN TLSA 2 1 1 {}"

where certs/ has every intermediate in pem format.

3 Likes
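The "gate" described in the second reply (check the chain the ACME client hands you against the published TLSA RRset before installing it) and the hash computation of the last one-liner, as one added example. This is not code from the thread or from any ACME client; it is a stand-alone Python script using only the standard library, so it runs without openssl or dig and shows exactly which bytes a "2 1 1" record hashes (the whole DER SubjectPublicKeyInfo element). Everything in it is an assumption for illustration: the function names, the owner name _25._tcp.mailserver.example. borrowed from the thread, and two constructed, unsigned certificates standing in for a leaf and an intermediate. In real use you would pass the client's fullchain.pem and the RRset from dig +nosplit, and copy the chain into the directory the mail server loads only when gate() returns ok.

```python
"""TLSA gate for an ACME-issued chain, standard library only. Added example for
this thread, not code from the posts or from any ACME client: function names,
the constructed certificates and the sample RRset are assumptions. Real input is
the client's fullchain.pem and `dig +nosplit tlsa _25._tcp.mailserver.example.`."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(bundle: bytes) -> list[bytes]:
    """DER certificates of a PEM bundle in file order (leaf first in fullchain.pem)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]


def _tlv_split(buf: bytes) -> list[bytes]:
    """Top-level DER elements of buf, each as tag+length+value (X.509 uses 1-byte tags)."""
    out, i = [], 0
    while i < len(buf):
        start, n, i = i, buf[i + 1], i + 2
        if n & 0x80:                        # long form: low bits count the length bytes
            cnt = n & 0x7F
            n, i = int.from_bytes(buf[i:i + cnt], "big"), i + cnt
        i += n
        out.append(buf[start:i])
    return out


def _value(tlv: bytes) -> bytes:
    """Value part of one DER element."""
    return tlv[2:] if tlv[1] < 0x80 else tlv[2 + (tlv[1] & 0x7F):]


def spki_der(cert_der: bytes) -> bytes:
    """Whole SubjectPublicKeyInfo TLV: what TLSA selector 1 hashes, the same bytes
    `openssl x509 -pubkey | openssl pkey -pubin -outform DER` emits.
    tbsCertificate = [version] serial signature issuer validity subject SPKI ..."""
    fields = _tlv_split(_value(_tlv_split(_value(cert_der))[0]))
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version is optional
        fields = fields[1:]
    return fields[5]


def tlsa_digest(cert_der: bytes, selector: int, mtype: int) -> str:
    """Hex digest for selector 0 (full cert) / 1 (SPKI), matching type 1 (SHA-256) / 2 (SHA-512)."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()


def tlsa_records_for(bundle: bytes, owner: str = "_25._tcp.mailserver.example.") -> list[str]:
    """'2 1 1' records for each issuer in the bundle (the reverse one-liner, in Python)."""
    return [f"{owner} 10800 IN TLSA 2 1 1 {tlsa_digest(c, 1, 1)}" for c in pem_to_der(bundle)[1:]]


def gate(bundle: bytes, published: list[tuple[int, int, int, str]]):
    """(ok, stale) for a fresh chain against the RRset given as (usage, selector, mtype, hex).
    Usage 3 must match the leaf, usage 2 an issuer in the chain; dig prints upper-case hex,
    so it is lower-cased. ok: some record matches, so DANE validates once installed.
    stale: records matching nothing here (normal mid-rollover, otherwise housekeeping)."""
    certs = pem_to_der(bundle)
    leaf, issuers = certs[0], certs[1:]
    matched, stale = [], []
    for rec in published:
        usage, sel, mt, hexd = rec
        candidates = [leaf] if usage == 3 else issuers if usage == 2 else []
        if any(tlsa_digest(c, sel, mt) == hexd.lower() for c in candidates):
            matched.append(rec)
        else:
            stale.append(rec)
    return bool(matched), stale


# --- constructed test data: structurally valid but unsigned X.509, useless for TLS ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _name(cn: str) -> bytes:                # SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))))


def fake_cert(cn: str, key: bytes) -> bytes:
    """Constructed certificate whose SPKI wraps `key` as an rsaEncryption BIT STRING."""
    sig_alg = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSAEncryption
    rsa_alg = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00")  # rsaEncryption
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + key))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, b"\xa0\x03\x02\x01\x02" + _tlv(0x02, b"\x01") + sig_alg
               + _name(cn) + validity + _name(cn) + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 33))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf, issuer = fake_cert("mailserver.example", b"L" * 64), fake_cert("R3 (constructed)", b"R" * 64)
    chain = to_pem(leaf) + to_pem(issuer)
    # Constructed RRset: the current issuer plus a record left over from a retired CA.
    ok, stale = gate(chain, [(2, 1, 1, tlsa_digest(issuer, 1, 1).upper()), (2, 1, 1, "00" * 32)])
    print("install" if ok else "REFUSE", "stale:", stale)
    print("\n".join(tlsa_records_for(chain)))
```

The gate passes as soon as one published record matches the right certificate for its usage, which is what a DANE verifier requires, and it reports the records that match nothing so the housekeeping case from the thread (a record still pointing at a retired intermediate) is visible rather than silently tolerated. The DER walker only needs to find the sixth field of tbsCertificate, so it deliberately does no signature or validity checking; that is the ACME client's and the verifier's job, not the gate's.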
