Fix typos, make screenshot a progressive JPEG.
This commit is contained in:
parent 6e1c5bc28e
commit 98aed49586
@ -6,7 +6,7 @@ description: >
on my server that uses SSL certificates from Let's Encrypt.
date: 2024-10-03T09:26:58Z
draft: false
# ShowLastmod: true
ShowLastmod: true
toc: true
scrolltotop: true
tags:
@ -14,9 +14,9 @@ tags:
- certificate
---
I have been operating my own mail server for some 10+ years. Recently, some
I have been operating my own mail server for some 10 years. Recently, some
e-mails that others attempted to send to me any my family would not longer be
delivered. This is a very unfortunate situation, because most people will not
delivered. This is a very unfortunate situation, because most senders will not
make a second attempt (e.g., with a different recipient address), leave alone
provide you with an error message. However, luckily, this morning (Reunification
Day in Germany!), I received this screenshot:
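Review bot: the typo fix in this hunk leaves two typos standing in the unchanged context line "e-mails that others attempted to send to me any my family would not longer be": "any my" should read "and my" and "would not longer" should read "would no longer". Since the commit message is "Fix typos", that line deserves a touch too, and "leave alone provide you with an error message" in the following context line reads better as "let alone provide you with an error message".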
@ -36,7 +36,7 @@ trial and error, I found the following resource most useful:
<https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>
Key points:
Key points from this and other pages to remember:
- When using TLSA RR in the form `2 1 1 ...`, i.e., declaring that the payload
(`...`) of the record is the digest of a "trust anchor", be aware that this
@ -56,7 +56,7 @@ their page linked to above has a list of mail servers that still use a TLSA
record with a _retired_ CA from Let's Encrypt -- and that list contains
`bovender.de' :-/ I guess it's about time to fix that!
## Let's Eencrypt's chains of trust
## Let's Encrypt's chains of trust
Let's Encrypt's chains of trust are described here:
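Review bot: besides the heading fix, the context line "`bovender.de' :-/" opens an inline code span with a backtick and closes it with an apostrophe, so Markdown will not render the domain as code and the stray backtick may swallow text up to the next one; change it to `bovender.de` with a closing backtick.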
@ -71,7 +71,7 @@ Let's Encrypt lists four active intermediate CAs:
- R10 and R11 for certificates with RSA public keys
To find out which of the two algorithms (ECDSA and RSA) was used to generate
your mail server's certificate, SSH into your server, navigate to
your mail server's certificate, ssh into your server, navigate to
`/etc/letsencrypt/live/<mailserver-certificate-name>` as root and issue:
```text
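Review bot: lowercasing "SSH into" to "ssh into" is a style choice, but since the sentence means the command it would be clearer to write it as `ssh` in backticks, matching how `certbot` and the `/etc/letsencrypt/live/...` path are formatted in the same post; "SSH" in capitals is the usual spelling when the protocol is meant. Pick one form and use it throughout.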
@ -93,7 +93,9 @@ Certificate:
Thus, my mail server's current (!) certificate was issued by **R11**.
This may be different in the future. For example, currently my web server's certificate uses the ECDSA algorithm:
This may be different in the future when the certificate is renewed.
Currently my web server's certificate uses the ECDSA algorithm:
```text
$ cd ../bovender/
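Review bot: the new sentence "This may be different in the future when the certificate is renewed." is the justification for publishing TLSA records for both R10 and R11, but that connection is left for the reader to make; a half-sentence such as "which is why the zone needs a `2 1 1` record for each of the two active RSA intermediates, not only for R11" would make clear that a record for the current issuer alone would fail DANE validation after a renewal that lands on the other intermediate.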
@ -177,7 +179,7 @@ the pound sign (`#`) MUST NOT be included in the record, of course.
2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 # R11
```
Following the advice by "~viktor" on [ISI.edu][isi], I have left only those two
Following the advice by _viktor_ on [ISI.edu][isi], I have left only those two
records in my DNS zone that represent currently used intermediate CAs (R10 and
R11). I know that `certbot` will not issue ECDSA certificates for my mail server
because the configuration file (see above) contains the line `key_type=RSA`. My
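Review bot: the context lines after the `_viktor_` change rest on `key_type=RSA` in the renewal configuration to justify keeping only the R10 and R11 records; if that setting is ever switched to ECDSA, the zone with only those two records will fail DANE validation at the next renewal and delivery will break again in the same silent way the post opens with. An explicit warning next to that sentence, e.g. "if you change the key type, publish the records for the ECDSA intermediates before the next renewal", would save a future reader (or the author) that outage.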
@ -186,14 +188,14 @@ web server as [Chrome and Firefox do not support it][dane].
## Verify the validity of the TLSA record
To test the DANE works as expected, try one of these sites:
To test that DANE works as expected, try one of these sites:
- <https://www.mailhardener.com/tools/dane-validator?domain=bovender.de>
- <https://dane.sys4.de/smtp/bovender.de>
- <https://www.nslookup.io/domains/bovender.de/dns-records/tlsa/>
Place this into your DNS records and wait for the updated records to propagate
worldwide.
Query TLSA records:
- <https://www.nslookup.io/domains/_25._tcp.bovender.de/dns-records/tlsa/>
## "Die Moral von der Geschicht"
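Review bot: the first nslookup.io link in this hunk queries TLSA records for `bovender.de` itself, while the SMTP record lives at `_25._tcp.bovender.de`, which is exactly what the second nslookup.io link under "Query TLSA records:" asks for; the apex query will most likely show no records, so drop the first link or change its name to the `_25._tcp` form. Also, "Place this into your DNS records and wait for the updated records to propagate worldwide." sits under the "Verify the validity of the TLSA record" heading after the list of validators, which reads out of order; it belongs before the verification step.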
Binary file not shown.
Before: 441 KiB. After: 306 KiB.