diff --git a/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md b/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md index 29d3c49..bb0f7ed 100644 --- a/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md +++ b/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md @@ -6,7 +6,7 @@ description: > on my server that uses SSL certificates from Let's Encrypt. date: 2024-10-03T09:26:58Z draft: false -# ShowLastmod: true +ShowLastmod: true toc: true scrolltotop: true tags: @@ -14,9 +14,9 @@ tags: - certificate --- -I have been operating my own mail server for some 10+ years. Recently, some +I have been operating my own mail server for some 10 years. Recently, some e-mails that others attempted to send to me any my family would not longer be -delivered. This is a very unfortunate situation, because most people will not +delivered. This is a very unfortunate situation, because most senders will not make a second attempt (e.g., with a different recipient address), leave alone provide you with an error message. However, luckily, this morning (Reunification Day in Germany!), I received this screenshot: @@ -36,7 +36,7 @@ trial and error, I found the following resource most useful: -Key points: +Key points from this and other pages to remember: - When using TLSA RR in the form `2 1 1 ...`, i.e., declaring that the payload (`...`) of the record is the digest of a "trust anchor", be aware that this @@ -56,7 +56,7 @@ their page linked to above has a list of mail servers that still use a TLSA record with a _retired_ CA from Let's Encrypt -- and that list contains `bovender.de' :-/ I guess it's about time to fix that! -## Let's Eencrypt's chains of trust +## Let's Encrypt's chains of trust Let's Encrypt's chains of trust are described here: 
@@ -71,7 +71,7 @@ Let's Encrypt lists four active intermediate CAs: - R10 and R11 for certificates with RSA public keys To find out which of the two algorithms (ECDSA and RSA) was used to generate -your mail server's certificate, SSH into your server, navigate to +your mail server's certificate, ssh into your server, navigate to `/etc/letsencrypt/live/` as root and issue: ```text @@ -93,7 +93,9 @@ Certificate: Thus, my mail server's current (!) certificate was issued by **R11**. -This may be different in the future. For example, currently my web server's certificate uses the ECDSA algorithm: +This may be different in the future when the certificate is renewed. + +Currently my web server's certificate uses the ECDSA algorithm: ```text $ cd ../bovender/ @@ -177,7 +179,7 @@ the pound sign (`#`) MUST NOT be included in the record, of course. 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 # R11 ``` -Following the advice by "~viktor" on [ISI.edu][isi], I have left only those two +Following the advice by _viktor_ on [ISI.edu][isi], I have left only those two records in my DNS zone that represent currently used intermediate CAs (R10 and R11). I know that `certbot` will not issue ECDSA certificates for my mail server because the configuration file (see above) contains the line `key_type=RSA`. My @@ -186,14 +188,14 @@ web server as [Chrome and Firefox do not support it][dane]. ## Verify the validity of the TLSA record -To test the DANE works as expected, try one of these sites: +To test that DANE works as expected, try one of these sites: - - -- -Place this into your DNS records and wait for the updated records to propagate -worldwide. +Query TLSA records: + +- ## "Die Moral von der Geschicht" 
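Review bot: the rewording in the `@@ -14,9 +14,9 @@` hunk ("10+ years" to "10 years", "most people" to "most senders") leaves three typos standing on the unchanged context lines of the same paragraph: "to me any my family" should read "to me and my family", "would not longer be delivered" should read "would no longer be delivered", and "leave alone provide you with an error message" should read "let alone provide you with an error message". Since the hunk already touches the lines on either side of them, fix all three in this change.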
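Review bot: the new heading line in the `@@ -36,7 +36,7 @@` hunk, "Key points from this and other pages to remember:", is hard to parse because "to remember" is separated from "Key points"; "Key points to remember from this and the other resources:" says the same thing more directly.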
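Review bot: the typo fix in the `@@ -56,7 +56,7 @@` hunk ("Eencrypt" to "Encrypt") is correct, but the context line just above it quotes the domain with mismatched delimiters, a backtick before and an apostrophe after (`bovender.de'), which leaves an unterminated code span in Markdown. Close it with a backtick while this region is being edited.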
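Review bot: lowercasing "SSH" to "ssh" in the `@@ -71,7 +71,7 @@` hunk mixes two conventions: the capitalised form is the protocol name, the lowercase form is the command, and every other command or path in these lines (`/etc/letsencrypt/live/`, `certbot`) is set in backticks. Either keep "SSH into your server" or write "use `ssh` to log in to your server" so the lowercase form is consistently marked as a command.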
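Review bot: the new sentence in the `@@ -93,7 +93,9 @@` hunk, "This may be different in the future when the certificate is renewed.", is the security-relevant point of the whole post and deserves one more clause: a renewed RSA certificate may be issued by either of the two active RSA intermediates (R10 or R11, per the list above this hunk), so a `2 1 1` TLSA record that matches only the intermediate currently in use stops validating after the next renewal. Stating that here explains why the post later keeps records for both R10 and R11 rather than only for the one that signed the current certificate.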
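Review bot: the attribution change in the `@@ -177,7 +179,7 @@` hunk (from a quoted "~viktor" to italic _viktor_) drops the tilde without saying why; if "~viktor" is how the name appears on the linked ISI.edu page, keep it verbatim so readers can locate the post. On the surrounding lines, keeping only the R10 and R11 records ties DANE validation to Let's Encrypt's current intermediate set, which is the very failure mode the post opened with (a _retired_ CA still listed in the zone); add a sentence that the RRset has to be re-checked whenever Let's Encrypt announces new intermediates, or mention the alternative of a `3 1 1` record matching the mail server's own public key, which stays valid across renewals as long as the key is reused (certbot's `--reuse-key` option) and does not depend on intermediates at all.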
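Review bot: the `@@ -186,14 +188,14 @@` hunk removes the sentence "Place this into your DNS records and wait for the updated records to propagate worldwide", which was the only instruction to let the new records propagate before testing; a test run too early may be answered from a cached copy of the old RRset and not reflect the change. Keep a one-line reminder under "Query TLSA records:" to wait at least the zone's TTL, or to query the authoritative name servers directly, before trusting a result. Also, the two items under "try one of these sites" and the single item under "Query TLSA records:" appear as empty list entries in this view of the diff; confirm that the links are present in the source file and not lost in the rewrite.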
diff --git a/content/posts/2024/dane-tlsa-record-for-letsencrypt/outlook-error.jpg b/content/posts/2024/dane-tlsa-record-for-letsencrypt/outlook-error.jpg index a743cae..fef7574 100644 Binary files a/content/posts/2024/dane-tlsa-record-for-letsencrypt/outlook-error.jpg and b/content/posts/2024/dane-tlsa-record-for-letsencrypt/outlook-error.jpg differ
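Review bot: the replacement of `outlook-error.jpg` is a binary diff with nothing in the patch describing what changed; since the post presents this file as a screenshot of someone else's bounce message, confirm that sender and recipient addresses remain redacted in the new image, and describe the change (re-crop, redaction, resolution) in the commit message so the binary update can be reviewed.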