daniel/blog
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix typos, make screenshot a progressive JPEG.

Browse Source
This commit is contained in:
daniel 2024-10-04 07:17:33 +02:00
parent 6e1c5bc28e
commit 98aed49586
2 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md
View File

@ -6,7 +6,7 @@ description: >
on my server that uses SSL certificates from Let's Encrypt. on my server that uses SSL certificates from Let's Encrypt.
date: 2024-10-03T09:26:58Z date: 2024-10-03T09:26:58Z
draft: false draft: false
# ShowLastmod: true ShowLastmod: true
toc: true toc: true
scrolltotop: true scrolltotop: true
tags: tags:
@ -14,9 +14,9 @@ tags:
- certificate - certificate
--- ---
I have been operating my own mail server for some 10+ years. Recently, some I have been operating my own mail server for some 10 years. Recently, some
e-mails that others attempted to send to me any my family would not longer be e-mails that others attempted to send to me any my family would not longer be
delivered. This is a very unfortunate situation, because most people will not delivered. This is a very unfortunate situation, because most senders will not
make a second attempt (e.g., with a different recipient address), leave alone make a second attempt (e.g., with a different recipient address), leave alone
provide you with an error message. However, luckily, this morning (Reunification provide you with an error message. However, luckily, this morning (Reunification
Day in Germany!), I received this screenshot: Day in Germany!), I received this screenshot:
@ -36,7 +36,7 @@ trial and error, I found the following resource most useful:
<https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html> <https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>
Key points: Key points from this and other pages to remember:
- When using TLSA RR in the form `2 1 1 ...`, i.e., declaring that the payload - When using TLSA RR in the form `2 1 1 ...`, i.e., declaring that the payload
(`...`) of the record is the digest of a "trust anchor", be aware that this (`...`) of the record is the digest of a "trust anchor", be aware that this
@ -56,7 +56,7 @@ their page linked to above has a list of mail servers that still use a TLSA
record with a _retired_ CA from Let's Encrypt -- and that list contains record with a _retired_ CA from Let's Encrypt -- and that list contains
`bovender.de' :-/ I guess it's about time to fix that! `bovender.de' :-/ I guess it's about time to fix that!
## Let's Eencrypt's chains of trust ## Let's Encrypt's chains of trust
Let's Encrypt's chains of trust are described here: Let's Encrypt's chains of trust are described here:
@ -71,7 +71,7 @@ Let's Encrypt lists four active intermediate CAs:
- R10 and R11 for certificates with RSA public keys - R10 and R11 for certificates with RSA public keys
To find out which of the two algorithms (ECDSA and RSA) was used to generate To find out which of the two algorithms (ECDSA and RSA) was used to generate
your mail server's certificate, SSH into your server, navigate to your mail server's certificate, ssh into your server, navigate to
`/etc/letsencrypt/live/<mailserver-certificate-name>` as root and issue: `/etc/letsencrypt/live/<mailserver-certificate-name>` as root and issue:
```text ```text
@ -93,7 +93,9 @@ Certificate:
Thus, my mail server's current (!) certificate was issued by **R11**. Thus, my mail server's current (!) certificate was issued by **R11**.
This may be different in the future. For example, currently my web server's certificate uses the ECDSA algorithm: This may be different in the future when the certificate is renewed.
Currently my web server's certificate uses the ECDSA algorithm:
```text ```text
$ cd ../bovender/ $ cd ../bovender/
@ -177,7 +179,7 @@ the pound sign (`#`) MUST NOT be included in the record, of course.
2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 # R11 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 # R11
``` ```
Following the advice by "~viktor" on [ISI.edu][isi], I have left only those two Following the advice by _viktor_ on [ISI.edu][isi], I have left only those two
records in my DNS zone that represent currently used intermediate CAs (R10 and records in my DNS zone that represent currently used intermediate CAs (R10 and
R11). I know that `certbot` will not issue ECDSA certificates for my mail server R11). I know that `certbot` will not issue ECDSA certificates for my mail server
because the configuration file (see above) contains the line `key_type=RSA`. My because the configuration file (see above) contains the line `key_type=RSA`. My
@ -186,14 +188,14 @@ web server as [Chrome and Firefox do not support it][dane].
## Verify the validity of the TLSA record ## Verify the validity of the TLSA record
To test the DANE works as expected, try one of these sites: To test that DANE works as expected, try one of these sites:
- <https://www.mailhardener.com/tools/dane-validator?domain=bovender.de> - <https://www.mailhardener.com/tools/dane-validator?domain=bovender.de>
- <https://dane.sys4.de/smtp/bovender.de> - <https://dane.sys4.de/smtp/bovender.de>
- <https://www.nslookup.io/domains/bovender.de/dns-records/tlsa/>
Place this into your DNS records and wait for the updated records to propagate Query TLSA records:
worldwide.
- <https://www.nslookup.io/domains/_25._tcp.bovender.de/dns-records/tlsa/>
## "Die Moral von der Geschicht" ## "Die Moral von der Geschicht"

BIN
content/posts/2024/dane-tlsa-record-for-letsencrypt/outlook-error.jpg
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 441 KiB

After

Width:  |  Height:  |  Size: 306 KiB