ACME Server with reuse-key // LE Ending Expiration Notification

Today I got the information:

We’re writing to inform you that we intend to discontinue sending expiration notification emails. You can learn more in this blog post. You will receive this reminder email again in the coming months:

This is very disappointing, as the reminders were my last resort for renewing my certificates in practice.

Unfortunately, this is necessary because no server can handle the automatic renewal without replacing the private key.

Therefore, I have to generate a new TLSA key in time every time, which is a bit annoying. But if I miss it, my DANE is broken.

I would gladly do without the reminder emails if the ACME server would renew the certificate with reuse-key like …

certbot renew --quiet --reuse-key

Is there any possibility to configure the ACME-Server right?

AFAIK, every ACME CA can renew the cert without replacing the private key, and certainly Let’s Encrypt can. Whether NS8 can is a separate question, but the issue then is on the client side, not on the server side.

Can’t you use the intermediate CA keys for this purpose? Edit: Yes, you can–and you should. As with the misbegotten HPKP, if you’re going to pin public keys, they should be the public keys of your certificate authority. In the case of Let’s Encrypt, they’re currently issuing from both R10 and R11, so you’d need to pin both (or the ECC CAs, if you’re using one of those).

Hi @danb35 ,

Thanks for thinking along. But there may be a misunderstanding.

I don’t attach any certificates at all. With the help of a TLSA generator, I generate a TLSA key in the DNS from the public key (and no other one).

This in turn, together with a suitable SPF record, ensures the authenticity of my mail server.

I can only generate the TLSA key from the public key.

If the private key remains unchanged, I don’t have to generate a new TLSA key and it doesn’t matter that the LE-Cert is renewed.

*._tcp.mail.dargels.de.	3600	IN	TLSA	2 1 1 2bbad93ab5c79279ec12…
mail.dargels.de.	86400	IN	TXT	"v=spf1 a mx ~all"

https://stats.dnssec-tools.org/explore/?dargels.de

https://de.ssl-tools.net/mailservers/dargels.de

Of course you don’t; you pin public keys (more accurately, hashes of public keys), which is what I said. But you should be pinning the public keys of the certificate authority, not those corresponding to your own certificates.

Edit: previous discussion of this here:

If you need to be manually updating anything when you get a new cert, you’re doing something very wrong.

2 Likes

Where can I get them?

manually updating anything when you get a new cert

I only renew the certificates manually to prevent the TLSA key from expiring.

If I miss the expiry date of the certificate, it will of course renew itself. But with the consequences described, which I try to proactively avoid.

They’re part of every single cert you get from any CA. Every certificate contains its public key (and other information), and every CA issues certs through intermediate CAs, the certificates (and thus public keys) for which are included in the certificate you receive. So you, or anyone else connecting via TLS to your properly-configured server, will receive the cert for the intermediate CA. Run openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum on that cert (or really, each of those certs as discussed below) to generate the hash for the TLSA record.

In the case of Let’s Encrypt, the certs are also posted here:

If you want to be on the safe side, pin the public keys for E5, E6, R10, and R11. If you know that you only use RSA certs, you can just pin R10 and R11; if only ECC, just E5 and E6. You’ll still need to update periodically, as intermediates do change, but this would be an “every few years” thing rather than “every couple of months.”

2 Likes
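Added example, not part of the original thread or any poster's code: a Python sketch of what the hash in a TLSA record with selector 1 and matching type 1 covers (SHA-256 over the DER SubjectPublicKeyInfo), showing that a renewal which keeps the key leaves the record unchanged while a new key changes it. Usage 3 pins the server's own key and usage 2 pins a CA key; the certificates are constructed, unsigned skeletons, and `der`, `fake_cert`, `KEY_A` and `KEY_B` are names made up for the illustration.

```python
import hashlib
import ssl

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the complete SubjectPublicKeyInfo element of a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)    # enter Certificate
    _, pos, _ = read_tlv(cert_der, pos)  # enter tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _ in range(5):  # skip serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_rdata(cert_der, usage):
    """TLSA rdata with selector 1 (SPKI) and matching type 1 (SHA-256)."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der(cert_der)).hexdigest()}"

def tlsa_from_pem(pem_text, usage):
    """Same, for a single PEM certificate such as a downloaded intermediate."""
    return tlsa_rdata(ssl.PEM_cert_to_DER_cert(pem_text), usage)

# Constructed sample data: unsigned skeletons, only the field layout is real.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def fake_cert(serial, key_bytes):
    empty = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + empty * 4 + der(0x30, key_bytes))
    return der(0x30, tbs + empty + der(0x03, b"\x00"))

KEY_A, KEY_B = b"constructed-public-key-A" * 8, b"constructed-public-key-B" * 8
first = fake_cert(1, KEY_A)     # original certificate
same_key = fake_cert(2, KEY_A)  # renewal that kept the key (--reuse-key)
new_key = fake_cert(3, KEY_B)   # renewal with a fresh key
```

For a real intermediate, pass the text of its PEM file to `tlsa_from_pem(pem_text, 2)` and publish one record per intermediate.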

Crazy, I downloaded the PEM file and used it for generating a new (!) TLSA key.

The key is identical to my previous one.

The old certificate I used for the first TLSA key was from the NS8 server using this method (Path to the certs? - #6 by capote).
And it was precisely this certificate that I used for the TLSA key. And it is precisely these keys that become obsolete when the certificate is changed.

I am confused…

Because Let’s Encrypt issues from both intermediates. Which is why I said to make TLSA records for both R10 and R11.

1 Like

Ok, I understand. I don’t see a way to hash both certs into one TLSA key.
And it’s not possible to generate two different TLSA records.

Of course it is:

If your DNS host doesn’t permit it, that’s a strong reason to change DNS providers.

You’re right, my second attempt worked and I was able to generate the second key.
Thank you very much!