Hi,

On Thu, 16 Nov 2023 15:12:15 -0500, Viktor Dukhovni via Exim-users <exim-users@lists.exim.org> wrote:

> I don't recommend DANE-TA(2), and encourage use of DANE-EE(3) instead.

I am far from a DANE expert, but my understanding is that DANE-TA is good for one's own CAs, where one has full control over the (intermediate) CA's certs and their renewals. If one uses that for a foreign CA, sooner or later one can meet an unexpected CA certificate replacement, and monitoring can only avoid the problem persisting for a long time, but not avoid it happening. Right?

> You do however need to be more sophisticated about any key rollovers
> that you do perform from time to time.

IMO it doesn't need to be that sophisticated. I still don't use DANE yet, but I am in the preparation stage for it. For now I already have the SMTP cert with a persistent key. I have a deploy (shell) script on the MX which detects certificate change (systemd path unit), and on change it compares the old and new cert's keys and, if they match, it copies the new certificate to the right place (and exim auto-reloads it). This part has been working for some time (months) already. If the keys don't match, it has to reject the cert update/replace and notify me (as I need to manually modify DNS), but this part is not tested yet. The notification contains the new required TLSA-EE value(s), thus it can simply be switched to automate the TLSA change when my provider starts to support that.

> I have a partial (usable work-in-progress) solution to that workflow
> for "certbot" in the form of:
>
> https://github.com/tlsaware/danebot
>
> Any motivated and suitably skilled volunteers?

I took a quick look at it. I am not very open to a "wrapper" solution. Does it do something that is not possible from certbot's deploy hook?

regards

--
Slavko
https://www.slavino.sk
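The deploy-hook logic Slavko describes (compare the public key of the old and new certificate, accept the renewal on a match, otherwise reject it and report the TLSA value DNS would need), as an added example in POSIX shell; it is neither Slavko's script nor part of danebot, assumes only the openssl CLI, and the paths in the usage comment are placeholders:

```shell
#!/bin/sh
# Added example (not the original poster's script): core of a certbot-style
# deploy hook for a "persistent key" DANE-EE(3) setup. Assumes openssl is
# installed. Certificate paths are placeholders chosen by the caller.
set -u

# DER-encoded SubjectPublicKeyInfo of the first certificate in a PEM file
# (for a fullchain file that is the end-entity cert). This is what TLSA
# selector 1 (SPKI) covers.
spki_der() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER
}

# TLSA "3 1 1" association data: SHA-256 over the DER SPKI, lowercase hex.
tlsa_311() {
    spki_der "$1" | openssl dgst -sha256 -r | awk '{print $1}'
}

# Exit 0 when both certificates carry the same public key, 1 otherwise.
same_key() {
    [ "$(tlsa_311 "$1")" = "$(tlsa_311 "$2")" ]
}

# Decide what the hook should do with a renewed certificate:
#   "install" -> key unchanged, the existing TLSA 3 1 1 record still
#                matches, the cert can be copied into place and reloaded;
#   "reject"  -> key changed, keep the old cert and print the TLSA value
#                the DNS record would have to carry before switching.
# Usage: check_renewal /path/to/current.pem /path/to/renewed/fullchain.pem
check_renewal() {
    old="$1" new="$2"
    if same_key "$old" "$new"; then
        echo install
        return 0
    fi
    echo reject
    echo "new TLSA record data: 3 1 1 $(tlsa_311 "$new")" >&2
    return 1
}
```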