On Thu, Nov 23, 2023 at 12:25:19PM +0000, Alan Munday via Postfix-users wrote:
> > > It may be prudent to mark your calendar to check the Let's Encrypt
> > > certificate page once or twice a year, and make appropriate changes if
> > > new intermediate issuer CAs are introduced, or extant ones retired.
> > >
> > > https://letsencrypt.org/certificates/
>
> Can I check I have not missed something here.
>
> When I use Viktor's chaingen.sh I get a TLSA 3 1 1 which matches the
> TLSA 2 1 1 above.

That's because you're trying to use "chaingen.sh" on just the chain file
with the issuer CAs, rather than the complete chain with the server
certificate *followed* by the issuer CAs.

For Let's Encrypt, therefore, you need to either concatenate the "cert"
and "fullchain" (not really) files:

    h=$(uname -n)   # or whatever MX hostname you use
    l=$(uname -n)   # or whatever "lineage" name is pertinent
    d=/etc/letsencrypt/live/$l
    eechain=$(mktemp -t fullchain.XXXXXX)
    # EE certificate first, then the issuer CAs. chain.pem holds only the
    # issuers; certbot's fullchain.pem already starts with the leaf, so
    # prepending cert.pem to it would list the leaf twice.
    cat "$d/cert.pem" "$d/chain.pem" > "$eechain"
    chaingen.sh "$eechain" "$h"
    rm "$eechain"

or just know that all the issuer CA usages should be "2" not "3" when
running "chaingen" on a partial chain that is missing the end-entity (EE,
i.e. leaf or server) certificate.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
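As an added illustration of the point in this reply (this is example code written for this page; it is neither Viktor's chaingen.sh nor part of Postfix or certbot), the POSIX shell script below prints one TLSA record per certificate in a PEM bundle: usage 3 (DANE-EE) for the first certificate and usage 2 (DANE-TA) for every issuer after it, with selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA2-256). To make the two runs from the thread comparable offline it also builds a constructed, throwaway root/intermediate/leaf PKI laid out like certbot's live/ directory (cert.pem, chain.pem, fullchain.pem). The host name mx.example.test, the Test-* subject names and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the "chaingen" idea discussed above.
# For a PEM bundle ordered EE-first, print one TLSA record per certificate:
# usage 3 (DANE-EE) for the first, usage 2 (DANE-TA) for every issuer after
# it, selector 1 (SPKI) and matching type 1 (SHA2-256) throughout.

# newkey: generate a fresh P-256 key while creating a CSR or self-signed cert.
newkey() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes "$@"
}

# tlsa_from_chain BUNDLE.pem HOST
tlsa_from_chain() {
    chain=$1
    host=$2
    tmp=$(mktemp -d)
    # Split the bundle into 001.pem, 002.pem, ... preserving chain order.
    awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/%03d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$chain"
    usage=3   # first certificate: the end-entity (leaf) cert
    for f in "$tmp"/*.pem; do
        # SHA-256 over the DER SubjectPublicKeyInfo, i.e. selector 1 / type 1
        spki=$(openssl x509 -in "$f" -noout -pubkey \
               | openssl pkey -pubin -outform DER \
               | openssl dgst -sha256 \
               | sed 's/^.*= *//')
        printf '_25._tcp.%s. IN TLSA %s 1 1 %s\n' "$host" "$usage" "$spki"
        usage=2   # every later certificate is an issuer CA
    done
    rm -rf "$tmp"
}

# make_test_chain DIR: constructed test data, not a real Let's Encrypt chain.
# Builds root -> intermediate -> leaf and lays the files out like certbot's
# live/ directory: cert.pem (leaf), chain.pem (issuers), fullchain.pem (both).
make_test_chain() {
    d=$1
    newkey -x509 -keyout "$d/root.key" -out "$d/root.pem" \
        -subj /CN=Test-Root -days 1 2>/dev/null
    newkey -new -keyout "$d/int.key" -out "$d/int.csr" \
        -subj /CN=Test-Intermediate 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 1 -out "$d/int.pem" 2>/dev/null
    newkey -new -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj /CN=mx.example.test 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 2 -days 1 -out "$d/leaf.pem" 2>/dev/null
    cp "$d/leaf.pem" "$d/cert.pem"
    cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# demo: the mistake from the thread (issuers-only bundle) next to the
# correct run on the complete, EE-first bundle.
demo() {
    d=$(mktemp -d)
    make_test_chain "$d"
    echo '# chain.pem (issuers only): the intermediate is mislabelled 3 1 1'
    tlsa_from_chain "$d/chain.pem" mx.example.test
    echo '# fullchain.pem (EE first): 3 1 1 for the leaf, 2 1 1 for issuers'
    tlsa_from_chain "$d/fullchain.pem" mx.example.test
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
    "")     : ;;    # no arguments: only define the functions
    *)      tlsa_from_chain "$1" "${2:-$(uname -n)}" ;;
esac
```

Run it as `sh tlsa-chain.sh --demo` to see the issuer-only bundle produce a "3 1 1" for the intermediate (the mismatch described in the thread) and the EE-first bundle produce "3 1 1" for the leaf followed by "2 1 1" for each issuer. Against a real lineage, `sh tlsa-chain.sh /etc/letsencrypt/live/NAME/fullchain.pem mx.example.com` is enough, because certbot's fullchain.pem is cert.pem followed by chain.pem and so already has the end-entity certificate first.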