On Sun, Dec 06, 2015 at 12:38:21AM +0000, Viktor Dukhovni wrote:

> My DANE SMTP survey has so far found 19 domains with 11 distinct
> LE certificates, whose expiration dates are:
>
>   2 ; Expiration = 2016-02-01T10:02:00Z
>   1 ; Expiration = 2016-02-02T14:15:00Z
>   1 ; Expiration = 2016-02-02T14:29:00Z
>   1 ; Expiration = 2016-02-08T15:58:00Z
>   4 ; Expiration = 2016-02-08T19:45:00Z
>   2 ; Expiration = 2016-02-14T20:07:00Z
>   3 ; Expiration = 2016-02-18T11:48:00Z
>   2 ; Expiration = 2016-02-22T03:22:00Z
>   1 ; Expiration = 2016-02-22T05:57:00Z
>   1 ; Expiration = 2016-02-28T00:02:00Z
>   1 ; Expiration = 2016-03-02T21:45:00Z
>
> IIRC automated renewal attempts kick in after 60 days with 90 days
> total, so I'll not see how well the combination of LE certificate
> renewal with DANE TLSA records works for these users until the
> beginning of January.
I might note that the 11 distinct certificates are associated with 12
distinct MX hosts, for which the TLSA record types are:

  8 3 0 1 - Breaks with automated key rotation sans DNS update
  1 3 0 2 - Breaks with automated key rotation sans DNS update
  2 3 1 1 - Works if certificate rotation leaves the key unchanged
  1 2 0 1 - Works provided issuer certificate is unchanged.

The "2 0 1" site published a TLSA record for the LE intermediate issuer
CA, not the ultimate root CA. That seems to have a 5 year lifetime, but
it is not clear how often a new intermediate will be fielded. That user
will have to watch out for that:

  Subject    = CN=Let's Encrypt Authority X1,O=Let's Encrypt,C=US
  Issuer     = CN=DST Root CA X3,O=Digital Signature Trust Co.
  Not before = 2015-10-19T22:33:36Z
  Not after  = 2020-10-19T22:33:36Z

-- 
	Viktor.
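The survey above groups MX hosts by TLSA selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and says which ones survive an automated renewal. The following script, added here as an illustration and not part of the message or of any Let's Encrypt tooling, reproduces that behaviour locally: it generates throwaway self-signed test certificates (the hostname mx.example.test, serial numbers and keys are all constructed for the example; no Let's Encrypt certificates are involved), publishes the "3 0 1" and "3 1 1" hashes for the first one, then checks them against a re-issued certificate that keeps the same key and against one that rotates the key. It assumes a working `openssl` command line; usage 2 records (issuer-CA hashes, the "2 0 1" case) are not exercised because a self-signed certificate is its own issuer.

```shell
#!/bin/sh
# Added example, not from the original post: which TLSA selector/matching-type
# combinations survive a certificate renewal that keeps the key, versus one
# that rotates it. Requires the `openssl` CLI; all material is generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# der_for_selector CERT SELECTOR: DER bytes that a TLSA record of that
# selector is computed over (0 = full certificate, 1 = SubjectPublicKeyInfo)
der_for_selector() {
    case $2 in
        0) openssl x509 -in "$1" -outform DER ;;
        1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        *) echo "unsupported selector $2" >&2; return 1 ;;
    esac
}

# tlsa_hash CERT SELECTOR MTYPE: lowercase hex "certificate association data"
# (matching type 1 = SHA-256, 2 = SHA-512; type 0, the raw DER, is omitted)
tlsa_hash() {
    case $3 in
        1) dgst=sha256 ;;
        2) dgst=sha512 ;;
        *) echo "unsupported matching type $3" >&2; return 1 ;;
    esac
    der_for_selector "$1" "$2" | openssl dgst "-$dgst" | awk '{print $NF}'
}

# tlsa_record NAME USAGE SELECTOR MTYPE CERT: zone-file line for port 25
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA %s %s %s %s\n' "$1" "$2" "$3" "$4" \
        "$(tlsa_hash "$5" "$3" "$4")"
}

# issue_cert OUT KEY SERIAL: self-signed 90-day test certificate (the LE
# lifetime); the serial makes each issuance a distinct DER blob
issue_cert() {
    openssl req -x509 -new -key "$2" -out "$1" -subj "/CN=mx.example.test" \
        -days 90 -set_serial "$3" 2>/dev/null
}

# setup: one original certificate plus two "renewals", one on the same key
# and one on a freshly generated key (constructed test data)
setup() {
    [ -f "$WORK/cert3.pem" ] && return 0
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/key1.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/key2.pem" 2>/dev/null
    issue_cert "$WORK/cert1.pem" "$WORK/key1.pem" 1001   # original
    issue_cert "$WORK/cert2.pem" "$WORK/key1.pem" 1002   # renewal, same key
    issue_cert "$WORK/cert3.pem" "$WORK/key2.pem" 1003   # renewal, new key
}

# record_survives OLD NEW SELECTOR MTYPE: succeeds when the record published
# for OLD still matches NEW, i.e. no DNS update would be needed
record_survives() {
    [ "$(tlsa_hash "$1" "$3" "$4")" = "$(tlsa_hash "$2" "$3" "$4")" ]
}

setup
echo "Records published for the original certificate:"
tlsa_record mx.example.test 3 0 1 "$WORK/cert1.pem"
tlsa_record mx.example.test 3 1 1 "$WORK/cert1.pem"
for sel in 0 1; do
    for new in cert2 cert3; do
        if record_survives "$WORK/cert1.pem" "$WORK/$new.pem" "$sel" 1; then
            r="still matches"
        else
            r="BREAKS"
        fi
        echo "3 $sel 1 after renewal to $new: $r"
    done
done
```

Run as-is, the "3 0 1" line breaks on both renewals (the DER changes whenever the serial or validity changes), while "3 1 1" survives the same-key renewal and breaks only when the key rotates; "3 1 2" behaves the same as "3 1 1" with a different digest. The check in `record_survives` is the one to run against the new certificate before a renewal is deployed, and to pair with a DNS update whenever it fails.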