On Wed, Sep 28, 2016 at 01:55:06AM -0700, li...@lazygranch.com wrote:

> I didn't like the Let's Encrypt 90 day deal with mysterious upload to your
> server. It bugs me.

You're mistaken about how LE works.  There is no remote control of
your server, or any externally imposed update.  They provide a
script you can run from "cron" or similar to refresh your certificates.

You can run it as you see fit, and use it in a variety of ways.
Including obtaining new certs for the same underlying key (convenient
for DANE), and either deploying certs to where they're used live,
or somewhere else, where code you write can take care of automated
deployment, or just send you a reminder and you do the deployment
manually.

The only external influence on your server is the 90-day expiration,
so you have to do something every 90 days, which encourages automation
over manual processes, which is a good thing IMHO.

The fine folks at "mailinabox.org" seem to have put together a nice
turnkey email server that, among other things, includes
integration with Let's Encrypt and DNS updates for DANE, so it all
"just works" (TM).

Indeed out of the 2215 distinct live DANE server certs I'm tracking,
353 are "mailinabox" servers, and unlike some other servers, whose
operators need occasional reminders to not forget to update TLSA
records after changing keys, the mailinabox servers never seem to
mess up.  They just "magically" continue to have valid TLSA records
across multiple key and certificate renewals.  So far, I'm quite
impressed.

-- 
        Viktor.
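The point above about renewing certificates on the same underlying key, and why that keeps DANE TLSA records valid across renewals, can be shown with a few openssl commands. The script below is an added example, not code from the original post, from Let's Encrypt or from mailinabox; it assumes the openssl CLI is installed, uses self-signed certificates as stand-ins for what an ACME client would hand back (no network access), and the host name mail.example.test is made up. It computes the "3 1 1" (DANE-EE, SubjectPublicKeyInfo, SHA-256) TLSA data for two certificates issued on one key and for a third issued on a fresh key.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.
# Shows that a TLSA "3 1 1" record depends only on the public key, so a
# certificate renewed on the same key needs no DNS change, while a key
# rollover does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# tlsa_311 CERT: print the TLSA 3 1 1 association data for a PEM certificate
# (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, type 1 = SHA-256).
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | od -An -v -tx1 | tr -d ' \n'
}

# tlsa_record HOST PORT CERT: the full resource record you would publish.
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311 "$3")"
}

# issue_cert KEY OUT: self-signed stand-in for one "renewal" on KEY.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=mail.example.test" \
        -days 90 -out "$2" 2>/dev/null
}

# Key 1: two renewals, same key (what --reuse-key style workflows do).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/key1.pem" 2>/dev/null
issue_cert "$WORK/key1.pem" "$WORK/cert1.pem"
issue_cert "$WORK/key1.pem" "$WORK/cert2.pem"

# Key 2: a key rollover, which is when the TLSA record must be updated first.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/key2.pem" 2>/dev/null
issue_cert "$WORK/key2.pem" "$WORK/cert3.pem"

echo "renewal 1:  $(tlsa_record mail.example.test 25 "$WORK/cert1.pem")"
echo "renewal 2:  $(tlsa_record mail.example.test 25 "$WORK/cert2.pem")"
echo "new key:    $(tlsa_record mail.example.test 25 "$WORK/cert3.pem")"
```

The first two records are identical even though the certificates differ, which is why a cron-driven renewal on a reused key never breaks DANE; the third differs, so on a key rollover the new TLSA record has to be published (alongside the old one) and allowed to propagate before the new key goes live. Current certbot releases expose this as the --reuse-key option.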
