On Thu, Jan 21, 2021 at 06:46:41PM -0500, Theodore Knab wrote:

> I think I keep mine simpler, so mine shouldn't fail in April as long as
> my cronjob auto updates the SSL Cert.
If you're not using SNI with indexed file tables (cdb, lmdb, hash, or btree), then your certificate chains are read directly from the source PEM files, and these are generally sufficient to keep things fresh and valid.

With DANE and Let's Encrypt, the public key should generally be managed *outside* the ACME client (such as certbot), with the TLSA records set to "3 1 1" (public key hash). Certificate renewal should use "extant" keys, with a new key only added once the new matching TLSA RR (published along with the current TLSA RR) has been in place for sufficiently many TTLs. So it takes a bit more care to do the cert rollover correctly.

-- 
Viktor.
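The "3 1 1" rollover sequence described above, as an added example that is not part of Viktor's post: it builds the TLSA records for the current and new keys, checks that a certificate's key is already covered by a published record before it is installed, and only reports the switch as safe once the new record has aged enough TTLs. It assumes the DER SubjectPublicKeyInfo of each key has been extracted beforehand (e.g. with openssl); the two keys and the owner name are constructed placeholders.

```python
"""DANE TLSA '3 1 1' key rollover helper (added example, stdlib only)."""
import hashlib

# Constructed SPKI DER blobs: Ed25519 AlgorithmIdentifier prefix + 32-byte key.
# These are placeholders, not real deployment keys.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))
NEW_SPKI = ED25519_SPKI_PREFIX + bytes(range(32, 64))


def tlsa_311_digest(spki_der: bytes) -> str:
    """Hex SHA-256 of the DER SPKI: the data field of a '3 1 1' TLSA record."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_record(owner: str, spki_der: bytes) -> str:
    """Zone-file line for a DANE-EE(3), SPKI(1), SHA-256(1) record."""
    return f"{owner} IN TLSA 3 1 1 {tlsa_311_digest(spki_der)}"


def rollover_records(owner: str, current_spki: bytes, new_spki: bytes) -> list:
    """During rollover both keys are published: the current one keeps
    existing cached records valid, the new one pre-announces the change."""
    return [tlsa_record(owner, current_spki), tlsa_record(owner, new_spki)]


def cert_key_is_published(spki_der: bytes, published: list) -> bool:
    """Gate for the renewal hook: install a certificate only if its key
    already matches one of the TLSA records that are live in DNS."""
    digest = tlsa_311_digest(spki_der)
    return any(rec.split()[-1] == digest for rec in published)


def safe_to_switch(published_at: int, now: int, ttl_seconds: int,
                   min_ttls: int = 2) -> bool:
    """True once the new TLSA RR has been in DNS for at least min_ttls TTLs
    (epoch seconds), so resolver caches have had time to refresh it."""
    return now - published_at >= ttl_seconds * min_ttls


if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."  # constructed owner name
    for rec in rollover_records(owner, CURRENT_SPKI, NEW_SPKI):
        print(rec)
    print("new key covered:", cert_key_is_published(NEW_SPKI,
          rollover_records(owner, CURRENT_SPKI, NEW_SPKI)))
    print("safe after 2 TTLs of 3600s:", safe_to_switch(0, 7200, 3600))
```

Only after `safe_to_switch` is true should the certificate with the new key be installed; the old TLSA RR is removed last, once the old key is no longer served.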