-
Martin
> 15.09.24 18:36:18 - mdosch.de: Establishing a secure connection from mdosch.de to openim.de failed. Certificate hash: e848346b9b635ab1f58cafe6249547aaf3a83e07b35bb6330d742a2ea38a0a45. Error with certificate 0: no matching DANE TLSA records.
-
Menel
Openim is hotchilli?
-
Martin
Looks like:
> xmpp-dns -s openim.de
> xmpp-server jabber.hot-chilli.net. 5269
> Priority: 0 Weight: 0
-
ernst.on.tour
Roi (Admin from hot-chilli.net) has owned openim.de since last year.
- Roi removed by moderator
-
Roi
Menel, yes, openim.de migrated to us last year as the old admin wanted to shut down the server. https://jabber.hot-chilli.net/2023/03/30/openim-de/
-
Roi
But, hm, TLSA should be okay... There might be short temporary problems during cert rollover. Is it okay now?
-
Martin
My server still complains about DANE. :(
- a moderator removed a message
-
moparisthebest
> But, hm, TLSA should be okay... There might be short temporary problems during cert rollover. Is it okay now?
If that's a possibility you are doing it wrong... The easiest thing to do is not change keys, only certs
-
Roi
I'm using a Letsencrypt script. Is there an option to leave the keys?
-
Roi
But for this check everything is green: https://dane.sys4.de/smtp/openim.de
-
luca
What do you mean "not change keys, only certs"? I thought for every cert switch the TLSA records should be updated, as it leads to new hashes
-
Roi
luca, moparisthebest said that I am doing it wrong. So I thought maybe TLSA must not be changed when only changing certs, not keys.
-
moparisthebest
> What do you mean "not change keys, only certs"? I thought for every cert switch the TLSA records should be updated, as it leads to new hashes
If you change keys and update TLSA records then you'll need to get new certs like a week early, add the new keys while keeping the same old cert in use, and only after a week start using the new cert and remove old TLSA records
-
moparisthebest
Which is obviously a pain, but the only way to do it without breaking everyone for a time
-
moparisthebest
Roi: certbot surely has an option to keep the key the same, meaning you don't need to update TLSA ever if you want, but I can't say offhand what it is; I use acme.sh where this is the default
-
Roi
moparisthebest, okay, well, I have to dig into this. Even if the TLSA records have a TTL of 5 minutes, it is not perfect. But I update these records right after the cert. So yeah, 300 seconds. But I learned that still a lot of DNS servers and/or clients do not care about TTL...
-
moparisthebest
Yep, TTL is widely ignored :'(
-
moparisthebest
Roi: "reuse-key", assuming https://community.letsencrypt.org/t/certificate-renewal-using-the-same-private-key/173621 is right; then you don't need to change TLSA keys at all
-
moparisthebest
Assuming you are setting the key pinning ones and not the cert pinning ones :/
-
Menel
I do reuse keys, and if I'd like new ones, I'll generate a key manually, put the records for it up, and only after a day generate a new cert from it. Then the old TLSA can be deleted