PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates


Viktor Dukhovni
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
"2 1 1" records matching "X3" will not match "R3" or "E1".

  https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant
"2 1 1" records need to be augmented soon with additional records matching the new
"R3" and "E1", in advance of these reissuing your certificates.

Failure to act in time is likely to result in an outage once renewals switch to
signing via "R3" or "E1".

Links to the actual certificates can be found at:

        https://letsencrypt.org/certificates/
        https://letsencrypt.org/certs/lets-encrypt-r3.pem
        https://letsencrypt.org/certs/lets-encrypt-e1.pem

The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
re-compute these for yourself):

        ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
        ;
        _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D

        ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
        ;
        _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

The above were computed with the attached "tlsagen" script, but it is
prudent to also check with tools from other sources; this email message
could well have been a forgery (I hope your copy matches what I sent).

--
        Viktor.

Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

Viktor Dukhovni
On Mon, Sep 21, 2020 at 04:22:42AM -0200, Viktor Dukhovni wrote:

> Links to the actual certificates can be found at:
>
> https://letsencrypt.org/certificates/
> https://letsencrypt.org/certs/lets-encrypt-r3.pem
> https://letsencrypt.org/certs/lets-encrypt-e1.pem
>
> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
> re-compute these for yourself):
>
> ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
>
> ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

It was correctly noted in:

    https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane

that the "backup" CAs should also be listed, as LE might need to switch
to using them in an emergency without prior notice.

Therefore the full list of DANE-TA(2) digests to publish (when relying
on these rather than "3 1 1" records) is:

    ; (These can be retired soon, but not just yet)
    ;
    ; letsencryptauthorityx3.pem
    ; letsencryptauthorityx4.pem
    ;
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B

    ; (May not be needed if your leaf cert is RSA, ECDSA certs
    ; will I expect be soon signed with one of these).
    ;
    ; lets-encrypt-e1.pem
    ; lets-encrypt-e2.pem
    ;
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270

    ; (May not be needed if your leaf cert is ECDSA, once
    ; ECDSA certificate issuance cuts over to e1/e2).
    ;
    ; lets-encrypt-r3.pem
    ; lets-encrypt-r4.pem
    ;
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
    _25._tcp.smtp.example.org. IN TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77990F2D03

--
    Viktor.

Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

patpro
Hello,

Just to ensure I've understood this well: if I'm using "3 1 1" I don't need to change anything, right?

thanks
patpro

September 21, 2020 9:49 AM, "Viktor Dukhovni" <[hidden email]> wrote:

> On Mon, Sep 21, 2020 at 04:22:42AM -0200, Viktor Dukhovni wrote:
>
>> Links to the actual certificates can be found at:
>>
>> https://letsencrypt.org/certificates
>> https://letsencrypt.org/certs/lets-encrypt-r3.pem
>> https://letsencrypt.org/certs/lets-encrypt-e1.pem
>>
>> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
>> re-compute these for yourself):
>>
>> ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
>> ;
>> _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
>>
>> ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
>> ;
>> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
>
> It was correctly noted in:
>
> https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane
>
> that the "backup" CAs should also be listed, as LE might need to switch
> to using them in an emergency without prior notice.
>
> Therefore the full list of DANE-TA(2) digests to publish (when relying
> on these rather than "3 1 1" records) is:
>
> ; (These can be retired soon, but not just yet)
> ;
> ; letsencryptauthorityx3.pem
> ; letsencryptauthorityx4.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
>
> ; (May not be needed if your leaf cert is RSA, ECDSA certs
> ; will I expect be soon signed with one of these).
> ;
> ; lets-encrypt-e1.pem
> ; lets-encrypt-e2.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
>
> ; (May not be needed if your leaf cert is ECDSA, once
> ; ECDSA certificate issuance cuts over to e1/e2).
> ;
> ; lets-encrypt-r3.pem
> ; lets-encrypt-r4.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77990F2D03
>
> --
> Viktor.

Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

Viktor Dukhovni
On Mon, Sep 21, 2020 at 08:09:25AM +0000, [hidden email] wrote:

> Just to ensure I've understood this well: if I'm using "3 1 1" I don't
> need to change anything, right?

Correct.  But in that case, see:

    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html

which describes key rollover recommendations for "3 1 1".

I expect to have code soon for robust integration of DANE "3 1 1" with
EFF's "certbot" for Let's Encrypt.

--
    Viktor.

Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

patpro
September 21, 2020 10:13 AM, "Viktor Dukhovni" <[hidden email]> wrote:

> On Mon, Sep 21, 2020 at 08:09:25AM +0000, [hidden email] wrote:
>
>> Just to ensure I've understood this well: if I'm using "3 1 1" I don't
>> need to change anything, right?
>
> Correct. But in that case, see:
>
> https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
>
> which describes key rollover recommendations for "3 1 1".


thanks.


> I expect to have code soon for robust integration of DANE "3 1 1" with
> EFF's "certbot" for Let's Encrypt.

Oh, that would be really nice to have!

thank you,
patpro

Re: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

Viktor Dukhovni
On Mon, Sep 21, 2020 at 08:20:07AM -0400, micah anderson wrote:

> > Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
> > phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
> > "2 1 1" records matching "X3" will not match "R3" or "E1".
>
> Could you post the old record for the "X3" certificates? I think it
> might help to be able to find if one has it configured or not!

Below are all the hashes, for matching types SHA2-256(1) and SHA2-512(2),
of both the certificates (DANE selector Cert(0)) and their public keys
(DANE selector SPKI(1)).  Note, I do not recommend publishing anything
other than "2 1 1", but if you have used one of the other values, the
below list may be helpful, though one would really hope that you have
some idea of what's in your TLSA records and why...

In particular if you have hashes in your TLSA records that don't match
anything in your current certificate chain or in an upcoming update,
then delete them.  Random data you can't explain has no place in your
TLSA RRSet.


In the final analysis, "3 1 1" is starting to look not only more secure,
but also, perhaps surprisingly, simpler to manage.  The medium-term
stability of issuer CA certs lulls the user into unwise procrastination.

The DANE-TA(2) use-case is more appropriate for private CAs you yourself
control, than delegation of trust to a public CA, whose use of a
particular set of keys or certs is not under your control and may change
with little notice.

--
    Viktor.
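As an added example (not the "tlsagen" script attached to the first message, nor any Let's Encrypt or Postfix code), the Python below computes TLSA association data from a DER certificate for the selectors and matching types the thread lists, and audits a published RRset the way the last message advises, flagging records that match no certificate in the current or upcoming chain. It assumes only the standard library, walks DER with a minimal TLV parser, and runs on a constructed toy certificate rather than the real Let's Encrypt intermediates.

```python
import hashlib

def der_iter(buf):
    """Yield (tag, whole_tlv, value) for each DER element in buf (lengths < 2**32)."""
    pos = 0
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        end = pos + hdr + length
        yield tag, buf[pos:end], buf[pos + hdr:end]
        pos = end

def spki_from_cert(der):
    """SubjectPublicKeyInfo TLV: 7th field of tbsCertificate (6th if the [0] version is absent)."""
    _, _, cert_body = next(der_iter(der))              # Certificate ::= SEQ { tbs, sigAlg, sig }
    _, _, tbs = next(der_iter(cert_body))
    fields = list(der_iter(tbs))
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][1]

def tlsa_rdata(der, selector, mtype):
    """RFC 6698 association data: selector 0=Cert, 1=SPKI; matching type 0=full, 1=SHA2-256, 2=SHA2-512."""
    data = der if selector == 0 else spki_from_cert(der)
    if mtype == 0:
        return data.hex().upper()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest().upper()

def tlsa_record(owner, der, usage=2, selector=1, mtype=1):
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_rdata(der, selector, mtype)}"

def audit_tlsa(published, chain):
    """published: (usage, selector, mtype, hex) tuples; chain: {name: der}. Orphans match no cert."""
    matched, orphans = [], []
    for usage, sel, mt, hexval in published:
        hits = [n for n, der in chain.items() if tlsa_rdata(der, sel, mt) == hexval.upper()]
        (matched if hits else orphans).append((usage, sel, mt, hexval.upper(), hits))
    return matched, orphans

# Constructed toy certificate (correct DER shape, not a real or trusted cert) so this runs offline.
der_seq = lambda *items: b"\x30" + bytes([len(b"".join(items))]) + b"".join(items)  # short lengths only
_ALG = der_seq(b"\x06\x03\x2a\x03\x04")                # placeholder AlgorithmIdentifier
_NAME, _TIME = der_seq(), b"\x17\x0d" + b"200921000000Z"   # empty Name, UTCTime
TOY_SPKI = der_seq(_ALG, b"\x03\x05\x00\xde\xad\xbe\xef")
TOY_CERT = der_seq(der_seq(b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", _ALG, _NAME,
                           der_seq(_TIME, _TIME), _NAME, TOY_SPKI), _ALG, b"\x03\x02\x00\xff")
```

To reproduce the thread's "2 1 1" digests, convert a downloaded intermediate with `openssl x509 -in lets-encrypt-r3.pem -outform DER -out lets-encrypt-r3.der`, then call `tlsa_record("_25._tcp.smtp.example.org.", open("lets-encrypt-r3.der", "rb").read())`; feed `audit_tlsa` your published records plus the current and upcoming issuers to find entries to delete.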