Conversation

Replying to

and

Email server security depends on pinning the private key via a TLSA record. That means the regular certificate renewal process needs to reuse the same private key. Please read the next tweet in the thread. You're responding to this tweet out of context.

Quote Tweet

Daniel Micay

@DanielMicay

Jan 26, 2021

Replying to @DanielMicay @VDukhovni and 2 others

You add a TLSA record for the new certificate, then once enough time has passed switch over to it and tell certbot to delete the old certificate. MUAs usually expect a CA issued certificate for the submission ports and don't understand TLSA records so it's useful beyond MTA-STS.

Replying to

If you want to automate key rotation, you can do that. If you want to rotate the private key every week, that's entirely possible. You need to obtain a new certificate with the new private key, add a new TLSA record, wait and then rotate over to using the new certificate.

Replying to

Email servers can't validate each other's certificates based on certificate authorities unless they opt into that via MTA-STS which is a Trust-On-First-Use system like HSTS without support for preloading. It also still depends on DNS security, as do certificates from CAs.

Replying to

Don't need to rotate the key based on the Let's Encrypt schedule where you renew every 60 days and certificates expire after 90 days. Once you remove the previous TLSA record after rotation, prior certificates won't pass DANE verification. You could do it way more frequently.

Replying to

If you automate handling key rotation, which requires rotating the pins, then you can determine the rate that it happens. The Let's Encrypt rate limit is quite high although you would want to leave yourself leeway rather than using all of it as part of regular usage.

Replying to

If you don't use --reuse-key, then it's going to immediately start using the new key immediately and your TLSA pin will be broken. DNS records are cached based on their TTL and there will be a window of breakage based on TTL even if you add a certbot hook to update the record.

Replying to

and

Does certbot or friends have a hook for e.g. nsupdate?

Replying to

and

certbot supports arbitrary hooks which I personally use for github.com/tomwassenberg/ to have reliable OCSP Must-Staple with nginx. Could make a little script to generate a TLSA record and set it for the DNS server. I haven't implemented automation for key rotation myself.

Replying to

At the moment, to do a key rotation, I set the TTL for the TLSA records to 1 minute, wait, disable reuse_key, renew, add a new TLSA record, wait, then reload the server configuration. Our mail server is low traffic with a couple internal users and attestation.app/about alerts.

attestation.app

Auditor overview

Overview of the Auditor Android app and associated service.

Replying to

I don't have it automated because it's tricky to fit it into the way that certbot works right now. It would be nice if someone got a robust approach implemented that I could reuse, similar to that scripting for using OCSP Must-Staple with certbot and nginx. I don't have time.

Replying to

It doesn't fit into the way that hooks work right now. You need to use --cert-name to get a 2nd certificate to avoid certbot replacing the existing one. So, you would need to make scripting around certbot rather than within the existing framework it has for calling hooks.

6:32 PM · Jan 26, 2021Twitter Web App