If you want to automate key rotation, you can do that. If you want to rotate the private key every week, that's entirely possible. You need to obtain a new certificate with the new private key, add a new TLSA record, wait and then rotate over to using the new certificate.
Email servers can't validate each other's certificates based on certificate authorities unless they opt into that via MTA-STS which is a Trust-On-First-Use system like HSTS without support for preloading. It also still depends on DNS security, as do certificates from CAs.
2
Don't need to rotate the key based on the Let's Encrypt schedule where you renew every 60 days and certificates expire after 90 days. Once you remove the previous TLSA record after rotation, prior certificates won't pass DANE verification. You could do it way more frequently.
1
If you automate handling key rotation, which requires rotating the pins, then you can determine the rate that it happens. The Let's Encrypt rate limit is quite high although you would want to leave yourself leeway rather than using all of it as part of regular usage.
1
If you don't use --reuse-key, then it's going to start using the new key immediately and your TLSA pin will be broken. DNS records are cached based on their TTL and there will be a window of breakage based on TTL even if you add a certbot hook to update the record.
1
1
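The rollover order described in the replies above (obtain the new key, publish its TLSA record next to the old one, wait out the TTL, switch, then retire the old record) and the TTL breakage window are easy to get wrong by hand. The following is an added example written for this page, not code from any of the posters: it implements DANE-EE (usage 3) matching of TLSA records against a presented key and runs the rollover against a simulated caching resolver. The SPKI values are constructed placeholder bytes, not real DER; everything else (resolver model, timings) is an assumption of the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real ones
# come from `openssl x509 -pubkey | openssl pkey -pubin -outform DER`.
OLD_SPKI = b"constructed-old-spki-der"
NEW_SPKI = b"constructed-new-spki-der"


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE (pin the end-entity key), the usage discussed here
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_for(spki_der: bytes) -> TLSA:
    """The '3 1 1' record that pins a key by SHA-256 of its SPKI."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


def tlsa_rdata(rec: TLSA) -> str:
    """Presentation format, as you would paste into a zone file."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def tlsa_matches(rec: TLSA, spki_der: bytes, cert_der: bytes = b"") -> bool:
    """Does one record match the key (selector 1) or certificate (selector 0) presented?"""
    obj = spki_der if rec.selector == 1 else cert_der
    if rec.mtype == 0:
        digest = obj
    elif rec.mtype == 1:
        digest = hashlib.sha256(obj).digest()
    elif rec.mtype == 2:
        digest = hashlib.sha512(obj).digest()
    else:
        return False        # unknown matching type: the record is unusable
    return digest == rec.data


def dane_accepts(records, spki_der: bytes, cert_der: bytes = b"") -> bool:
    """DANE-EE acceptance: any usage-3 record matching the presented key is enough.
    Usages 0/1/2 need chain validation and are deliberately not modelled here."""
    return any(r.usage == 3 and tlsa_matches(r, spki_der, cert_der) for r in records)


class CachedResolver:
    """A resolver that re-fetches the TLSA RRset only once its cached copy's TTL has elapsed."""

    def __init__(self, ttl: int):
        self.ttl = ttl
        self.cached = None
        self.fetched_at = None

    def lookup(self, now: int, authoritative) -> frozenset:
        if self.cached is None or now - self.fetched_at >= self.ttl:
            self.cached = frozenset(authoritative)
            self.fetched_at = now
        return self.cached


def simulate_rollover(ttl: int, switch_after: int,
                      old_spki: bytes = OLD_SPKI, new_spki: bytes = NEW_SPKI):
    """Return (new key accepted at switch time, old key still accepted after cleanup)."""
    resolver = CachedResolver(ttl)
    zone = [tlsa_for(old_spki)]
    resolver.lookup(0, zone)                    # a peer cached the old RRset at t=0
    zone.append(tlsa_for(new_spki))             # step 1: publish the new pin beside the old one
    seen = resolver.lookup(switch_after, zone)  # step 2: server starts presenting the new key
    new_ok = dane_accepts(seen, new_spki)       # breaks if the peer still holds the old RRset
    zone.remove(tlsa_for(old_spki))             # step 3: retire the old pin
    later = resolver.lookup(switch_after + ttl, zone)
    old_ok = dane_accepts(later, old_spki)      # once caches refresh, the old key is rejected
    return new_ok, old_ok


if __name__ == "__main__":
    print("switch after 10 min, TTL 1 h:", simulate_rollover(3600, 600))   # (False, False)
    print("switch after 1 h,   TTL 1 h:", simulate_rollover(3600, 3600))   # (True, False)
```

Switching before the TTL has run out is exactly the breakage window the thread describes: the peer still validates against the cached old-only RRset. The second result also shows the point about Let's Encrypt schedules: once the old record is gone and caches have expired, the previous key no longer passes, regardless of how long its certificate remains valid. In production, wait at least the TTL plus however long your secondaries take to pick up the zone change.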
Does certbot or friends have a hook for e.g. nsupdate?
2
AVOID certbot hooks. They're *unreliable*, certbot will keep going whether the hooks succeed or fail.
Instead of running custom code via certbot hooks, wrap certbot in a script that performs appropriate pre and post actions *reliably*.
1
Yeah, ideally, someone would implement a script for doing rotations robustly via --cert-name so that certbot doesn't replace the live certificate. The OCSP stapling hook only works because nginx doesn't start using the new certificate until it's told to reload the configuration.
1
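A wrapper of the kind the last two replies ask for, written as an added example for this page and not any poster's own script: it drives certbot under a separate --cert-name so the lineage Postfix is serving from is never replaced behind its back, checks every step's exit status itself rather than trusting a hook, publishes the new TLSA record, waits out the TTL, only then copies the new key into place and reloads Postfix, and finally deletes the old record. The nameserver, zone, TSIG key path, webroot and Postfix deployment directory are hypothetical values to be replaced; the openssl, nsupdate, certbot and postfix invocations are standard ones.

```python
#!/usr/bin/env python3
"""Rotate a DANE-pinned Postfix key with certbot, doing the TLSA work around
certbot instead of inside certbot hooks (whose failures certbot does not act on)."""
import hashlib
import shutil
import subprocess
import time
from pathlib import Path

# Hypothetical deployment values (assumptions of this example; adjust for the real host).
DNS_SERVER = "ns1.example.net"             # nameserver accepting dynamic updates
ZONE = "example.com"
TSIG_KEY = Path("/etc/bind/tsig.key")      # key file handed to `nsupdate -k`
TLSA_NAME = "_25._tcp.mail.example.com."
TLSA_TTL = 3600
DOMAIN = "mail.example.com"
WEBROOT = Path("/var/www/html")            # for certbot's webroot authenticator
CERT_NAME = "mail-next"                    # separate lineage: certbot never touches the live one
LIVE_DIR = Path("/etc/letsencrypt/live") / CERT_NAME
DEPLOY_DIR = Path("/etc/postfix/tls")      # where main.cf's smtpd_tls_*_file settings point


def run(cmd, stdin: bytes = b"") -> bytes:
    """Run a command, abort on non-zero exit (check=True), return its stdout."""
    return subprocess.run(cmd, input=stdin, check=True, capture_output=True).stdout


def spki_digest(cert_pem: Path) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo: the data field of a '3 1 1' record."""
    pub = run(["openssl", "x509", "-in", str(cert_pem), "-noout", "-pubkey"])
    der = run(["openssl", "pkey", "-pubin", "-outform", "DER"], pub)
    return hashlib.sha256(der).hexdigest()


def nsupdate_script(action: str, digest_hex: str) -> str:
    """Build an nsupdate batch that adds or deletes one '3 1 1' TLSA record."""
    if action not in ("add", "delete"):
        raise ValueError(f"unsupported action {action!r}")
    ttl = f" {TLSA_TTL}" if action == "add" else ""
    return (f"server {DNS_SERVER}\n"
            f"zone {ZONE}\n"
            f"update {action} {TLSA_NAME}{ttl} IN TLSA 3 1 1 {digest_hex}\n"
            "send\n")


def update_dns(action: str, digest_hex: str) -> None:
    run(["nsupdate", "-k", str(TSIG_KEY)], nsupdate_script(action, digest_hex).encode())


def obtain_new_certificate() -> None:
    """Renew the '-next' lineage. Without --reuse-key certbot generates a fresh key,
    which is the whole point of a rotation; add --reuse-key to keep the pin stable."""
    run(["certbot", "certonly", "--non-interactive", "--cert-name", CERT_NAME,
         "--webroot", "-w", str(WEBROOT), "-d", DOMAIN])


def rotate() -> None:
    obtain_new_certificate()                           # step 1: new cert, new key, live dir untouched
    new_digest = spki_digest(LIVE_DIR / "cert.pem")
    deployed = DEPLOY_DIR / "cert.pem"
    old_digest = spki_digest(deployed) if deployed.exists() else None
    key_changed = new_digest != old_digest
    if key_changed:
        update_dns("add", new_digest)                  # step 2: publish the new pin beside the old
        time.sleep(TLSA_TTL)                           # step 3: let cached old-only RRsets expire
    DEPLOY_DIR.mkdir(parents=True, exist_ok=True)
    for name in ("fullchain.pem", "privkey.pem", "cert.pem"):
        shutil.copy2(LIVE_DIR / name, DEPLOY_DIR / name)  # follows certbot's symlinks
    run(["postfix", "reload"])                         # step 4: start presenting the new key
    if key_changed and old_digest is not None:
        update_dns("delete", old_digest)               # step 5: retire the old pin


if __name__ == "__main__":
    rotate()
```

Because every external command goes through `run()` with `check=True`, any failure (certbot, openssl, nsupdate, postfix) raises before the next step, so a failed DNS update can never be followed by a key swap; that is the reliability property hooks do not give you. The sleep is the minimum: add whatever margin your secondaries need to serve the updated RRset.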
In theory, the OCSP server could be unavailable right after getting a new certificate, and then you'd have downtime for clients enforcing Must-Staple. It's not something I have to worry about though. We don't have anything close to a high availability setup with failover, etc.
1
Postfix does not support (ignores) OCSP, so not a risk there. Exim may optionally support it, but OCSP is silly with DANE, just change your TLSA RRs if the previous key is compromised.
1
Yeah, just talking about what I currently use the certbot hooks to do with web servers. I do have TLSA records for HTTPS but it's useless in practice since nothing uses it.