Sylvain, all - On 03.09.2019 13:12, Sylvain BAYA wrote:
[...]
...i can add this : if there is a technical issue (not impossible) in using LE certs the same way the actual solution is used on RIPE Anchors, then perhaps, preferably, RIPE *should* contribute to fund whatever necessary to solve the problem on LE side or internally.
indeed there is: one way to use Letsencrypt certificates is to have them automagically renewd every 90 days or so. This works like a charm on my host. The tricky bit, however, comes if you want to use this very certificate in a TLSA RR as well: all of a sudden the RR points to a non-existing certificate when Letsencrypt's cron job has flipped the certificate. I haven't yet really gotten my head around it - but maybe the NCC could and would?! 8-) Chers, -C.