3 Sep 2019, 1:35 p.m.
Carsten Schiefner <carsten@schiefner.de> writes:
> The tricky bit, however, comes if you want to use this very certificate in a TLSA RR as well: all of a sudden the RR points to a non-existing certificate when Letsencrypt's cron job has flipped the certificate.
> I haven't yet really gotten my head around it - but maybe the NCC could and would?! 8-)

You can renew Let's Encrypt certificates without changing the key. And if you use the recommended 3 1 1 TLSA records, then you don't have to change it unless the key is changed.

Bjørn
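
Added example, not part of the original thread: a shell sketch showing why a 3 1 1 TLSA record survives a renewal that keeps the key, while a record over the full certificate (3 0 1) does not. The host name `mail.example.org`, port 25 and the two self-signed certificates standing in for "before" and "after" renewal are constructed assumptions.

```shell
#!/bin/sh
# Constructed demo: one key, two self-signed certificates standing in for
# the certificate before and after a renewal that keeps the same key.

# TLSA "3 1 1" data: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# TLSA "3 0 1" data: SHA-256 over the whole DER-encoded certificate.
tlsa_301() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Create key.pem, old.pem and new.pem in directory $1 (all constructed).
make_demo_certs() {
    dir=$1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/key.pem" 2>/dev/null
    for n in 1 2; do
        [ "$n" = 1 ] && name=old || name=new
        openssl req -new -x509 -key "$dir/key.pem" \
            -subj "/CN=mail.example.org" -days 90 -set_serial "$n" \
            -out "$dir/$name.pem"
    done
}

tmp=$(mktemp -d)
make_demo_certs "$tmp"
for c in old new; do
    # The 3 1 1 line is identical for both certificates; the 3 0 1 line differs.
    echo "$c: _25._tcp.mail.example.org. IN TLSA 3 1 1 $(tlsa_311 "$tmp/$c.pem")"
    echo "$c: _25._tcp.mail.example.org. IN TLSA 3 0 1 $(tlsa_301 "$tmp/$c.pem")"
done
rm -rf "$tmp"
```

If the ACME client is certbot, its `--reuse-key` option keeps the existing key across renewals, which is the condition under which the published 3 1 1 record stays valid.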