Hi, I am a new mailcow user and I wanted to ask if the TLSA record is persistent (private key on the server doesn't change) or if I have to renew the record also after every re-issue of LE?
Since the TLSA record is a hash of the certificate, I would say that you really have to renew this record manually every three months when the cert has changed.
theMooMichel I guess that's only true if the keys are also renewed every time. If the keys are kept and just the cert gets renewed, the TLSA record should also be persistent. But I don't know how the ACME container does it; also, I could be wrong…
By default mailcow does not rotate the private key, so setting it once is just fine. I don't recall any further details, but the TLSA record allows you to specify how the certificate is validated in detail (e.g. full, only when the private key changes, etc.).
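An added example, not code from this thread, mailcow or Traefik, to show what "full" versus "only when the private key changes" means for the record: it assumes the openssl CLI on the host, hashes the SubjectPublicKeyInfo (selector 1) and the whole certificate (selector 0), and uses two self-signed certificates issued from one constructed key as a stand-in for two ACME renewals (mail.example.com is a placeholder name).

```shell
#!/bin/sh
# Added example (not from this thread, mailcow or Traefik). Assumes the openssl CLI.
# A DANE TLSA record carries a SHA-256 hash of either the whole certificate (selector 0)
# or only its SubjectPublicKeyInfo (selector 1). With selector 1 the record only changes
# when the private key changes, so an unrotated key survives every ACME re-issue.
set -eu

# TLSA 3 1 1: SHA-256 over the DER-encoded SubjectPublicKeyInfo. $1 = PEM certificate.
tlsa_spki_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# TLSA 3 0 1: SHA-256 over the full DER-encoded certificate. $1 = PEM certificate.
tlsa_cert_hash() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Zone-file line for SMTP on port 25. $1 = hostname, $2 = selector (0 or 1), $3 = hex hash.
tlsa_record() {
  printf '_25._tcp.%s. IN TLSA 3 %s 1 %s\n' "$1" "$2" "$3"
}

# Constructed fixtures: one P-256 key and two self-signed certificates issued from it with
# different lifetimes (stand-in for two ACME renewals). Prints the directory they live in.
make_fixtures() {
  fx=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$fx/key.pem" 2>/dev/null
  for n in 1 2; do
    openssl req -x509 -new -key "$fx/key.pem" -subj "/CN=mail.example.com" \
      -days $((30 * n)) -out "$fx/cert$n.pem" 2>/dev/null
  done
  echo "$fx"
}

# Prints both record variants per certificate: the "3 1 1" line repeats, the "3 0 1" line does not.
demo() {
  d=$(make_fixtures)
  for c in "$d/cert1.pem" "$d/cert2.pem"; do
    tlsa_record mail.example.com 1 "$(tlsa_spki_hash "$c")"
    tlsa_record mail.example.com 0 "$(tlsa_cert_hash "$c")"
  done
  rm -rf "$d"
}

demo
```

Point `tlsa_spki_hash` at the certificate mailcow actually serves to get the value for a "3 1 1" record; re-run it after a renewal and the output should be unchanged as long as the key was kept.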
pkernstock sounds good.
I hope Traefik handles it the same way by not rotating the private key.
Don’t want to manually change the values every three months. 🙂
pkernstock thank you! I hoped so. This is really awesome!
I'd make sure Traefik doesn't rotate it. Maybe there are some configuration options to explicitly set that, just in case.