Do i have to re-set TLSA records every 3months (or 60days)?

hndrk

Hi, am a new mailcow user and i wanted to ask if the TLSA record is persistent (priv key on server doesnt change) or i have to renew the record also after every re-issue of LE?

theMooMichel

Since the TLSA record is a hash of the certificat I would say that you really have to renew this record manually every three months when the cert has changed.

hndrk

theMooMichel i guess thats only true if the keys are also renewed every time. if the keys are kept and just the cert gets renewed the TLSA record should also be persistant. but idk how the ACME Container does it, also i could be wrong…

pkernstock

By default mailcow does no rotate the private key, so only setting it once is just fine. I don’t recall any further details but the TLSA records allows you to specify how the certificate is validated in detail (e.g. full, only when private key changes, etc)

theMooMichel

pkernstock sounds good.
I hope traefik handles it the same way by not rotating the private key.
Don’t want to manually change the values every three months. 🙂

hndrk

pkernstock thank you! I hoped so. This is really awesome!

pkernstock

I’d make sure Traefik doesn’t rotate it. Maybe there’re some configuration options to explicitly set that, just in case.