ACME post-renewal hook to fix TLSA records of jumping intermediate certs

neodym

Hey there,

Sometimes Let’s Encrypt appears to randomly switch between its intermediate certs (R10, R11).
Unfortunately, this breaks my TLSA records in the DNS.

Since Let’s Encrypt does not support the selection of the intermediate cert, I see only one possible solutions:
Use a post-renewal hook to automatically update the TLSA record. However, I haven’t found any hooks exposed.

Do I need to modify the Dockerfile to introduce the hook into acme.sh myself or is there another way?
Are there other possible solutions for the problem?

Thanks,
neodym

accolon

I added “2 1 1” records for both R10 and R11 (according to this list) in addition to a “3 1 1” record for my server public key.

This way, I don’t have to update the records as long as my public key is stable.

Do you have special requirements to use different TLSA records?

neodym

That’s indeed a good solution. Thanks for the suggestion, @accolon!
I do have stable private keys. I forgot that one can have multiple TLSA records.

However, it would still be nice to have an automated solution in case the Let’s Encrypt intermediate gets compromised and has to be replaced.