ACME post-renewal hook to fix TLSA records of jumping intermediate certs

Hey there,

Sometimes Let’s Encrypt appears to randomly switch between its intermediate certs (R10, R11).
Unfortunately, this breaks my TLSA records in the DNS.

Since Let’s Encrypt does not support the selection of the intermediate cert, I see only one possible solution:
Use a post-renewal hook to automatically update the TLSA record. However, I haven’t found any hooks exposed.

Do I need to modify the Dockerfile to introduce the hook into acme.sh myself or is there another way?
Are there other possible solutions for the problem?

Thanks,
neodym


That’s indeed a good solution. Thanks for the suggestion, @accolon!
I do have stable private keys. I forgot that one can have multiple TLSA records.

However, it would still be nice to have an automated solution in case the Let’s Encrypt intermediate gets compromised and has to be replaced.
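Added example, not code from this thread or from acme.sh, showing why the reply's approach works: a usage-3 (DANE-EE) TLSA record pins the SPKI of the stable leaf key and is unaffected when Let’s Encrypt swaps R10 for R11, whereas usage-2 (DANE-TA) records pin each intermediate, so one record per intermediate has to be published. It assumes DER-encoded certificates; the sample certificates are constructed, unsigned stubs, and the DNS owner name is a placeholder.

```python
import hashlib
def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample certs."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def der_tlv(buf, pos=0):
    """Return (tag, header_length, content_length) of the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F
    return tag, 2 + n, first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def der_children(tlv):
    """Split a constructed DER value into its immediate child TLVs."""
    _, pos, length = der_tlv(tlv)
    end, items = pos + length, []
    while pos < end:
        _, h, n = der_tlv(tlv, pos)
        items.append(tlv[pos:pos + h + n])
        pos += h + n
    return items

def spki_of(cert_der):
    """SubjectPublicKeyInfo of a DER X.509 certificate (RFC 5280 field order)."""
    fields = der_children(der_children(cert_der)[0])  # children of tbsCertificate
    # optional [0] version, then serial, signature, issuer, validity, subject, spki
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def tlsa_rdata(cert_der, usage):
    """TLSA rdata '<usage> 1 1 <hex>': selector 1 = SPKI, matching type 1 = SHA-256."""
    return f"{usage} 1 1 {hashlib.sha256(spki_of(cert_der)).hexdigest()}"

def tlsa_records(leaf_der, intermediates_der):
    """DANE-EE (3 1 1) for the stable leaf key plus one DANE-TA (2 1 1) per intermediate."""
    return [tlsa_rdata(leaf_der, 3)] + [tlsa_rdata(c, 2) for c in intermediates_der]

def sample_cert(key_byte):
    """Constructed, unsigned X.509-shaped DER stub; NOT a real certificate."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + der(0x03, b"\x00\x04" + bytes([key_byte]) * 64))  # only the key bytes differ
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # v3, serial 1
              + der(0x30, b"") * 4 + spki)  # empty signature/issuer/validity/subject
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

LEAF, R10, R11 = sample_cert(0x11), sample_cert(0x22), sample_cert(0x33)

if __name__ == "__main__":
    for rr in tlsa_records(LEAF, [R10, R11]):
        print("_25._tcp.mail.example.com. IN TLSA", rr)  # owner name is a placeholder
```

With real certificates, feed the DER bytes of the renewed leaf and of each intermediate in the chain; the leaf's 3 1 1 record stays constant as long as the private key is reused across renewals.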
