ACME post-renewal hook to fix TLSA records of jumping intermediate certs

Nneodym · Aug 15, 2024

Hey there,

Sometimes Let’s Encrypt appears to randomly switch between its intermediate certs

Let's Encrypt Community Support

Force use of R10 or R11 intermediate CA

Is complaining to the vendor/developer of this software not an option?

(R10, R11).
Unfortunately, this breaks my TLSA records in the DNS.

Since Let’s Encrypt does not support the selection of the intermediate cert, I see only one possible solutions:
Use a post-renewal hook to automatically update the TLSA record. However, I haven’t found any hooks exposed.

Do I need to modify the Dockerfile to introduce the hook into acme.sh myself or is there another way?
Are there other possible solutions for the problem?

Thanks,
neodym

Aaccolon · Aug 15, 2024

I added “2 1 1” records for both R10 and R11 (according to this list

dnssec-stats.ant.isi.edu

https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

No preview could be generated for this link

) in addition to a “3 1 1” record for my server public key.

This way, I don’t have to update the records as long as my public key is stable.

Do you have special requirements to use different TLSA records?

Nneodym · Aug 16, 2024

That’s indeed a good solution. Thanks for the suggestion, @accolon!
I do have stable private keys. I forgot that one can have multiple TLSA records.

However, it would still be nice to have an automated solution in case the Let’s Encrypt intermediate gets compromised and has to be replaced.