LetsEncrypt is changing their certs
Viktor Dukhovni mentioned on dane-users that LetsEncrypt is rotating their intermediates.
This might affect torproject.org HTTPS hosts that have key pins in Chrome's static pin list.
```json
{
  "name": "tor",
  "static_spki_hashes": [
    "RapidSSL",
    "DigiCertEVRoot",
    "Tor1",
    "Tor2",
    "Tor3",
    "LetsEncryptAuthorityPrimary_X1_X3",
    "LetsEncryptAuthorityBackup_X2_X4"
  ]
},
{ "name": "torproject.org", "policy": "custom", "mode": "force-https", "pins": "tor" },
{ "name": "blog.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
{ "name": "check.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
{ "name": "www.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
{ "name": "dist.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
```
We should verify whether that needs to be updated, and if so, to what.
We should also check whether Firefox just copies the Chrome pins, is not affected, or also needs updating.
Todo list:

- Chrome HSTS preload list
- Firefox HSTS preload list
- DANE (TLSA) records (clear: we use "3 1 1" records)
- CAA records (N/A)
- HPKP records (N/A, disabled in #33592 (closed))
- check that we'll follow the cert chain change in the letsencrypt renewal code? (we just take whatever cert let's encrypt gives us, so no change required here)
- renew certs before the switch so we have an extra 90 days grace period?
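To make the difference between the two checks above concrete (why the Chrome pins for the `tor` set may break when an intermediate rotates, while "3 1 1" TLSA records are unaffected), here is an added worked example; it is not part of this issue or of any Tor or Let's Encrypt code. It computes the two hash forms from a certificate's DER SubjectPublicKeyInfo with the standard library only: Chrome static pins and HPKP use base64(SHA-256(SPKI)), DANE-EE "3 1 1" uses hex SHA-256 of the end-entity SPKI. The certificates are constructed skeletons with placeholder fields (no real keys or signatures), the `fake_spki`/`fake_cert`/`demo` helpers are hypothetical, and the assumption is that for a Let's Encrypt-issued chain the only entries in the `tor` pin set that can match are the X3/X4 intermediate pins, so the example's pin set holds just those two.

```python
import base64
import hashlib

# --- minimal DER helpers: enough to walk the outer structure of a certificate ---

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (tag, definite length, value)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_next(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, end) where end is the offset after it."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete DER SubjectPublicKeyInfo (tag and length included) of a certificate."""
    _, cert_body, _ = der_next(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_next(cert_body, 0)        # TBSCertificate ::= SEQUENCE
    pos = 0
    tag, _, end = der_next(tbs, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_next(tbs, pos)
    start = pos
    _, _, end = der_next(tbs, pos)            # subjectPublicKeyInfo
    return tbs[start:end]


def chrome_pin(spki_der: bytes) -> str:
    """Chrome static pin / HPKP pin form: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def tlsa_3_1_1(spki_der: bytes) -> str:
    """DANE-EE TLSA '3 1 1' association data: hex SHA-256 of the end-entity cert's DER SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


def chain_matches_pins(chain_der: list, pins: set) -> bool:
    """Pin check as Chrome static pins / HPKP apply it: some certificate in the
    validated chain must carry an SPKI whose hash is in the pin set."""
    return any(chrome_pin(extract_spki(c)) in pins for c in chain_der)


# --- constructed fixtures (hypothetical; not real certificates or keys) ---

def fake_spki(seed: bytes) -> bytes:
    """Constructed SPKI: rsaEncryption AlgorithmIdentifier plus a dummy BIT STRING."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
    alg = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
    key = der_tlv(0x03, b"\x00" + hashlib.sha256(seed).digest())
    return der_tlv(0x30, alg + key)


def fake_cert(spki: bytes) -> bytes:
    """Constructed certificate skeleton with the field order of a real X.509 v3 cert.
    Name/Validity/signature contents are placeholders; only the layout matters here."""
    placeholder = der_tlv(0x30, der_tlv(0x0C, b"placeholder"))
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02")) +   # version v3
        der_tlv(0x02, b"\x01") +                    # serialNumber
        placeholder +                               # signature AlgorithmIdentifier
        placeholder +                               # issuer
        placeholder +                               # validity
        placeholder +                               # subject
        spki)                                       # subjectPublicKeyInfo
    sig = der_tlv(0x03, b"\x00" * 33)               # placeholder signature
    return der_tlv(0x30, tbs + placeholder + sig)


def demo() -> dict:
    """Same leaf key, old intermediate (X3) vs. a rotated intermediate (R3, constructed name)."""
    leaf, x3, x4, r3 = (fake_spki(s) for s in (b"leaf", b"X3", b"X4", b"R3"))
    pins = {chrome_pin(x3), chrome_pin(x4)}         # assumed matching entries of the "tor" set
    old_chain = [fake_cert(leaf), fake_cert(x3)]    # chain issued under the pinned intermediate
    new_chain = [fake_cert(leaf), fake_cert(r3)]    # same leaf key, rotated intermediate
    return {
        "old_chain_ok": chain_matches_pins(old_chain, pins),
        "new_chain_ok": chain_matches_pins(new_chain, pins),
        "tlsa_unchanged": tlsa_3_1_1(extract_spki(old_chain[0]))
                          == tlsa_3_1_1(extract_spki(new_chain[0])),
    }


if __name__ == "__main__":
    print(demo())   # the pinned chain passes, the rotated one fails, the TLSA digest is unchanged
```

The result is the situation the issue describes: a browser enforcing the static pin set rejects the rotated chain even though the leaf key never changed, whereas a "3 1 1" record only commits to the leaf SPKI and keeps validating. For a real certificate, `extract_spki` works on the DER from `ssl.PEM_cert_to_DER_cert()` or a `.der` file, so the same two functions can be used to confirm the current pins and TLSA data for a host.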
Edited by anarcat