[Yeti DNS Discuss] A public Yeti DNS resolver (but with TLS)
Shane Kerr
shane at biigroup.cn
Thu Jan 5 10:44:05 UTC 2017
Stephane,
At 2017-01-05 10:47:30 +0100
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Jan 05, 2017 at 09:32:04AM +1100,
> Geoff Huston <gih at apnic.net> wrote
> a message of 30 lines which said:
>
> > You should be aware that certbot renew will generate a new private
> > key when it renews your certificate.
> >
> > If you are using DANE this has some implications about the TLSA
> > record and you will need some local scripting to essentially perform
> > a key roll.
>
> Or if you are using key pinning (which is the only authentication
> currently documented in a RFC for DNS-over-TLS) :-(
>
> The more I use Let's Encrypt, the more I regret CAcert. I don't find
> an option in certbot to keep my keys.
According to the FAQ it is possible:
https://certbot.eff.org/faq/#can-i-use-an-existing-private-key-or-certificate-signing-request-csr-with-certbot
But it doesn't document how to do that in the FAQ. :(
It looks like this might be the option:
  --key-path KEY_PATH   Path to private key for cert installation or
                        revocation (if account key is missing) (default: None)
But I haven't tried it.
Cheers,
--
Shane
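The thread turns on one operational fact: if a renewal produces a new private key, the DANE TLSA record (and any SPKI pin a DNS-over-TLS client holds) stops matching the moment the new certificate is deployed, and the help text quoted above ties --key-path to installation and revocation rather than to issuance, so it is worth checking after every renewal whether the key actually survived. The script below is an added example, not code from the thread, from certbot or from the Yeti project: it derives the TLSA "3 1 1" digest and the RFC 7858 base64 SPKI pin from a certificate (or directly from the key you intend to keep), and reports whether a renewed certificate still matches the digest you have published. The host name dns.example, the file names and the self-signed certificates are assumptions standing in for a Let's Encrypt lineage; only the public key matters for the digest, so the result is the same.

```shell
#!/bin/sh
# Added example (not from the thread): DANE TLSA 3 1 1 and RFC 7858 SPKI pin
# derivation, plus a check for whether a renewal rolled the key.
# dns.example and the file names are illustrative assumptions.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo, lowercase hex: the payload of a
# TLSA record with usage 3 (DANE-EE), selector 1 (SPKI), matching type 1.
spki_sha256_hex() {
    # $1 = certificate PEM
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -hex \
        | awk '{ print $NF }'
}

# Same digest from the private key alone, so the record you publish can be
# checked against the key you intend to keep across renewals.
key_sha256_hex() {
    # $1 = private key PEM
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -hex \
        | awk '{ print $NF }'
}

# The same digest base64-encoded, the form in which DNS-over-TLS clients pin
# a resolver's SPKI (RFC 7858, section 4.2).
spki_pin_base64() {
    # $1 = certificate PEM
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Zone line for a resolver serving DNS-over-TLS on port 853.
tlsa_record() {
    # $1 = certificate PEM, $2 = resolver host name
    printf '_853._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(spki_sha256_hex "$1")"
}

# Succeeds (exit 0) when the published digest no longer matches the renewed
# certificate, i.e. the renewal rolled the key and a TLSA/pin roll is due.
key_rolled() {
    # $1 = hex digest currently published in DNS, $2 = renewed certificate PEM
    [ "$1" != "$(spki_sha256_hex "$2")" ]
}

# Generate a fresh P-256 key at $1 (what a key-rolling renewal does).
new_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# Issue a self-signed certificate for name $2 from key $1 into $3; a stand-in
# for a CA issuance, since only the public key feeds the digest.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=$2" -days 1 -out "$3" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    host=dns.example
    new_key "$dir/k1.pem"
    issue_cert "$dir/k1.pem" "$host" "$dir/c1.pem"
    published=$(spki_sha256_hex "$dir/c1.pem")
    echo "published record:"
    tlsa_record "$dir/c1.pem" "$host"
    echo "client pin: $(spki_pin_base64 "$dir/c1.pem")"
    # Renewal that keeps the key: the published record is still valid.
    issue_cert "$dir/k1.pem" "$host" "$dir/c2.pem"
    if key_rolled "$published" "$dir/c2.pem"; then
        echo "c2: key rolled"
    else
        echo "c2: key kept, published TLSA still matches"
    fi
    # Renewal that generates a new key: the record must be rolled.
    new_key "$dir/k3.pem"
    issue_cert "$dir/k3.pem" "$host" "$dir/c3.pem"
    if key_rolled "$published" "$dir/c3.pem"; then
        echo "c3: key rolled, new record to publish before deploying c3:"
        tlsa_record "$dir/c3.pem" "$host"
    fi
    rm -rf "$dir"
}

demo
```

When key_rolled reports a change, the safe order is the usual DANE roll: publish the new TLSA record alongside the old one, wait at least the record's TTL so caches have both, and only then switch the listener to the new certificate; pinning clients need the new pin distributed in the same window.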