Let’s Encrypt - keep the key for renewed certificates?

hk@

Hi,
in order to be able to pin a TLS connection on the receiving end of PMG it would be great to be able to set the ACME cert renewal to keep the private key during renewals.

thank you in advance
hk
 
Hi,
same issue here. Would like to pin the private key. On Ubuntu you can do it by editing /etc/letsencrypt/cli.ini and add
reuse-key = true
to the config.
In this way my TLSA DNS records don't need to be changed every 90 days.

Is there a way to do it on PMG?
 
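As an added illustration of the TLSA point above (not code from the thread or from PMG), the following shell script simulates two renewals with self-signed certificates and shows which TLSA records survive: with the key reused, a "3 1 1" record (SHA-256 over the SubjectPublicKeyInfo) stays valid, while a "3 0 1" record (SHA-256 over the whole certificate) still breaks, and a fresh key breaks both. It assumes the openssl CLI is installed; the hostname mail.example.test is constructed.

```shell
#!/bin/sh
# Added example: derive DANE TLSA record data from certificates and check
# which records survive a renewal. Self-signed certs stand in for ACME issuance.
set -e

# TLSA "3 1 1": SHA-256 over the DER SubjectPublicKeyInfo (selector 1 = SPKI).
tlsa_3_1_1() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# TLSA "3 0 1": SHA-256 over the whole DER certificate (selector 0 = full cert).
tlsa_3_0_1() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Issue a 90-day self-signed certificate for key $1 into $2 (simulated issuance).
issue_cert() {
  openssl req -x509 -new -key "$1" -subj "/CN=mail.example.test" \
    -days 90 -out "$2" 2>/dev/null
}

# Print yes/no depending on whether two TLSA digests are identical.
same() { [ "$1" = "$2" ] && echo yes || echo no; }

# Run the scenarios and print three words:
#  1. reused key, "3 1 1" record still valid?
#  2. reused key, "3 0 1" record still valid?
#  3. fresh key,  "3 1 1" record still valid?
simulate_renewals() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/k1.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/k2.pem" 2>/dev/null
  issue_cert "$dir/k1.pem" "$dir/c1.pem"   # initial certificate
  issue_cert "$dir/k1.pem" "$dir/c2.pem"   # renewal with the key reused (reuse-key = true)
  issue_cert "$dir/k2.pem" "$dir/c3.pem"   # renewal with a freshly generated key
  printf '%s %s %s\n' \
    "$(same "$(tlsa_3_1_1 "$dir/c1.pem")" "$(tlsa_3_1_1 "$dir/c2.pem")")" \
    "$(same "$(tlsa_3_0_1 "$dir/c1.pem")" "$(tlsa_3_0_1 "$dir/c2.pem")")" \
    "$(same "$(tlsa_3_1_1 "$dir/c1.pem")" "$(tlsa_3_1_1 "$dir/c3.pem")")"
  rm -rf "$dir"
}

simulate_renewals   # prints: yes no no
```

Only a selector-1 record combined with key reuse keeps the DNS stable across renewals; selector-0 records have to be republished every 90 days regardless.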
Haven't verified it explicitly - but I think that the ACME implementation in PMG and PVE does reuse the key in general.
Just try it out.
 
Hi,
on my last cert renewal the key has changed. My TLSA records were not valid anymore. :-(
Can you please check this also on your side, just to be safe.

Thanks Jochen
 
Can you please check this also on your side, just to be safe.
Sorry - my mistake! The key gets generated every time a certificate is ordered:

https://git.proxmox.com/?p=proxmox-...=ac1f71eddb6564dc56110eb1a713a92809318525#l35

You could consider switching over to pinning the CA for verification (certificate usage 0 according to https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities).

Otherwise you can use another ACME client which keeps the key for renewals.

I hope this helps!
 
Would be nice if the key regeneration could be configured in PMG. (true/false).
Specifying 0 for the certificate usage would lower the security, as this would also allow other certificates issued from e.g. Let's Encrypt. As the market share of Let's Encrypt certificates is very high this doesn't make sense for me (maybe if you use your own trusted CA).
I would prefer the PMG builtin ACME client for convenience. ;-)

Thanks for your support.
 
Specifying 0 for the certificate usage would lower the security
Some would argue that reusing the certificate key for a very long time also lowers the security.

To my knowledge DANE never got too much traction and is not widely used (luckily I think that TLS for SMTP finally is supported for a large part of the mail-traffic).

I can see your point - if you want feel free to open an enhancement request over at https://bugzilla.proxmox.com - then others who also want this can say so there - but as it currently stands I would not consider this a priority for implementation.
 