dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License
5.96k stars 716 forks

Phase in key rollover #920

Open Zash opened 10 months ago

Zash commented 10 months ago

Hi and thanks a lot for dehydrated!

I'm looking into enabling private key renewal for my email and XMPP, where I have DANE TLSA records deployed. Since these must be published to DNS before the new private key is used, I would also like to use the rollover feature.

Based on my reading of

https://github.com/dehydrated-io/dehydrated/blob/e3ef43c816f73d443f32410862d9253d35cf3f99/dehydrated#L1458-L1472

if you go from PRIVATE_KEY_ROLLOVER="no" and PRIVATE_KEY_RENEW="no" to both yes, dehydrated will not use the old key one last time, but throw it away and generate both a new key for immediate use and a rollover key.

It would be more convenient if, when rollover+renew is enabled and there is no rollover key, dehydrated generated only the rollover key and kept using the old key until the next renewal.

Possible workarounds include preemptively generating new rollover keys or delaying deployment of new keys and certificates until after new TLSA records have been published to DNS (and some time for caches to expire).
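The concern in this issue is that the TLSA record for a new key has to be in DNS before that key goes into service. The following added example (not part of this issue and not dehydrated's own code) computes the `3 1 1` association data (DANE-EE, SubjectPublicKeyInfo, SHA-256, as in RFC 6698/7671) for a public key and checks that both the key currently in use and the rollover key are covered by the published RRset before switching. It assumes the public key has already been extracted to PEM (for example with `openssl pkey -in rollover-key.pem -pubout`); the owner name and the PEM bodies in the block are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# TLSA parameters for the common DANE-EE / SPKI / SHA-256 deployment:
# certificate usage 3, selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
TLSA_USAGE, TLSA_SELECTOR, TLSA_MATCHING = 3, 1, 1


def pem_to_der(pem):
    """Strip the PEM armour of the first block and return its DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_digest(spki_der):
    """Association data for a '3 1 1' record: SHA-256 over the DER SPKI, lowercase hex."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_rr(owner, spki_der):
    """Render the zone-file line that has to be published for this public key."""
    return "%s IN TLSA %d %d %d %s" % (
        owner, TLSA_USAGE, TLSA_SELECTOR, TLSA_MATCHING, tlsa_digest(spki_der))


def parse_tlsa_rrset(rrset):
    """Collect the digests of the '3 1 1' records in a published RRset.

    Each entry is a zone-file style line: owner [ttl] [class] TLSA usage selector mtype digest.
    Records with other parameters are ignored rather than treated as matches.
    """
    digests = set()
    for line in rrset:
        parts = line.split()
        if "TLSA" not in parts:
            continue
        i = parts.index("TLSA")
        fields = parts[i + 1:i + 5]
        if len(fields) != 4:
            continue
        usage, selector, mtype, digest = fields
        if (int(usage), int(selector), int(mtype)) == (TLSA_USAGE, TLSA_SELECTOR, TLSA_MATCHING):
            digests.add(digest.lower())
    return digests


def safe_to_switch(published, current_spki, rollover_spki):
    """Switching keys is safe only while both the key in use and the key about to be
    used have records in DNS, so a validating client accepts either during the overlap."""
    needed = {tlsa_digest(current_spki), tlsa_digest(rollover_spki)}
    return needed <= published


if __name__ == "__main__":
    # Constructed placeholders: these are not real SPKIs, only PEM-wrapped bytes
    # used to show the flow end to end.
    current_pem = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"
    rollover_pem = "-----BEGIN PUBLIC KEY-----\nZGVm\n-----END PUBLIC KEY-----\n"
    owner = "_25._tcp.mail.example.net."  # placeholder owner name
    current, rollover = pem_to_der(current_pem), pem_to_der(rollover_pem)

    # What is in DNS today: only the current key's record.
    zone = [tlsa_rr(owner, current)]
    print("safe to switch now?", safe_to_switch(parse_tlsa_rrset(zone), current, rollover))

    # Publish the rollover key's record first (and wait out the old TTL), then re-check.
    zone.append(tlsa_rr(owner, rollover))
    print("record to add:", zone[-1])
    print("safe to switch after publishing?", safe_to_switch(parse_tlsa_rrset(zone), current, rollover))
```

In practice the published RRset would come from a resolver query against the live zone rather than from a list in memory, and the check should only pass once the new record has been visible for at least the TTL of the old RRset, which is the waiting period the workaround in the issue refers to.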