Prerequisites
[X] I have searched open and closed issues to make sure that the bug has not yet been reported.
Bug report
Describe the bug
The public key hash specified in the TLSA records does not correspond to the certificate currently used for TLS. The pinned public key hash is the Subject Public Key Info (SPKI) hash of the Let's Encrypt R3 and R4 intermediates. However, as of June this year, Let's Encrypt has rotated their signing intermediate certificate, and the signing intermediate is no longer R3 or R4. Read the Let's Encrypt blog post here.
Expected behavior
Update the TLSA record each time a new certificate is issued, or pin the SPKI hash of the Let's Encrypt root certificate. simplelogin.io is not the only domain affected; other SimpleLogin domains have the same issue.
Screenshots
See the test results here
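The mismatch described in this report can be checked offline by hashing the SPKI of each certificate in the served chain and comparing it with the TLSA data. The sketch below is an added example, not code from the issue or from the SimpleLogin project. It assumes `2 1 1` records (DANE-TA, SPKI selector, SHA-256), which the report does not state, treats usage 2 as matching issuer certificates only, and uses hypothetical function names with constructed skeleton certificates in place of real Let's Encrypt data.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 over the whole SubjectPublicKeyInfo TLV (TLSA selector 1, matching type 1)."""
    _, start, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, start)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] version field
        pos = end
    for _ in range(5):                         # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)        # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def matching_records(tlsa_records, chain_der):
    """Return the (usage, selector, mtype, hex) records satisfied by a leaf-first chain."""
    hits = []
    for usage, selector, mtype, data in tlsa_records:
        if (selector, mtype) != (1, 1) or usage not in (2, 3):
            continue                           # only SPKI/SHA-256 pins are handled here
        candidates = chain_der[:1] if usage == 3 else chain_der[1:]
        if any(spki_sha256(c) == data.lower() for c in candidates):
            hits.append((usage, selector, mtype, data))
    return hits

def der(tag, value):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def fake_cert(key):
    """Constructed certificate skeleton: correct field order, placeholder contents."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    fields = [der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [spki]
    return der(0x30, der(0x30, b"".join(fields)) + der(0x30, b"") + der(0x03, b"\x00"))

# Constructed sample: a pin on the old intermediate, before and after the issuer rotates.
LEAF, OLD_INT, NEW_INT = (fake_cert(k) for k in (b"leaf-key", b"old-intermediate", b"new-intermediate"))
PINNED = [(2, 1, 1, spki_sha256(OLD_INT))]
```

An empty result from `matching_records` for the chain a server currently presents means DANE validation fails for that record set, which is the state this report describes.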