starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-13 15:13:33 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Phase in key rollover #610

New Issue
Open
opened 2025-12-29 01:27:49 +01:00 by adam · 0 comments
adam commented 2025-12-29 01:27:49 +01:00
Owner
Copy Link

Originally created by @Zash on GitHub (Oct 25, 2023).

Hi and thanks a lot for dehydrated!

I'm looking into enabling private key renewal for my email and XMPP, where I have DANE TLSA records deployed. Since these must be published to DNS before the new private key is used, I would also like use the rollover feature.

Based on my reading of

e3ef43c816/dehydrated (L1458-L1472)

if you go from PRIVATE_KEY_ROLLOVER="no" and PRIVATE_KEY_RENEW="no" to both yes, dehydrated will not use the old key one last time, but throw it away, generate both a new key for immediate use and a rollover key.

It would be more convenient if, when rollover+renew is enabled and there is no rollover key, generate only the rollover key and keep using the old key until next renewal.

Possible workarounds include preemptively generating new rollover keys or delaying deployment of new keys and certificates until after new TLSA records have been published to DNS (and some time for caches to expire).

Originally created by @Zash on GitHub (Oct 25, 2023). Hi and thanks a lot for dehydrated! I'm looking into enabling private key renewal for my email and XMPP, where I have [DANE](https://datatracker.ietf.org/doc/html/rfc7673) TLSA records deployed. Since these must be published to DNS before the new private key is used, I would also like use the rollover feature. Based on my reading of https://github.com/dehydrated-io/dehydrated/blob/e3ef43c816f73d443f32410862d9253d35cf3f99/dehydrated#L1458-L1472 if you go from `PRIVATE_KEY_ROLLOVER="no"` and `PRIVATE_KEY_RENEW="no"` to both `yes`, dehydrated will not use the old key one last time, but throw it away, generate both a new key for immediate use and a rollover key. It would be more convenient if, when rollover+renew is enabled and there is no rollover key, generate only the rollover key and keep using the old key until next renewal. Possible workarounds include preemptively generating new rollover keys or delaying deployment of new keys and certificates until after new TLSA records have been published to DNS (and some time for caches to expire).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#610
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?