DANE TLSA records for _443._tcp.simplelogin.io. do not match the certificate currently used. #2268

Open
1 task done
Jemmy1228 opened this issue Oct 17, 2024 · 1 comment


@Jemmy1228

Prerequisites

  • I have searched open and closed issues to make sure that the bug has not yet been reported.

Bug report

Describe the bug
The public key hash specified in the TLSA records does not correspond to the certificate currently used for TLS. The pinned public key hash is the Subject Public Key Info (SPKI) hash of the Let's Encrypt R3 and R4 intermediates. However, as of June this year, Let's Encrypt has rotated their signing intermediate certificate, and the signing intermediate is no longer R3 or R4. Read the Let's Encrypt blog post here.

Expected behavior
Update the TLSA record each time a new certificate is issued, or pin the SPKI hash of the Let's Encrypt root certificate. simplelogin.io is not the only domain affected; other SimpleLogin domains have the same issue.

Screenshots
See the test results here

@nguyenkims
Contributor

Thanks, we'll update the record.
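
The mismatch reported in this issue can be reproduced offline. The following is an added example, not code from the issue or from the SimpleLogin project: it extracts the SubjectPublicKeyInfo from DER certificates, hashes it with SHA-256, and checks it against a TLSA pin before and after an intermediate rotation. The TLSA usage values (`2 1 1`, `3 1 1`), all function and variable names, and the unsigned certificate skeletons are assumptions constructed for illustration; the issue does not state which usage field the published records carry.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, start, end) of the DER element at off; end is one past its value."""
    tag, n, pos = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                  # long-form length (real certificates)
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_sha256(cert_der):
    """SHA-256 over the whole SubjectPublicKeyInfo TLV (TLSA selector 1, matching type 1)."""
    _, tbs_at, _ = read_tlv(cert_der, 0)          # first child of Certificate is TBSCertificate
    _, off, end = read_tlv(cert_der, tbs_at)
    fields = []
    while off < end:
        tag, _, nxt = read_tlv(cert_der, off)
        fields.append((tag, cert_der[off:nxt]))
        off = nxt
    # TBSCertificate order: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI
    return hashlib.sha256(fields[6 if fields[0][0] == 0xA0 else 5][1]).hexdigest()

def tlsa_matches(record, chain):
    """chain is leaf-first DER. Usage 3 pins the leaf key, usage 2 an issuer in the chain."""
    usage, selector, mtype, data = record.split()
    if (selector, mtype) != ("1", "1") or usage not in ("2", "3"):
        raise ValueError("example handles only '2 1 1' and '3 1 1' records")
    candidates = chain[:1] if usage == "3" else chain[1:]
    return any(spki_sha256(c) == data.lower() for c in candidates)

# --- constructed sample data: unsigned certificate skeletons, not real certificates ---
def tlv(tag, body):
    return bytes([tag, len(body)]) + body         # short-form length, enough for the samples

def fake_cert(pubkey):
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(tlv(0x06, bytes.fromhex("2b6570"))), tlv(0x03, b"\x00" + pubkey))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

LEAF, OLD_INT, NEW_INT, ROOT = (fake_cert(bytes([i]) * 32) for i in range(1, 5))
PIN_OLD_INT = "2 1 1 " + spki_sha256(OLD_INT)     # record published before the rotation
PIN_ROOT = "2 1 1 " + spki_sha256(ROOT)

def audit(chain):
    return {"old intermediate pin": tlsa_matches(PIN_OLD_INT, chain),
            "root pin": tlsa_matches(PIN_ROOT, chain)}

if __name__ == "__main__":
    print("before rotation:", audit([LEAF, OLD_INT, ROOT]))
    print("after rotation: ", audit([LEAF, NEW_INT, ROOT]))
```

The check only compares against certificates present in the chain it is given, so a pin on a CA key matches only when that CA certificate is part of the served chain.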
