SSL/DANE decentralized hosting certs

allan

I was thinking about switching to Enhance Control Panel

"Enhance automatically request a Let's Encrypt certificate for websites on Enhance cluster. An SSL certificate from a third-party can be installed at any point.
WARNING
3 days before the expiry of a third party certificate, Enhance will automatically request a Let's Encrypt certifica"

I use DANE certs for decentralized web 3.0 hosting. I use a cron job to resign the certs every 30 days
This warning appears to say my certs will be wiped out and replaced by lets encrypt certs. Central authority SSL certs will not work on a decentralized website.
Is there a way to remove the lets encrypt SSL cert renewall from my decentralized websites and use DANE only?
I also host regular ICANN sites that require that lets encrypt cert. so I need options.

Adam

I think what you're doing should be fine. If you install a custom certificate via the API or the UI, this will not be overwritten by a Let's Encrypt until 3 days before expiry. Therefore if you ensure (with your cron job) that a certificate is never < 3 days to expiry, it will never be replaced by Enhance.

allan

thanks for the reply, Adam.
Sounds good, guess Its about the mouse staying ahead of the cat with the certs

Im new to these control panels (I always use CLI).
I have some more related questions about hosting Web 3.0 TLD's and the Enhance DNS/nameserver role:
DANE rely's on DNSsec
Right now I use NSD as an authorative nameserver for the web3.0 TLD's and manually add (by script) the TLSA and the DS records to each zone file (parent TLD, SLD's and subdomains) to complete the trust chain. I then sign all zone files with DNSsec.

Does Enhance web hosting control panel work with adding new sites for TLD's as well as SLD's and subdomains?
If I use the nameserver role in Enhance, is DNSSEC enabled for all the zones files?
If the answer is yes to the above, does Enhance add the DS records to the proper zone files and resign all everytime a change is made to the zone file
Is the nameserver Enhance uses an authorative or a recursive server? Can it work with adding new TLD's and SLD's

Adam

allan Does Enhance web hosting control panel work with adding new sites for TLD's as well as SLD's and subdomains?

Yes, each website is its own DNS zone, even if it's an SLD/subdomain.

allan If I use the nameserver role in Enhance, is DNSSEC enabled for all the zones files?

You have toggle this on for each domain that you want to use DNSSEC with.

allan does Enhance add the DS records to the proper zone files and resign all everytime a change is made to the zone file

Yes.

allan Is the nameserver Enhance uses an authorative or a recursive server?

Authoritative, no recursion is possible.-

allan

nice.. thanks.
sounds like Enhance will handle decentralized TLD/SLD domains without any issue except making a few cron jobs
Im going to create a few VMs and give it a try.

is there any advice why I should not have all roles on one server? (except backups it will be on its own dedicated servrer)
I wanted to create :
1 vm for roles = enhance-app-database-nameserver1
1 vm (load balancing) for roles = app-database-nameserver2
1 vm for roles = backups

Adam

There's no reason why you shouldn't have all roles (except backup) on one server. It's common even in very large clusters for application/database to be on the same server. Some customers offload email to servers with slower CPU but more disk.