HSTS - pinning of private key didn't work

cakruege · November 23, 2015, 8:32pm

Hi,

I renewed my cert via

 ./letsencrypt-auto --renew certonly

I calculate my pin via

openssl rsa -in /etc/letsencrypt/live/<<<domain>>>/privkey.pem -pubout | \
openssl asn1parse -noout -inform pem -out /tmp/fingerprint.key;
openssl dgst -sha256 -binary /tmp/fingerprint.key | openssl enc -base64

But my pin changes.

Why did the private key change?

My1 · November 23, 2015, 9:35pm

as far as I know normally the renew process also changes the private key, annoying for pinning, especially when having cert lifetimes this short.

tlussnig · November 23, 2015, 10:01pm

that is one of the reason that i written my own client