HSTS - pinning of private key didn't work


#1

Hi,

I renewed my cert via

 ./letsencrypt-auto --renew certonly 

I calculate my pin via

openssl rsa -in /etc/letsencrypt/live/<<<domain>>>/privkey.pem -pubout | \
openssl asn1parse -noout -inform pem -out /tmp/fingerprint.key;
openssl dgst -sha256 -binary /tmp/fingerprint.key | openssl enc -base64

But my pin changes.

Why did the private key change?


#2

As far as I know, the renew process normally also changes the private key, which is annoying for pinning, especially with cert lifetimes this short.


#3

:slight_smile: That is one of the reasons that I have written my own client.
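
Added example, not part of any post in this thread: the pin computed in #1 is a SHA-256 hash of the public key, so it depends only on the key pair, and a renewed certificate can be checked against the deployed pins before it goes live. The function names, file names and the self-signed `example.test` certificates are constructed stand-ins for issued certificates.

```shell
#!/bin/sh
# Added example: SPKI pin = base64(SHA-256(DER-encoded public key)).
# All keys and certificates below are constructed test data.

spki_pin_from_key() {   # $1 = private key (PEM)
  openssl pkey -in "$1" -pubout -outform DER |
    openssl dgst -sha256 -binary | openssl enc -base64
}

spki_pin_from_cert() {  # $1 = certificate (PEM)
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# Succeeds only if the certificate's pin is among the deployed pins.
# $1 = certificate, remaining arguments = pins currently sent to clients.
cert_matches_pins() {
  cert_pin=$(spki_pin_from_cert "$1") || return 2
  shift
  for pin in "$@"; do
    [ "$pin" = "$cert_pin" ] && return 0
  done
  return 1
}

# Constructed stand-in for an issued certificate: self-signed, 90 days.
make_cert() {           # $1 = key, $2 = output certificate
  openssl req -new -x509 -key "$1" -subj "/CN=example.test" \
    -days 90 -out "$2" 2>/dev/null
}

demo() {
  d=$(mktemp -d) || return 1
  openssl genrsa -out "$d/old.pem" 2048 2>/dev/null
  openssl genrsa -out "$d/new.pem" 2048 2>/dev/null
  make_cert "$d/old.pem" "$d/renewed_same_key.pem"   # renewal that keeps the key
  make_cert "$d/new.pem" "$d/renewed_new_key.pem"    # renewal with a fresh key
  deployed=$(spki_pin_from_key "$d/old.pem")
  echo "deployed pin: $deployed"
  cert_matches_pins "$d/renewed_same_key.pem" "$deployed" &&
    echo "same key: pin still valid"
  cert_matches_pins "$d/renewed_new_key.pem" "$deployed" ||
    echo "new key: pin no longer matches, do not deploy without a backup pin"
  rm -rf "$d"
}
demo
```

Running `cert_matches_pins` against the renewed certificate before reloading the web server catches the situation described in #1 while the old certificate is still being served.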