Hi all,
The HPKP validation fails over at ssllabs.com when ever a new certificate is issued and the Pin SHA256 changes.
Is there automated option this is inserted into the “domain.com-le-ssl.conf” everytime certbot renew is done?
Currently I have to update each site.config file and apply new sha256 associated to the renewed certs.
Thanks
certbot generates a new private key every time it obtains a new certificate.
If you want to pin the end-entity certificate you’ll have to generate your own private key and CSR and use certbot --csr to obtain your certificate (which also requires you to set up renewal manually on your own).
Alternatively, you could instead pin the active and backup intermediate certificates (Let’s Encrypt Authority X3 and Let’s Encrypt Authority X4) or the current and future root certificates (DST Root CA X3 and ISRG Root X1).
you should use a script to do this 
there is a framework for this
review the different types of pinnings here as what @Patches suggested is actually a very elegant solution
Andrei
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
