slashnick
commented
7 years ago The bot has been fine even after a cert rotation, so we're safe to rotate again with a new public key to get this set up.
I'll document what I do in the wiki, for reference.
Add a
Public-Key-PinsHTTP header with the leaf public key, and some public keys of offline backup key pairs.Using out-of-the-box Let's Encrypt with auto-renew will cycle through new public keys every month or two. We can't pin to a moving target, so we need to either automate using the
--csrflag tocertbot, or use something likeacme-tiny(blog post).