Digital certificates
Cognac, 2016-05-17 18:49:18

How to change the SSL certificate on a site with HSTS enabled?

Hello. Not so long ago, a site with an expiring certificate came under my wing. Instead of re-issuing the certificate from the old CA, I decided to try Let's Encrypt. It works. But the old site had HSTS enabled. I specified the required sha256 sums and everything seemed to be fine. But complaints began to come in that the site was not available. The error in Firefox is MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE; Chrome is similar. The problem is not isolated. The keep-alive for the old certificate was set to a year.
What can be done in this situation? Returning to the old service provider is understandable. But how then do you change the certification authority, if such a need arises?
Disabling HSTS does not help.


1 answer(s)
Cognac, 2016-05-17
@Cognac

Thanks for the reply and sorry for the confusion with terminology.
You write: do not cope. Can't cope at all? Even by purchasing a certificate from a previous CA?
There, not one sha256 was indicated in the header, but several. These are probably the fingerprints of certificates that are higher in the chain. That is, certificates of a certification authority. In this case, if these certificates have not changed, the error will disappear, right?
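
An added example (not part of the original thread): the sha256 values in the header and the key-pinning error correspond to the `Public-Key-Pins` header of RFC 7469, where a connection passes if any key in the served chain matches a cached pin. The sketch below checks a candidate chain against such a header before a CA change; the header and the SubjectPublicKeyInfo byte strings are constructed stand-ins, not values from this site.

```python
import base64
import hashlib

def parse_pins(header):
    """Parse a Public-Key-Pins value into (pins, max_age, include_subdomains)."""
    pins, max_age, include_sub = set(), None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)              # base64 padding '=' survives partition
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub

def spki_pin(spki_der):
    """Pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def matching_pins(header, chain):
    """Names of the chain certificates whose public key is pinned."""
    pins, _, _ = parse_pins(header)
    return [name for name, spki in chain if spki_pin(spki) in pins]

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
OLD_INTERMEDIATE = b"constructed-spki-old-ca-intermediate"
OLD_ROOT = b"constructed-spki-old-ca-root"

# Constructed header: pins the old CA's keys, cached by browsers for a year.
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=31536000' % (
    spki_pin(OLD_INTERMEDIATE), spki_pin(OLD_ROOT))

CHAIN_NEW_CA = [("leaf", b"constructed-spki-new-leaf"),
                ("intermediate", b"constructed-spki-new-ca-intermediate"),
                ("root", b"constructed-spki-new-ca-root")]
CHAIN_OLD_CA_REISSUE = [("leaf", b"constructed-spki-reissued-leaf"),
                        ("intermediate", OLD_INTERMEDIATE),
                        ("root", OLD_ROOT)]

if __name__ == "__main__":
    for label, chain in (("new CA", CHAIN_NEW_CA),
                         ("old CA reissue", CHAIN_OLD_CA_REISSUE)):
        hits = matching_pins(HEADER, chain)
        print(label, "->", hits or "no pinned key in chain: pin failure")
```

With real certificates, the input to `spki_pin` is the DER-encoded public key of each certificate in the chain, not the whole certificate.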
