Hi! Currently, our server runs numerous websites using commercial TLS certificates, which are going to expire within the next months and years. We would like to replace these certs with Let's Encrypt certificates while preserving the key pair in order not to break HPKP. What is the best way to switch to LE within these constraints? As a side note, all these websites were created before the upgrade to 3.1, so they're (presumably) still using the old vhost template. Thanks in advance!
Never tested it, but... You should at least add LE root to those sites pinning while planning the migration, This way, when you switch over, the new root is already authorized. Think twice before pinning the leaf key (the only under your control) since LE's certs are really short-lived. You can have a look at: http://serverfault.com/questions/788453/can-i-use-public-key-pins-with-letsencrypt
True, (temporarily) pinning the Let's Encrypt root might be an option. However, I'd prefer not to do that permanently, since pinning anything but the leaf certificate kind of defeats the purpose of HPKP, IMO. Then the next question would be: Can I influence certbot's/ISPConfig's behavior such that it will not generate a new key on each cert renewal, but use the existing key (for example by adding an option to /etc/letsencrypt/cli.ini or some ISPConfig conf file)?
I don't think so -- at least I couldn't find any option to explicitly do it. Probably certbot generates new keypairs at every renewal for security reasons. You could try using --csr to use an existing CSR (reusing the keypair at least for first LE cert) but you'll have to do some scripting in post-renew hook because filenames have a prepended integer...
