From be3c95a9e6820f4962f09f32bc98771e216ef026 Mon Sep 17 00:00:00 2001
From: Dana Keeler <dkeeler@mozilla.com>
Date: Thu, 10 Dec 2020 17:17:12 +0000
Subject: [PATCH] Bug 1680372 - replace Let's Encrypt intermediate certificates
 with ISRG Root X1 in the mozilla_services pinset r=kjacobs DONTBUILD

Now that we're actually using Let's Encrypt for Mozilla services, we should pin
to the root.

Differential Revision: https://phabricator.services.mozilla.com/D99293
---
 security/manager/tools/PreloadedHPKPins.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
index 42d2b36c14fc..4afc14373bd0 100644
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -74,10 +74,7 @@
       "sha256_hashes": [
         "DigiCert Global Root CA",
         "DigiCert High Assurance EV Root CA",
-        // Backup intermediates with Let's Encrypt are not normally
-        // in use and require disabling Mozilla's sites blacklisting
-        "Let's Encrypt Authority X3",
-        "Let's Encrypt Authority X4"
+        "ISRG Root X1"
       ]
     },
     // For pinning tests on pinning.example.com, the certificate must be 'End