The first certificate I’ve ordered during the closed beta phase has been replaced now. HPKP is enabled again. With the standard Let’s Encrypt (LE) procedure, a new private key is generated every time a new certificate is issued.
In order to be able to enable HPKP again, you either need to use the standard LE client with a previously created CSR or use some other client.
With the LE client, that would mean: letsencrypt-auto certonly -a manual --csr {csr}
as outlined in an article by Thomas Leister (in German).
One very nice alternative client is acme-tiny. I’ve decided to follow that route. It’s quite nicely outlined in a post by Scott Helme.
I still haven’t established a proper key turnover procedure for standard TLS certificates and for DNSSEC (where the key registration with the TLD is the most challenging and time-intensive task, depending on your provider). That’s some project for rainy, boring