I would like to implement SSL pinning on ESP8266. Since leaf certificate is changing quite often I would like to check for which domain leaf was issued and check that root belong Let’s Encrypt.
To which property should I pin in root? I would like to avoid the situation when certificate expires and I would need to re-flash my device.
It looks like you want to accept any certificate issued by Let's Encrypt for your specific domain. This is done implicitly without any pinning if your only root CA on the device is Let's Encrypt (provided of course that you do the usual proper certificate validation). If you have multiple root CA on the system you might pin at the specific public key of the root CA you want to use.
Another option would be to not care about the CA at all but instead ping against the public key of the leaf certificate. Usually this public key stays the same if one is just renewing a certificate, i.e. one will submit a CSR with the same public key as in the previous certificate. In case the private key was compromised you might also have some more spare keys you could use to create a new certificate and have these setup for pinning on the device too.
I'm not sure what the current capabilities of the ESP8266 platform are currently regarding certificate validation. But as far as I remember there was a time when all it could do was to check for a specific leaf certificate. In this case the second option of pinning against the public key of the leaf certificate and reusing the same key with certificate updates should be easier to implement.
