Acme.sh --staging option

Hi,

I am trying to use the staging (test) option `--staging`, but I don't know when to use it: only on `--issue`, or on each command?

```
# export NSUPDATE_SERVER="ns1.domain.tld"
# export NSUPDATE_KEY="~/.acme.sh/keys/domain.tld.key"

# ~/.acme.sh/acme.sh --issue --dns dns_nsupdate -d domain.tld -d *.domain.tld --staging --reloadcmd "service apache2 restart"
# ~/.acme.sh/acme.sh --renew -d domain.tld -d *.domain.tld --staging --force
# ~/.acme.sh/acme.sh --remove -d domain.tld -d *.domain.tld --staging
# ~/.acme.sh/acme.sh --list --staging
```

And `--list` with or without `--staging` has the same result!?

```
# ~/.acme.sh/acme.sh --list
Main_Domain   KeyLength  SAN_Domains     Created                                     Renew
domain.tld  ""         *.domain.tld  mercredi 8 avril 2020, 12:04:56 (UTC+0000)  dimanche 7 juin 2020, 12:04:56 (UTC+0000)

# ~/.acme.sh/acme.sh --list --staging
Main_Domain   KeyLength  SAN_Domains     Created                                     Renew
domain.tld  ""         *.domain.tld  mercredi 8 avril 2020, 12:04:56 (UTC+0000)  dimanche 7 juin 2020, 12:04:56 (UTC+0000)
```

Can you explain how it works?

acme.sh doesn’t really treat the staging API differently than the production one.

There is no `--dry-run` mode, and if you renew from staging you risk overwriting your production certificates.

So, well, you should read its source code.
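Since `--list` prints the same rows with or without `--staging`, one way to see which endpoint each certificate is tied to is to read the per-domain config directly. This is an added example, not part of the thread or of acme.sh itself; it assumes acme.sh stores the ACME directory URL as `Le_API` in `<home>/<domain>/<domain>.conf`, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Classify acme.sh-managed certificates by the ACME endpoint saved in each
# domain config. Assumption: the endpoint is stored as Le_API='<url>' in
# <home>/<domain>/<domain>.conf.

# Print "<domain> <staging|production|other> <url>" for each domain conf.
acme_endpoints() {
    acme_home=$1
    for conf in "$acme_home"/*/*.conf; do
        [ -f "$conf" ] || continue
        # Take the last Le_API assignment and strip the surrounding quotes.
        api=$(sed -n 's/^Le_API=//p' "$conf" | tr -d "'\"" | tail -n 1)
        [ -n "$api" ] || continue        # not a domain conf, skip it
        domain=$(basename "$(dirname "$conf")")
        case $api in
            https://acme-staging-v02.api.letsencrypt.org/*) kind=staging ;;
            https://acme-v02.api.letsencrypt.org/*)         kind=production ;;
            *)                                              kind=other ;;
        esac
        printf '%s %s %s\n' "$domain" "$kind" "$api"
    done
}

# Build a constructed sample tree (not real acme.sh output) and echo its path.
make_sample_home() {
    dir=$(mktemp -d)
    mkdir -p "$dir/domain.tld" "$dir/prod.example" "$dir/misc"
    printf "Le_Domain='domain.tld'\nLe_API='%s'\n" \
        "https://acme-staging-v02.api.letsencrypt.org/directory" \
        > "$dir/domain.tld/domain.tld.conf"
    printf "Le_Domain='prod.example'\nLe_API='%s'\n" \
        "https://acme-v02.api.letsencrypt.org/directory" \
        > "$dir/prod.example/prod.example.conf"
    printf "SOME_SETTING='1'\n" > "$dir/misc/unrelated.conf"
    echo "$dir"
}

# Demo run on the constructed tree; point acme_endpoints at ~/.acme.sh instead
# to inspect a real installation.
sample=$(make_sample_home)
acme_endpoints "$sample"
rm -rf "$sample"
```

A domain reported as `staging` here would be renewed against the staging endpoint, so its certificate files should not be deployed to a production web server.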

OK :frowning:

I have 2 other questions:
1/ Is there a Let's Encrypt global dashboard where I can see all certificates generated on all my servers for all my domains?

2/ Acme.sh automatically creates a Let's Encrypt account without asking me for information, unlike certbot :frowning:
Isn’t it important to give domain owner information to Let's Encrypt? And how can I retrieve a “Let's Encrypt identifier” to join all my certificates on the same account?

There are tools that search the certificate transparency logs, like https://crt.sh and Let's Debug Toolkit.

You can tell acme.sh the info you want to use.

You can't move certificates from one account to another. Just generate new ones on the account you want and let the old ones expire.

Oh OK, I'm starting to understand. Let's Encrypt accounts are just temporary accounts associated with a certificate, which are deleted on certificate expiration, and it’s not important to have all certificates under the same Let's Encrypt account?

No, Let's Encrypt accounts are not temporary and not associated with one certificate only. Accounts are used to keep track of authorizations and their expiration (authorization and certificate are different things), among other things.

You can have several accounts but usually people have one account per machine.
