We are using cert-manager to issue certificates in k8s from LE staging on an HSTS domain. Chrome requires us to have a valid full chain. So we have added the Intermediate and Root to each developer's trusted store, but now, as stated in the staging environment docs...
Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing
What does "not safe" mean here?
What should we do considering the HSTS domain and considering we are under heavy development (so the k8s certificate is deleted and recreated often in a week)?
The idea is that if you choose to trust the staging cert in your browser, you could be more vulnerable to online attacks involving fake certs. Although we don't know of any such attacks, we're not taking the same kinds of precautions to prevent them that we would with the regular CA.
For example, someone might be able to hack Let's Encrypt infrastructure or trick a Let's Encrypt employee in order to get access to the staging signing key (something that would be dramatically harder for the regular CA). Or Let's Encrypt might introduce a new experimental validation method in the future and test it first on the staging service, and it might turn out that the new method is insecure in some way.
Another kind of reason not to do this on a regular browser is that if you accidentally set up a production version of your own site with a testing certificate rather than a production certificate, it would be harder for you to notice that you've done so if your browsers accept the testing certificate with no error!
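As an added example (not from this thread or from cert-manager): a Go check that flags a PEM chain issued by the Let's Encrypt staging CA, so a pre-deploy or CI step catches the "shipped a staging certificate to production without noticing" case described above. It assumes the input is the tls.crt bundle cert-manager writes into the TLS Secret and relies on the staging CAs carrying "(STAGING)" in their subject names; the self-signed certificate it builds is constructed purely to exercise the check offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Let's Encrypt's staging CAs carry "(STAGING)" in their subject names
// (e.g. O="(STAGING) Let's Encrypt"); the production CAs never do.
const stagingMarker = "(STAGING)"

// ChainIsStaging parses every certificate in a PEM bundle (the shape of tls.crt
// in a cert-manager-issued Secret) and reports whether any subject or issuer in
// it belongs to the staging CA. An empty or non-certificate bundle is an error.
func ChainIsStaging(bundle []byte) (bool, error) {
	parsed, staging := 0, false
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // skip keys or other blocks that share the file
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return false, fmt.Errorf("certificate %d: %w", parsed, err)
		}
		parsed++
		if strings.Contains(cert.Subject.String()+cert.Issuer.String(), stagingMarker) {
			staging = true
		}
	}
	if parsed == 0 {
		return false, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return staging, nil
}

// SelfSignedPEM is a constructed self-signed certificate with the given O,
// used only to exercise the check offline; it is not a Let's Encrypt cert.
func SelfSignedPEM(org string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	tmpl.Subject.Organization = []string{org}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running it against `kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d` before a production rollout turns the silent acceptance the answer warns about into a hard failure.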