I have successfully rolled out Let’s Encrypt on an Ubuntu machine (16.04) using the bundled letsencrypt client. I use Ansible to configure the whole system, including calling letsencrypt with the appropriate command line options.
I also have a local VirtualBox VM which is not reachable from the outside world. It allows me to test changes before I roll them out to the production environment. I use exactly the same Ansible setup for it, albeit with some different “testing” variables.
Before using Let’s Encrypt, I would just copy the production certificate to the testing environment also and ignore the certificate warnings when I open the web pages in the browser.
With Let’s Encrypt, I can’t do that anymore: The client won’t issue me a certificate, even if I pass --staging. I get this error:
- The following errors were reported by the server:
Domain: ci.isabelle.systems
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
ac7d42b402997f5a524d0940f3f4a656.9007b2d1b5be960418d8cff5a3bfe36c.acme.invalid
from 131.159.46.85:443. Received certificate containing
'ci.isabelle.systems'
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Is there any way I can get the letsencrypt client to issue me a fake certificate without any kind of authorization?
There are a few other options though, depending on exactly what you need.
You say:
Before using Let's Encrypt, I would just copy the production certificate to the testing environment also and ignore the certificate warnings when I open the web pages in the browser.
Well, you could do exactly the same now.
You could self certify a certificate for that test domain
You could validate it using the DNS challenge - and then have a full LE cert for the domain.
Since it is completely unreachable, you aren’t going to be able to verify ownership - hence letsencrypt can’t issue a cert.
If you want to test the full letsencrypt invocation, the only other thing that springs to mind is setting up another VM which has a copy of LE’s staging server, and obtaining fake certificates from that (they would be identical to the LE staging fake certs).
It’s a bit more work, but would allow you to test the full setup.
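The "self certify a certificate for that test domain" option above, as an added example that is not part of the original thread: a throwaway local CA signs a certificate for the test VM's hostname, so the browser only needs to trust that one CA instead of clicking through warnings. It assumes openssl is installed and uses the thread's hostname purely as a sample value; the output directory argument is an assumed convention.

```shell
#!/bin/sh
# Added example (not from the original thread). Mint a short-lived local CA and
# a CA-signed server certificate for a test VM that the public CA cannot reach.
# Assumes: openssl on PATH. Keep ca.key on the test machine only; it will sign
# anything it is asked to, so it must never be trusted outside the test VM.

make_test_cert() {
  host="$1"          # hostname the test VM answers to, e.g. ci.isabelle.systems
  out="${2:-.}"      # directory for the generated files (assumed convention)
  mkdir -p "$out"
  # 1. Throwaway CA, valid for 30 days so a leaked copy ages out quickly.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Local test CA (do not trust publicly)" \
    -keyout "$out/ca.key" -out "$out/ca.crt" >/dev/null 2>&1 || return 1
  # 2. Server key and CSR for the test host.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$out/$host.key" -out "$out/$host.csr" >/dev/null 2>&1 || return 1
  # 3. Sign with the CA and add the subjectAltName that browsers insist on
  #    (a bare CN is no longer enough for hostname matching).
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$out/san.ext"
  openssl x509 -req -in "$out/$host.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days 30 -extfile "$out/san.ext" \
    -out "$out/$host.crt" >/dev/null 2>&1
}

# Check the result the way a client would: the leaf must chain to the CA and
# must carry the expected hostname in its SAN. Returns non-zero on any mismatch.
verify_test_cert() {
  host="$1"; out="${2:-.}"
  openssl verify -CAfile "$out/ca.crt" "$out/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$out/$host.crt" -noout -text | grep -q "DNS:$host"
}
```

Point the test VM's web server at `$host.key` / `$host.crt` and import `ca.crt` into the browser's trust store on the workstation only.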
Right. I'll think about it. Although it might make sense to integrate something like that into the official server (but I can't judge how much work that would be or whether many other people would consider this a worthy feature).
From a personal point of view, I take the alternative approach, and have a development version of accounts on a VPS (relatively cheap, only a few $ / month from some providers) and then duplicate the exact setup there (rather than a VM). That way it’s accessible from the internet in the same way as the real domain for testing - I simply firewall off the bulk of traffic.