Obtain fake certificate in "staging" mode without authorization


#1

I have successfully rolled out Let’s Encrypt on an Ubuntu machine (16.04) using the bundled letsencrypt client. I use Ansible to configure the whole system, including calling letsencrypt with the appropriate command line options.

I also have a local Virtualbox VM which is not reachable from the outside world. It allows me to test changes before I roll them out to the production environment. I use exactly the same Ansible setup for it, albeit with some different “testing” variables.

Before using Let’s Encrypt, I would just copy the production certificate to the testing environment also and ignore the certificate warnings when I open the web pages in the browser.

With Let’s Encrypt, I can’t do that anymore: The client won’t issue me a certificate, even if I pass --staging. I get this error:

 - The following errors were reported by the server:

   Domain: ci.isabelle.systems
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   ac7d42b402997f5a524d0940f3f4a656.9007b2d1b5be960418d8cff5a3bfe36c.acme.invalid
   from 131.159.46.85:443. Received certificate containing
   'ci.isabelle.systems'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Is there any way I can get the letsencrypt client to issue me a fake certificate without any kind of authorization?


#2

In terms of the letsencrypt client (certbot), no.

There are a few other options though, depending on exactly what you need.

You say:

Before using Let’s Encrypt, I would just copy the production certificate to the testing environment also and ignore the certificate warnings when I open the web pages in the browser.

Well, you could do exactly the same now.

You could self-certify a certificate for that test domain.

You could validate it using the DNS challenge, and then have a full LE cert for the domain …
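The following is an added example (not code from this thread, nor from certbot or boulder) that shows what the validator was actually checking in the error quoted in #1, and what the DNS challenge suggested above would have asked for instead. The account key (JWK) and the token are constructed for illustration and are not real; the derivations follow the ACME draft that Let’s Encrypt implemented at the time: key authorization = token "." JWK thumbprint; TLS-SNI-01 name = the hex SHA-256 of the key authorization split into two 32-character labels under .acme.invalid (the shape of the name in the error); DNS-01 value = base64url SHA-256 of the key authorization. Note that Let’s Encrypt has since retired the TLS-SNI-01 challenge.

```python
"""Derive the values an ACME validator expects for the TLS-SNI-01 and DNS-01
challenges, and replay the failed validation from post #1.

Added example, not part of the original thread or of certbot/boulder.  The JWK
and token below are constructed (NOT a real account key or a real token).
"""
import base64
import hashlib
import json

# Constructed account key (not a real RSA modulus) and a made-up token.
FAKE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data):
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """Binds the CA-issued token to the account key: token "." thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def tls_sni_01_name(key_authz):
    """Z = lowercase hex SHA-256 of the key authorization.  The CA connects to
    the domain's A record on 443 with SNI = Z[0:32].Z[32:64].acme.invalid and
    expects a self-signed certificate carrying that dNSName (the two
    32-hex-character labels seen in the error in post #1)."""
    z = hashlib.sha256(key_authz.encode("ascii")).hexdigest()
    return z[:32] + "." + z[32:] + ".acme.invalid"


def dns_01_txt_value(key_authz):
    """Value the CA looks up in the TXT record _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def validate_tls_sni_01(key_authz, presented_dns_names):
    """The CA's check reduced to its essence: does the certificate returned on
    the SNI connection carry the expected acme.invalid name?"""
    return tls_sni_01_name(key_authz) in presented_dns_names


def demo():
    """Replay post #1: the CA resolved ci.isabelle.systems to the production
    host (131.159.46.85 in the log), which served its real certificate, while
    the VM that actually ran certbot --staging was unreachable."""
    ka = key_authorization(TOKEN, FAKE_JWK)
    expected = tls_sni_01_name(ka)
    production_host_cert_names = ["ci.isabelle.systems"]  # what the CA received
    responder_cert_names = [expected]                     # what the VM would have served
    return {
        "expected_name": expected,
        "valid_against_production_host": validate_tls_sni_01(ka, production_host_cert_names),
        "valid_against_vm_responder": validate_tls_sni_01(ka, responder_cert_names),
        "dns01_txt": dns_01_txt_value(ka),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the expected acme.invalid name, a False result for the certificate the production host actually served (the validator’s "unauthorized" outcome), a True result for a responder that presents the derived name, and the TXT value a DNS-01 validation of the same authorization would have looked up; the DNS route needs no inbound connectivity to the VM at all, which is why it is the only one of the listed options that works for a host behind a firewall.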


#3

Right, sure. But that would defeat the point of the testing environment – it wouldn’t test the actual letsencrypt invocation.

This won’t work; I do control the DNS, but it’s not a supported provider for the various scripts floating around.


#4

As long as it has an API to add / change the DNS records, then it’s pretty easy to do.


#5

That’s the problem: they don’t.


#6

Can you temporarily port-forward port 80 to your VM whilst you complete verification of your test site?


#7

Sadly no; as I said, it’s a VM which runs on a host which is behind a firewall and thus not reachable from the outside.


#8

Since it is completely unreachable, you aren’t going to be able to verify ownership - hence letsencrypt can’t issue a cert.

If you want to test the full letsencrypt invocation, the only other thing that springs to mind is setting up another VM which has a copy of LE’s staging server … and obtain fake certificates from that (they would be identical to the LE staging fake certs).

It’s a bit more work, but would allow you to test the full setup.


#9

Right. I’ll think about it. Although it might make sense to integrate something like that into the official server (but I can’t judge how much work that would be or whether many other people would consider this a worthy feature).


#10

From a personal point of view, I take the alternative approach, and have a development version of accounts on a VPS (relatively cheap, only a few $ / month from some providers) and then duplicate the exact setup there (rather than a VM). That way it’s accessible from the internet in the same way as the real domain for testing; I simply firewall off the bulk of traffic.


#11

For setting up your own local version of the ACME server used by LE - see boulder on github

