Skipping verification when using --test-cert?

I am working on integrating and automating ssl provisioning into a software as a service system using certbot.

In development I am passing the --test-cert flag, but it is still attempting the http verification process. Being that this is in development the web server is not live, therefore this fails.

Is there any way to skip this step under the local development / testing scenario?

Hi @matthewk,

There isn't a way to skip validation with the Let's Encrypt staging server. It exists to be as close a mirror of production as possible and performing validation the same way is a big part of that.

You could create your own staging environment by running Boulder, the Let's Encrypt CA, locally and pointing Certbot at it, but that would still be performing validation, it would just let you fudge the DNS to send validation requests wherever you wanted for any domain.

Can you explain more what you are integrating/automating and how? If you're primarily using Certbot hooks it might be easier to test the hooks in isolation. If you're automating invoking Certbot maybe you could write a wrapper that stubs out the actual invocation that starts issuance?

Hi Daniel,

Thanks for your help! I am attempting to integrate the certbot command to issue an initial ssl certificate for a given domain as an operation launched by an end user of the software.

To do this I am executing the certbot command from my code and checking the exit code and response, then performing additional operations. Your post has brought to my attention though that I should probably be using the deploy hook for any operations needing to run after a successful certificate issue. Unfortunately that moves it into another process but I think I can deal with that, and as you rightly said that would make it a lot more testable.

I am slightly surprised this isn’t a more common issue though, I had assumed I could safely use the staging server to test my integration locally, but unless I have a live web server / live dns I am unable to easily test the process whilst interacting with letsencrypt. The addition of an explicit --skip-verification flag would I think be very useful to a lot of people in this scenario, unless I’m approaching this all wrong and assuming of course that everyone else isn’t just testing in production :worried:

I will check out Boulder too, hopefully setup isn’t too involved but that may provide the full end to end testing that I’m looking for, thanks for the link.
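The wrapper approach suggested above, as an added example (not code from either poster or from the Certbot project): the integration builds the `certbot certonly` command line, hands post-issuance work to `--deploy-hook`, and takes its process launcher as a parameter so local tests can swap in a fake that never contacts Let's Encrypt. The hook path `/usr/local/bin/on-cert-deployed`, the webroot and the sample domain are assumptions; `--test-cert`, `--deploy-hook`, `--webroot`, and the `RENEWED_LINEAGE`/`RENEWED_DOMAINS` variables the hook receives are real Certbot behaviour. Because the domain comes from an end user, the wrapper also refuses anything that is not a plain hostname before it reaches the command line.

```python
"""Wrapper around the certbot CLI whose process launcher can be swapped for a fake
in local tests, so the integration logic is exercised without a live web server."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List

# Plain DNS hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


@dataclass
class CertbotResult:
    ok: bool
    returncode: int
    output: str


def build_certbot_args(domain: str, email: str, webroot: str, staging: bool,
                       deploy_hook: str) -> List[str]:
    """Assemble the certbot argv. The domain is user-supplied, so anything that is
    not a plain hostname (including values starting with '-') is rejected rather
    than placed on the command line."""
    if not HOSTNAME_RE.match(domain):
        raise ValueError(f"refusing to pass unexpected domain value to certbot: {domain!r}")
    args = [
        "certbot", "certonly",
        "--non-interactive", "--agree-tos",
        "--email", email,
        "--webroot", "-w", webroot,
        "-d", domain,
        # Runs once after a successful issuance; certbot exports RENEWED_LINEAGE
        # and RENEWED_DOMAINS to it, so post-issue work belongs there, not here.
        "--deploy-hook", deploy_hook,
    ]
    if staging:
        # Let's Encrypt staging still performs HTTP validation; it only avoids
        # rate limits and issues certificates that browsers do not trust.
        args.append("--test-cert")
    return args


def issue_certificate(domain: str, email: str, webroot: str, staging: bool = True,
                      deploy_hook: str = "/usr/local/bin/on-cert-deployed",  # hypothetical path
                      runner: Callable = subprocess.run) -> CertbotResult:
    """Invoke certbot through `runner` (subprocess.run in production, a fake in tests)
    and report the exit status plus captured output."""
    args = build_certbot_args(domain, email, webroot, staging, deploy_hook)
    proc = runner(args, capture_output=True, text=True)
    return CertbotResult(ok=(proc.returncode == 0), returncode=proc.returncode,
                         output=(proc.stdout or "") + (proc.stderr or ""))


class FakeCertbot:
    """Stand-in for subprocess.run: records the argv and returns a canned exit code,
    so the surrounding integration can be tested with no web server or DNS."""

    def __init__(self, returncode: int = 0, stdout: str = "fake certbot: ok"):
        self.returncode = returncode
        self.stdout = stdout
        self.calls: List[List[str]] = []

    def __call__(self, args, capture_output=False, text=False, **kwargs):
        self.calls.append(list(args))
        return subprocess.CompletedProcess(args, self.returncode, stdout=self.stdout, stderr="")


if __name__ == "__main__":
    # Constructed sample run against the fake; nothing here contacts Let's Encrypt.
    fake = FakeCertbot(returncode=0)
    result = issue_certificate("app.example.com", "ops@example.com", "/var/www/html", runner=fake)
    print(result.ok, fake.calls[0])
```

In production the default `runner` is `subprocess.run`, so the same code path that tests exercise against `FakeCertbot` is what launches the real `--test-cert` or production issuance; the only thing the fake cannot prove is that the hook script itself works, which is best tested on its own with `RENEWED_LINEAGE` pointed at a throwaway directory.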

Great! I think that will work out better for you.

Sounds good. Let us know if you run into any snags. Setting up Boulder is a little bit involved because it's fairly complex software. The docker quick-start is definitely the easiest way and what I use myself.

We have another project on the go called Pebble that is designed to be easier to set up than Boulder to help with testing. Unfortunately it won't be useful to you yet - it only implements ACME v2 and Certbot hasn't yet implemented this new up-and-coming API. Hopefully over the next year you'll be able to use Certbot and Pebble in your test environment instead of Certbot and Boulder.
