Staging Certificates

I have staging certificates that I'd like to install on my client machine in order to access a server with the same staging certificates. I'm not sure where to install the certificates. But, within /etc/ssl/certs seems plausible. I tried that, and it didn't work. Where should I put my copies of the staging certificates? Are there additional steps to take after copying the certificates to the right location?

At least one other person has installed certificates and is using the server without trouble. They're running a Mac, and I'm running Linux Mint 21.1. I think they installed their keys in /Library/Keychains/System.keychain on their Mac. I installed my keys in /etc/ssl/certs.

Thanks...

The domain of interest is: orcatech.org

I ran these commands:
curl https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x2.pem -o /tmp/staging_broccoli.cer
curl https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem -o /tmp/staging_pear.cer

It created: /tmp/staging_broccoli.cer and /tmp/staging_pear.cer

My web server is (include version): I don't have access to that.

The operating system my web server runs on is (include version): I don't have access to that.

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don't manage the server. I'm trying to connect as a client.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): In my personal life I used certbot for a mail server that I run at home.

Then what are you trying to do here? Staging certificates are about as good as self-signed certs (if they actually exist).

IMHO your post is suspect and I have flagged it as such.

2 Likes

The answer would be found by googling how to install a trusted certificate authority in whatever client OS you're running--which is a question that doesn't really have anything to do with Let's Encrypt. But why are you trying to use a web site that's only serving a staging cert?

4 Likes

It's for work. One person is bringing up a new server, and gets their server certs via Let's Encrypt. They run on a Mac. [I also get my mail server certs from Let's Encrypt. Not that it matters.]

My role will be to test the applications on the server, once I can get on it. I'm actually about half on it. I can't get https to work, just http. I run Linux, so his recipe for installing certs on a Mac was marginally useful, though it worked for a few steps.

I went through a good number of articles today trying to understand where the cert files should go, and it looks like somewhere in /etc/ssl/. But, mostly I ran into articles about people wanting to convert between cer, pem, etc. I'll ask my coworker for help with the certs tomorrow as I don't really want to have my 2nd or 3rd posts tagged as suspect.

Thanks....

2 Likes

OK so I tagged your post. I am a trained and natural paranoid.

Do you work for OHSU? In any capacity?

So I suppose I don't understand the "role" thing.

Would you please provide a complete description of what you are trying to do, and to whom, and what your relationship with them is?

What authority have you been given to attempt to access an OHSU website?

So the issue I am having is someone asking for information on how to get any kind of unauthorized access to a website that YOU don't manage.

The administrators that have control over the website should be providing you with access.. NOT US.

Your post is vague at best and exhibits no authority to manipulate or "test" the site you claim to want client access to.

I was going to PM you, but instead decided to put my foot in my mouth like normal...

I would add that if the Oregon Center for Aging and Technology needs you and "one other person has installed certificates and is using the server", the system administrators and management at OHSU should be where you seek assistance.

Rip

4 Likes

I can imagine a situation using Staging certs for testing.

The domain orcatech.org can be reached today over the public internet and it uses a production cert.

So, I assume there is also an "offline" server used on some private network. And, that server uses a Staging cert. Is that right?

You want to get the Staging root trusted on your client so the testing platform fully mimics a production cert rather than using, say, self-signed certs for such a purpose.

If that's the situation @danb35 described the remedy. You need to find out how to add a trusted root to the Linux Mint system. Perhaps someone here might know but their forum would know best (or their docs). Different distros have different methods. Often you need to run some command after updating the cert folder. Maybe you just need the right command for Mint.

5 Likes

Mint is a Debian derivative, so the following should be all that is needed to add a root certificate to the system trusted store.

  1. Drop the staging root CA certificate into /usr/local/share/ca-certificates/
  2. Run update-ca-certificates

5 Likes

@Rip I think you've been overly cautious here. The point seems to be that someone else is setting up a test server that will use Let's Encrypt staging certificates, and @KevinTheDrummer wants to access that service from his own work device in order to help test it.

One should not add trusted certificates on other people's devices without their consent, but one can choose to add them on one's own device for various reasons.

@KevinTheDrummer One thing to consider in doing this is that random strangers might become more able to carry out attacks against your other web browsing. If you have multiple web browsers installed on your system, you might consider making a specific browser profile (or using a specific browser) with the staging certificate(s) trusted there, so that the browser that you use for other purposes isn't affected. You can usually choose to trust certificate authorities at the individual browser (or browser profile) level, as opposed to system-wide.

5 Likes

Hey Rip,

My group's purview regarding computing is outside of corporate IT. I'm not testing anything having to do with corporate systems or assets. I and my group are employees of OHSU.

I'm not asking for someone to provide me access. I'd already been given the certs I need, at least on/off for the next couple days. Soon the production stuff will be in place. It seems that my lead and I didn't coordinate the short time span for the use of staging certs. He got his working before I could, and he moved the server side stuff away, and then nobody could get in, including me.

If you scroll down in the website you found, you'll find my photo. I'm sure that'll convince you of my authenticity. :wink:

4 Likes

Hi @KevinTheDrummer,
Thanks for that. I realize my initial response might have come off as overly paranoid and abrupt. My Bad.

My goal has always been to support enhanced security and legitimate use of Let's Encrypt's free services.

Based on input from you and others in this thread, I recognize that your project is legit, and you're just trying to do your job.

You're working in a testing environment, which is a common scenario. I get it.

Anyway, as @schoen suggested, you might consider setting up a specific browser profile for your project. Then you can "trust" the staging certs in that profile without affecting your other web activities.

I hope this helps get this thread back on track so you can accomplish your goal.

Rip

5 Likes

@schoen Yes, my plan was to continue using Chrome for day-to-day, and do some testing with Firefox. I suspect that using an incognito browser window might provide protection. But, "suspecting" it might work doesn't seem good enough.

@linkp, I already know about /usr/local/share/ca-certificates/. But, I didn't know about update-ca-certificates. I suspect that's the missing piece. THANK YOU.

5 Likes

While globally trusting the Let's Encrypt staging CA will allow you to access sites that are using certificates that it has issued, this does expose you to greater risk by telling your system to trust certificates that it shouldn't. It's obviously fine for your test servers. It's the sites on the rest of the internet that are a concern.

If you are going to use Firefox, I would consider loading the staging root CA certificate only there, rather than globally, as it has its own CA store. I wouldn't expect private or incognito browsing to offer any protection against the risks introduced by trusting the LE staging CA.

6 Likes

I strongly recommend against using staging like this for the reasons @schoen stated above - everyone on your team is less secure if they trust the staging roots.

As an alternative, I'd like to suggest the following: set up a subdomain like dev-internal.orcatech.org and use the production stuff on that. If you need to serve locally - either in your network or on your machine - use DNS-01 authentication to create a trusted certificate. You can even do subdomains for group use, staging.dev-internal.orcatech.org (public DNS), or private use local.dev-internal.orcatech.org (pointing to 127.0.0.1) and distribute the local cert to team members on renewal. I often do the latter.

I prefer testing like that, because I get to test against the real chain and environment - the only difference is the domain name.

6 Likes

@KevinTheDrummer,

Why go to all the bother of using the Staging Certificates when Let's Encrypt Production Certificates are free? Yes, the Rate Limits are much higher for the Staging Environment.

How many Certificates and domain names are you thinking about?

I would suggest only using the Staging Environment for testing your server's ACME client configuration.

4 Likes

Good Point!

Another Good Point!

Yes! Great Point as well!

Good on you. Hope it helps!

4 Likes