Tips for using staging server


#1

I am trying to figure out how to use the letsencrypt staging server to verify my own staging setup that includes a letsencrypt client. I considered asking letsencrypt staging for certificates for names like www.staging.example.com corresponding to www.example.com in production.

But that implies that the staging setup will be different from the production. I would like to avoid that. So is it possible to ask the staging server for a certificate for www.example.com using http-01 challenge with the challenge coming to www.staging.example.com?


#2

You could probably temporarily forward the http acme-challenge request…
So that if:
http://www.example.com/.well-known/acme-challenge/###
forwards to:
http://www.staging.example.com/.well-known/acme-challenge/###
You can authenticate www.example.com requests from the www.staging.example.com server.

Of course, this would require making a production change to the www.example.com system in how it handles the acme-challenge requests - and then you would also need to put it back as you found it.


#3

Hm, but is it possible to detect if acme-challenge comes from the staging server based on HTTP request header like User-Agent? If so it should be OK to change production config to redirect based on that. Or is the IP-address the only difference between letsencrypt staging and production during http-01 authorization?


#4

You could configure both the staging and production environments to serve challenge responses from a single location.

For example, from /var/www/acme (if the environments happen to share a filesystem), or even with an HTTP redirect to http://acme-responder.example.com/$1.

But I find your premise a little perplexing. Using a different name seems like the correct thing to do and not a difference that you would be able to paper over with cleverness. As long as the environments are otherwise identical (e.g. authorization method, directories, DNS records) it should be good enough.
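The forwarding approach from #2 and the single-responder redirect from #4, as an added example that is not from the thread: a minimal WSGI handler for the production host that redirects only well-formed acme-challenge paths to the staging host (the validator follows the redirect) and serves everything else as usual. The host names and port are assumptions.

```python
import re
from typing import Optional
from wsgiref.simple_server import make_server

# Assumed names (not from the thread): the production host that receives the
# validation request and the staging host that actually holds the key
# authorization files.
STAGING_HOST = "www.staging.example.com"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# http-01 tokens are base64url characters only; anything else is rejected so
# the redirect stays scoped to challenges and cannot be turned into an open
# redirect or a path-traversal echo.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def challenge_redirect(path: str) -> Optional[str]:
    """Return the staging URL for a well-formed acme-challenge path, else None."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    return f"http://{STAGING_HOST}{CHALLENGE_PREFIX}{token}"


def app(environ, start_response):
    """WSGI app for the production host: redirect challenges, serve the rest."""
    target = challenge_redirect(environ.get("PATH_INFO", ""))
    if target is not None:
        start_response("302 Found", [("Location", target)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"production content\n"]


if __name__ == "__main__":
    # Assumed port; bind behind the real production listener for port 80.
    make_server("", 8080, app).serve_forever()
```

Remember to remove the redirect once the staging run is done, as #2 notes.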


#5

@jsha
from above:
is it possible to detect if acme-challenge comes from the staging server?


#6

Why not just get a wildcard cert that will be valid for whichever_server_name.example.com?


#9

Well, that’s a good idea but of course a wildcard certificate for *.example.com would not cover www.staging.example.com so they would have to change their naming scheme for staging servers :wink: