Tips for using staging server


I am trying to figure out how to use the letsencrypt staging server to verify my own staging setup that includes a letsencrypt client. I considered asking letsencrypt staging to get certificates for names like corresponding to in the production.

But that implies that the staging setup will be different from the production. I would like to avoid that. So is it possible to ask the staging server for a certificate for using http-01 challenge with the challenge coming to


You could probably temporarily forward the http acme-challenge request…
So that if:
forwards to:
You can authenticate requests from the server.

Of course, this would require making a production change to the system in how it handles the acme-challenge requests - and then you would also need to put it back as you found it.


Hm, but is it possible to detect if acme-challenge comes from the staging server based on HTTP request header like User-Agent? If so it should be OK to change production config to redirect based on that. Or is the IP-address the only difference between letsencrypt staging and production during http-01 authorization?


You could configure both the staging and production environments to serve challenge responses from a single location.

For example, from /var/www/acme (if the environments happen to share a filesystem), or even with an HTTP redirect to$1.

But I find your premise a little perplexing. Using a different name seems like the correct thing to do and not a difference that you would be able to paper over with cleverness. As long as the environments are otherwise identical (e.g. authorization method, directories, DNS records) it should be good enough.
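
One way to serve both environments' http-01 responses from a single directory such as /var/www/acme, as the reply above suggests (an added example, not code from the thread): a small Python handler that ignores the Host header and only maps well-formed tokens to files. The function and class names, port 8080 and the flat directory layout are assumptions.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens use only the base64url alphabet, so anything else
# (slashes, dots, percent-escapes) is rejected before touching the disk.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
SHARED_DIR = "/var/www/acme"  # assumption: token files sit directly in here


def challenge_file(request_target, shared_dir=SHARED_DIR):
    """Return the Path of the token file for an http-01 request, or None."""
    path = urlsplit(request_target).path
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    candidate = Path(shared_dir) / token
    return candidate if candidate.is_file() else None


class AcmeHandler(BaseHTTPRequestHandler):
    """Answers for every hostname: the Host header is deliberately ignored,
    so the staging and production names get the same responses."""

    def do_GET(self):
        found = challenge_file(self.path)
        if found is None:
            self.send_error(404)
            return
        body = found.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 is an assumption; each environment's front end would proxy
    # /.well-known/acme-challenge/ on port 80 to this listener.
    HTTPServer(("127.0.0.1", 8080), AcmeHandler).serve_forever()
```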


from above:
is it possible to detect if acme-challenge comes from the staging server?


Why not just get a wildcard cert that will be valid for


Well, that’s a good idea but of course a wildcard certificate for * would not cover so they would have to change their naming scheme for staging servers :wink:

