Using Let's Encrypt staging environment and save certificates

Is it possible to use the staging environment of Let's Encrypt with certbot and save the certificates to disk?

If I use certbot --dry-run, it uses the staging environment but doesn't save the certificates to disk.

I am trying to set up some automation with the certificates, and don't want to run into any rate limits.


I ran this command:
certbot certonly --manual --dry-run --preferred-challenges=dns -d <my_domain> --manual-public-ip-logging-ok

It produced this output:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.

The operating system my web server runs on is (include version):
Windows 10

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

1 Like

Yes, you can use --staging (which is really a shortcut for --server https://acme-staging-v02.api.letsencrypt.org/directory).

--dry-run will always discard the certificate.

3 Likes

Be careful that it doesn't also install the FAKE cert anywhere.
Perhaps include certonly

1 Like

When I tried that, it said that it was successful. :slight_smile:

However, the four *.pem files that it creates are completely empty -- zero bytes.

Is that expected?

1 Like

I'm not too up to speed with what happens with Certbot on Windows, but does opening those files as Administrator help?

The files in /etc/letsencrypt/live/<domain>/ are the ones you want to be looking at. They are symlinks which point to the most recently renewed certificate. The fact they are symlinks might cause Windows to display them as 0 bytes.

2 Likes

The default files are symbolic links to the latest files.
Please show them in File Explorer (in detailed view - with file extensions on).

2 Likes

Do you already have any real LE certs on this system?

1 Like

I was able to find the actual cert files in c:\certbot\archive\<domain>.

Thank you both of you.

2 Likes

You can use --break-my-certs to actually install fake/staging certificates.

1 Like

Why do you even put that out there?
Now he might want to test with that and BREAK his working certs - LOL

1 Like

I figure if the package clearly says "will surely cause death and dismemberment"... :skull_and_crossbones:

:grin:

1 Like

I don't have any real LE certs on this system.

Right now, I'm only testing and learning.

Thank you again for your help. :slight_smile:

2 Likes

Learn away! We like informed certificate users.

:+1:

1 Like

Bear in mind that if you configure your webserver to directly read a file from archive/, autorenewal won't really work as expected. This is because every renewed certificate file in there has an incrementing counter. fullchain1.pem fullchain2.pem etc. The file you choose today would never get updated.

The live/ directory exists so that you can refer to the symlinks without having to update your server configuration at every renewal.

Even if the symlink appears to be zero bytes, it should work just fine if you configure a webserver to use it.

2 Likes

--break-my-certs will be useful in an earlier stage even. Certbot will refuse to save certs with --staging if it found a previous valid cert and certonly won't make any difference about that. Sure, it won't force a renewal of nginx/Apache, so the services won't know that there was a fake cert installed, but the symbolic link will point to a fake cert anyway! certonly isn't going to change that.

Certbot doesn't have a command that will save certs to /archive/ without updating the symbolic link.

2 Likes
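The two replies above describe the layout that causes both confusions in this thread: archive/ holds the real files with an incrementing counter, live/ holds symlinks that certbot repoints on every renewal, and a --staging run that writes a new archive file moves those symlinks to a fake cert whether or not any service is reloaded. The script below is an added example written for this page; it is not certbot code and it contacts no ACME server. It builds a constructed copy of that layout in a temporary directory, inspects what live/<domain>/fullchain.pem actually resolves to (including the lstat vs stat size difference behind the "zero bytes" question), simulates one renewal the way certbot keeps live/ valid (new archive file, symlink swapped atomically), and shows that a web server configured against an archive/ path is left on the old file. The domain example.com, the counter-file naming and the fake chain contents are assumptions; the staging check is a heuristic that relies on every Let's Encrypt staging CA name containing the string "(STAGING)", which is not something the thread states.

```python
import base64
import os
import re
import tempfile

# Layout as described in the thread (on Windows the config dir is C:\Certbot,
# on Linux /etc/letsencrypt):
#   <config>/archive/<domain>/fullchainN.pem  real files, N grows per renewal
#   <config>/live/<domain>/fullchain.pem      symlink to the newest archive file
COUNTER_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")
DOMAIN = "example.com"  # placeholder domain for the constructed layout
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def latest_archive(config_dir, domain, kind="fullchain"):
    """Return (path, N) of the highest-numbered <kind>N.pem in archive/."""
    archive = os.path.join(config_dir, "archive", domain)
    best = None
    for name in os.listdir(archive):
        m = COUNTER_RE.match(name)
        if m and m.group(1) == kind:
            n = int(m.group(2))
            if best is None or n > best[1]:
                best = (os.path.join(archive, name), n)
    return best


def looks_like_staging(pem_path):
    """Heuristic (assumption, not from the thread): staging CA names contain
    "(STAGING)", so the bytes appear in the DER of a staging chain; production
    chains never contain it. Avoids needing an X.509 parser."""
    with open(pem_path) as f:
        pem = f.read()
    return any(b"(STAGING)" in base64.b64decode(b) for b in PEM_BLOCK.findall(pem))


def inspect_live(config_dir, domain, kind="fullchain"):
    """Describe what live/<domain>/<kind>.pem resolves to right now."""
    link = os.path.join(config_dir, "live", domain, kind + ".pem")
    target = os.path.realpath(link)
    m = COUNTER_RE.match(os.path.basename(target))
    latest = latest_archive(config_dir, domain, kind)
    return {
        "is_symlink": os.path.islink(link),
        # lstat() is what a symlink-unaware viewer reports (Explorer shows 0
        # bytes; Linux reports the target path length); stat() follows the
        # link and gives the size of the real certificate file.
        "link_size": os.lstat(link).st_size,
        "real_size": os.stat(link).st_size,
        "target_counter": int(m.group(2)) if m else None,
        "points_to_latest": latest is not None and os.path.samefile(target, latest[0]),
        "staging": looks_like_staging(link),
    }


def write_fake_fullchain(path, counter, staging):
    """Constructed stand-in for a chain file: NOT a real certificate, only a
    base64 body carrying the issuer string the heuristic looks for."""
    issuer = "(STAGING) Pretend Pear X1" if staging else "ISRG Root X1"
    der = f"constructed fake chain #{counter} issuer={issuer}".encode()
    with open(path, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n")
        f.write(base64.b64encode(der).decode() + "\n")
        f.write("-----END CERTIFICATE-----\n")


def renew(config_dir, domain, staging):
    """Mimic one renewal: add fullchain(N+1).pem, then repoint the live symlink
    atomically so a running web server never sees a missing file."""
    _, n = latest_archive(config_dir, domain)
    new_file = os.path.join(config_dir, "archive", domain, f"fullchain{n + 1}.pem")
    write_fake_fullchain(new_file, n + 1, staging)
    live_dir = os.path.join(config_dir, "live", domain)
    tmp = os.path.join(live_dir, "fullchain.pem.tmp")
    os.symlink(os.path.relpath(new_file, live_dir), tmp)
    os.replace(tmp, os.path.join(live_dir, "fullchain.pem"))
    return n + 1


def demo():
    """Build the constructed layout, renew once with a staging cert, and show
    why a hard-coded archive/ path goes stale while live/ follows along."""
    root = tempfile.mkdtemp(prefix="certbot-demo-")
    archive = os.path.join(root, "archive", DOMAIN)
    live_dir = os.path.join(root, "live", DOMAIN)
    os.makedirs(archive)
    os.makedirs(live_dir)
    first = os.path.join(archive, "fullchain1.pem")
    write_fake_fullchain(first, 1, staging=False)
    os.symlink(os.path.relpath(first, live_dir), os.path.join(live_dir, "fullchain.pem"))
    before = inspect_live(root, DOMAIN)
    renew(root, DOMAIN, staging=True)  # what a --staging run that saves certs does
    after = inspect_live(root, DOMAIN)
    return {
        "before": before,
        "after": after,
        # "first" is what a config that reads archive/ directly would still use
        "hardcoded_is_latest": os.path.samefile(first, latest_archive(root, DOMAIN)[0]),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running it prints the before/after view: the live symlink moves from fullchain1.pem to fullchain2.pem and now reports staging, while the hard-coded archive path is no longer the latest file. Point a real config directory at inspect_live() to confirm, before reloading a web server, whether live/ currently resolves to a staging chain.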