Free SSL certificates for test and development environments

If you have developed an application and are now facing a challenge of configuring your SSL in test environments, this article is just for you. Read on to learn how to:

  • provide your environments with LetsEncrypt certificates
  • automate their generation and renewal
  • elegantly circumvent the limitations of test and development environments.

Many an application developer faces a challenge when configuring SSL in test environments. Paid certificates unnecessarily increase the development cost. Wildcard certificates are often unavailable or the client/ the owner does not allow their use outside his production systems. Self-signed certificates, on the other hand, spoil impressions at test application presentations.

LetsEncrypt is a free of charge certification authority for creating and renewing free X.509 certificates. Offered since 2016, it has become widely popular and has been rolled out in many implementations, integrating it with popular WWW servers and applications terminating SSL.

LetsEncrypt certificates are very useful in development and staging environments. Due to their short life (90 days), they necessitate automation, which happens to be difficult due to a non-homogeneous environment often inaccessible from the Internet.

An impediment may also be posed by the applicable limits, which enable – at the time of writing – a maximum of 20 domain certificates to be generated per week.

In this article, we will take a look at the methods which can be applied to circumvent these limitations, ensure encrypted communication regardless of whether the environment is accessible from the Internet or not, and which application terminates SSL. We will also present a pseudocode for implementation and solutions which can be used to roll out your own solution.

Methods of authentication  (challenge types)

A standard method of validating certification requests is the http-01 ACME protocol, which uses verification by means of a temporary file with the name and content specified by the ACME server (e.g. This method is leveraged by most WWW server certification automation tools, certbot being the most popular of them.

This solution has two major drawbacks:

  • The implementation method depends on the WWW server used.
  • External facing applications may interfere with the web application used – if, for example, you have an automated redirection adding a www prefix to the address, you will have to switch it off for the time of certificate generation without a prefix.
  • The certified website must be available on the Internet, which is often unviable for purely development environments.

It is possible to carry out validation without initiating traffic to the WWW server. This is provided by the dns-01 ACME mechanism. The authentication is performed by means of TXT records in DNS, hence:

  • It can be used regardless of the WWW server used.
  • No interference with a web application is possible.
  • The certified website does not have to be open to the Internet, and what’s more – the certified domain does not have to exist at all, as long as you have control over the parent domain.

Illustrative architecture

The diagram below presents a communication model in certification performed by means of the dns-01 method:

Only the DNS server for the service of the desired domain and certification service are directly involved in the process.

Any service can serve as the DNS server as long as it enables the dynamic editing of records. It can, for example, be a DNS server serviced by API (Amazon Route53 or CloudFlare), and any server servicing RFC2136 protocol (Microsoft DNS, Bind 8, or Bind 9).

The certification service initiates communication with LetsEncrypt, carrying out validation by editing servers and – upon receipt of certificates – it installs them on web servers, as well as reloading them with a view to downloading data.

What is worth noting, however, is that certification service may work separately and service all the WWW servers, but it can also be installed in each WWW server as a separate process – as long as the policy of traffic in the private subnet allows outbound traffic.


The pseudocode of certification service may be as follows:

while sprawdz_challenge(challenge):
while sprawdz_challenge(challenge):

If your server services RFC2136, you can use the nsupdate tool for updates:

$ nsupdate -d -k klucz
update delete
update add 3600 TXT “LOREM IPSUM”

or rely on many available implementations, e.g. dns modules available in Python:

def doDNSUpdate(server, zone, record, value):
  keyRing, keyAlgo = getDNSKey(DNS_KEYFILE)
  update = dns.update.Update(zone, keyring=keyRing)
  if value is not None:
    update.replace(record, 5, "TXT", value)
  dns.query.tcp(update, server)

If your DNS server does not service dynamic changes in DNS, you can always try to use their API – it may prove necessary in the case of AWS Route53, for example.

The implementation of the ACME protocol may prove time consuming and as such it is worth relying on ready-made solutions, e.g. acme-tiny.

To wrap up…

Implementing automated website certification is particularly useful in mixed development environments where many projects are developed in diverse technologies. The solutions, as proposed, can be applied regardless of whether the application is built on Java, Ruby on Rails or PHP. Quite importantly, they don’t require opening up development environments to the world.

Establishing a separate certificate generation service is also a way to overcome the capacity limitations of LetsEncrypt, provided you allow the use of one certificate with an SAN extension for multiple subdomains. This helps increase the maximum number of certificates by approx 100-fold.

A properly prepared certification service can be quickly put in the existing or new environment, ensuring an automatic supply of secure SSL certificates.

Our Experts
/ Knowledge Shared


Composable Architecture Use Case / Healthcare B2B Marketplace


Composable architecture is often the “go to” suggestion for many businesses but… why is that? Instead of talking about the vague benefits of ‘composability’, let’s talk real world value. Specifically, this composability means that we can implement entirely new channels, using existing infrastructure and/or core necessities, while maintaining...


How Do Chatbots Work? 

Artificial Intelligence

For many businesses worldwide, chatbots represent some of most strategic benefits of Artificial Intelligence (AI).  Whether you want to use them for lead generation, customer support or even acting as a virtual personal assistant, chatbots have a lot to offer. They can become the face of your company, acting as a polylingual, 24/7 customer service...


Mastering B2B Pricing Strategies / A Comprehensive Guide for Blending Online and Offline Channels


In the highly competitive realm of B2B commerce, the significance of pricing strategies transcends mere numbers—it shapes profitability, defines market positioning, and determines the overall success of businesses. With the advent of digital channels, these strategies have become even more complex yet crucial, as companies must navigate both online and...

Expert Knowledge
For Your Business

As you can see, we've gained a lot of knowledge over the years - and we love to share! Let's talk about how we can help you.

Contact us