Free SSL certificates for test and development environments

If you have developed an application and are now facing a challenge of configuring your SSL in test environments, this article is just for you. Read on to learn how to:

  • provide your environments with LetsEncrypt certificates
  • automate their generation and renewal
  • elegantly circumvent the limitations of test and development environments.

Many an application developer faces a challenge when configuring SSL in test environments. Paid certificates unnecessarily increase the development cost. Wildcard certificates are often unavailable or the client/ the owner does not allow their use outside his production systems. Self-signed certificates, on the other hand, spoil impressions at test application presentations.

LetsEncrypt is a free of charge certification authority for creating and renewing free X.509 certificates. Offered since 2016, it has become widely popular and has been rolled out in many implementations, integrating it with popular WWW servers and applications terminating SSL.

LetsEncrypt certificates are very useful in development and staging environments. Due to their short life (90 days), they necessitate automation, which happens to be difficult due to a non-homogeneous environment often inaccessible from the Internet.

An impediment may also be posed by the applicable limits, which enable – at the time of writing – a maximum of 20 domain certificates to be generated per week.

In this article, we will take a look at the methods which can be applied to circumvent these limitations, ensure encrypted communication regardless of whether the environment is accessible from the Internet or not, and which application terminates SSL. We will also present a pseudocode for implementation and solutions which can be used to roll out your own solution.

Methods of authentication  (challenge types)

A standard method of validating certification requests is the http-01 ACME protocol, which uses verification by means of a temporary file with the name and content specified by the ACME server (e.g.  LetsEncrypt.org). This method is leveraged by most WWW server certification automation tools, certbot being the most popular of them.

This solution has two major drawbacks:

  • The implementation method depends on the WWW server used.
  • External facing applications may interfere with the web application used – if, for example, you have an automated redirection adding a www prefix to the address, you will have to switch it off for the time of certificate generation without a prefix.
  • The certified website must be available on the Internet, which is often unviable for purely development environments.

It is possible to carry out validation without initiating traffic to the WWW server. This is provided by the dns-01 ACME mechanism. The authentication is performed by means of TXT records in DNS, hence:

  • It can be used regardless of the WWW server used.
  • No interference with a web application is possible.
  • The certified website does not have to be open to the Internet, and what’s more – the certified domain does not have to exist at all, as long as you have control over the parent domain.

Illustrative architecture

The diagram below presents a communication model in certification performed by means of the dns-01 method:

Only the DNS server for the service of the desired domain and certification service are directly involved in the process.

Any service can serve as the DNS server as long as it enables the dynamic editing of records. It can, for example, be a DNS server serviced by API (Amazon Route53 or CloudFlare), and any server servicing RFC2136 protocol (Microsoft DNS, Bind 8, or Bind 9).

The certification service initiates communication with LetsEncrypt, carrying out validation by editing servers and – upon receipt of certificates – it installs them on web servers, as well as reloading them with a view to downloading data.

What is worth noting, however, is that certification service may work separately and service all the WWW servers, but it can also be installed in each WWW server as a separate process – as long as the policy of traffic in the private subnet allows outbound traffic.

Implementation

The pseudocode of certification service may be as follows:


domeny=pobierz_liste_domen()
challenge=zainicjuj_komunikacje_letsencrypt(domeny)
wprowadz_zmiany_w_dns(challenge)
while sprawdz_challenge(challenge):
  time.sleep(5)
zapisz_certyfikat_i_klucz()
przeladuj_serwer_www()
domeny=pobierz_liste_domen()
challenge=zainicjuj_komunikacje_letsencrypt(domeny)
wprowadz_zmiany_w_dns(challenge)
while sprawdz_challenge(challenge):
  time.sleep(5)
zapisz_certyfikat_i_klucz()
przeladuj_serwer_www()

If your server services RFC2136, you can use the nsupdate tool for updates:

$ nsupdate -d -k klucz
server dns.example.org
zone example.org.
update delete _acme-challenge.dev.projekt.example.org.
update add _acme-challenge.dev.projekt.example.org. 3600 TXT “LOREM IPSUM”
send

or rely on many available implementations, e.g. dns modules available in Python:


def doDNSUpdate(server, zone, record, value):
  keyRing, keyAlgo = getDNSKey(DNS_KEYFILE)
  update = dns.update.Update(zone, keyring=keyRing)
  if value is not None:
    update.replace(record, 5, "TXT", value)
  else:
    update.delete(record)
  dns.query.tcp(update, server)

If your DNS server does not service dynamic changes in DNS, you can always try to use their API – it may prove necessary in the case of AWS Route53, for example.

The implementation of the ACME protocol may prove time consuming and as such it is worth relying on ready-made solutions, e.g. acme-tiny.

To wrap up…

Implementing automated website certification is particularly useful in mixed development environments where many projects are developed in diverse technologies. The solutions, as proposed, can be applied regardless of whether the application is built on Java, Ruby on Rails or PHP. Quite importantly, they don’t require opening up development environments to the world.

Establishing a separate certificate generation service is also a way to overcome the capacity limitations of LetsEncrypt, provided you allow the use of one certificate with an SAN extension for multiple subdomains. This helps increase the maximum number of certificates by approx 100-fold.

A properly prepared certification service can be quickly put in the existing or new environment, ensuring an automatic supply of secure SSL certificates.

Our Experts
/ Knowledge Shared

14.09.2021

QlikSense vs Power BI / A Not So Unbiased BI Software Comparison

Power BI

The Business Intelligence market is vast – there are many options and it’s estimated that no one solution owns more than 20% of the market. In other words, there’s no clear winner – but are there losers? Well, as the title suggests, we want to use this space to talk about QlikSense vs Power BI (the former being the...

07.09.2021

Digital Accessibility & Usability / Adapting to the Customer

E-Commerce

In our previous post, we discussed the challenges of making websites more accessible for people with vision impairments and (spoiler) how to solve them. This time, we want to expand on the concept of usability as a whole, to show how businesses can better make their products and services accessible for all. This time, we want to talk about:...

31.08.2021

Digital Accessibility & Usability / A Visual Overhaul

E-Commerce

Nearly every industry these days has an online element – in some cases, it’s the predominant channel. And that’s great – if you don’t have any accessibility requirements.  But as more and more of the world moves online, we need to consider the wider needs that different people may...

Expert Knowledge
For Your Business

As you can see, we've gained a lot of knowledge over the years - and we love to share! Let's talk about how we can help you.

Contact us

<dialogue.opened>