Free SSL certificates for test and development environments

If you have developed an application and are now facing a challenge of configuring your SSL in test environments, this article is just for you. Read on to learn how to:

  • provide your environments with LetsEncrypt certificates
  • automate their generation and renewal
  • elegantly circumvent the limitations of test and development environments.

Many an application developer faces a challenge when configuring SSL in test environments. Paid certificates unnecessarily increase the development cost. Wildcard certificates are often unavailable or the client/ the owner does not allow their use outside his production systems. Self-signed certificates, on the other hand, spoil impressions at test application presentations.

LetsEncrypt is a free of charge certification authority for creating and renewing free X.509 certificates. Offered since 2016, it has become widely popular and has been rolled out in many implementations, integrating it with popular WWW servers and applications terminating SSL.

LetsEncrypt certificates are very useful in development and staging environments. Due to their short life (90 days), they necessitate automation, which happens to be difficult due to a non-homogeneous environment often inaccessible from the Internet.

An impediment may also be posed by the applicable limits, which enable – at the time of writing – a maximum of 20 domain certificates to be generated per week.

In this article, we will take a look at the methods which can be applied to circumvent these limitations, ensure encrypted communication regardless of whether the environment is accessible from the Internet or not, and which application terminates SSL. We will also present a pseudocode for implementation and solutions which can be used to roll out your own solution.

Methods of authentication  (challenge types)

A standard method of validating certification requests is the http-01 ACME protocol, which uses verification by means of a temporary file with the name and content specified by the ACME server (e.g.  LetsEncrypt.org). This method is leveraged by most WWW server certification automation tools, certbot being the most popular of them.

This solution has two major drawbacks:

  • The implementation method depends on the WWW server used.
  • External facing applications may interfere with the web application used – if, for example, you have an automated redirection adding a www prefix to the address, you will have to switch it off for the time of certificate generation without a prefix.
  • The certified website must be available on the Internet, which is often unviable for purely development environments.

It is possible to carry out validation without initiating traffic to the WWW server. This is provided by the dns-01 ACME mechanism. The authentication is performed by means of TXT records in DNS, hence:

  • It can be used regardless of the WWW server used.
  • No interference with a web application is possible.
  • The certified website does not have to be open to the Internet, and what’s more – the certified domain does not have to exist at all, as long as you have control over the parent domain.

Illustrative architecture

The diagram below presents a communication model in certification performed by means of the dns-01 method:

Only the DNS server for the service of the desired domain and certification service are directly involved in the process.

Any service can serve as the DNS server as long as it enables the dynamic editing of records. It can, for example, be a DNS server serviced by API (Amazon Route53 or CloudFlare), and any server servicing RFC2136 protocol (Microsoft DNS, Bind 8, or Bind 9).

The certification service initiates communication with LetsEncrypt, carrying out validation by editing servers and – upon receipt of certificates – it installs them on web servers, as well as reloading them with a view to downloading data.

What is worth noting, however, is that certification service may work separately and service all the WWW servers, but it can also be installed in each WWW server as a separate process – as long as the policy of traffic in the private subnet allows outbound traffic.

Implementation

The pseudocode of certification service may be as follows:


domeny=pobierz_liste_domen()
challenge=zainicjuj_komunikacje_letsencrypt(domeny)
wprowadz_zmiany_w_dns(challenge)
while sprawdz_challenge(challenge):
  time.sleep(5)
zapisz_certyfikat_i_klucz()
przeladuj_serwer_www()
domeny=pobierz_liste_domen()
challenge=zainicjuj_komunikacje_letsencrypt(domeny)
wprowadz_zmiany_w_dns(challenge)
while sprawdz_challenge(challenge):
  time.sleep(5)
zapisz_certyfikat_i_klucz()
przeladuj_serwer_www()

If your server services RFC2136, you can use the nsupdate tool for updates:

$ nsupdate -d -k klucz
server dns.example.org
zone example.org.
update delete _acme-challenge.dev.projekt.example.org.
update add _acme-challenge.dev.projekt.example.org. 3600 TXT “LOREM IPSUM”
send

or rely on many available implementations, e.g. dns modules available in Python:


def doDNSUpdate(server, zone, record, value):
  keyRing, keyAlgo = getDNSKey(DNS_KEYFILE)
  update = dns.update.Update(zone, keyring=keyRing)
  if value is not None:
    update.replace(record, 5, "TXT", value)
  else:
    update.delete(record)
  dns.query.tcp(update, server)

If your DNS server does not service dynamic changes in DNS, you can always try to use their API – it may prove necessary in the case of AWS Route53, for example.

The implementation of the ACME protocol may prove time consuming and as such it is worth relying on ready-made solutions, e.g. acme-tiny.

To wrap up…

Implementing automated website certification is particularly useful in mixed development environments where many projects are developed in diverse technologies. The solutions, as proposed, can be applied regardless of whether the application is built on Java, Ruby on Rails or PHP. Quite importantly, they don’t require opening up development environments to the world.

Establishing a separate certificate generation service is also a way to overcome the capacity limitations of LetsEncrypt, provided you allow the use of one certificate with an SAN extension for multiple subdomains. This helps increase the maximum number of certificates by approx 100-fold.

A properly prepared certification service can be quickly put in the existing or new environment, ensuring an automatic supply of secure SSL certificates.

Our Experts
/ Knowledge Shared

02.12.2022

Top 10 Sales Development Trends / Furniture Industry

E-Commerce

For the furniture industry, the optimization of various sales channels both online and offline, is of critical importance. 2023 is a good time to put certain areas and processes in order, plan support activities, and develop e-commerce sales. To help you prepare for future growth, take advantage of upcoming opportunities and anticipate challenges, we...

E-Commerce Development in 2023 – Trends and Expert Tips
17.11.2022

E-Commerce Development in 2023 / Trends and Expert Tips

E-Commerce

Due to the anticipated crisis, 2023 will be a tough year, which will undoubtedly affect the operations of many companies. After the difficult two-year pandemic, which disorganized or even crushed many businesses around the world, we will probably face such challenges as rampant inflation, energy problems and disrupted supply chains. The economic and...

Inventory Management and Forecasting for supermarkets
10.11.2022

How to Better Forecast Demand in a Supermarket. Meet Inventory Optimization System.

Data Analytics & Machine Learning

Modern inventory optimization system automatically and accurately predicts supermarket demand. Find out...

Expert Knowledge
For Your Business

As you can see, we've gained a lot of knowledge over the years - and we love to share! Let's talk about how we can help you.

Contact us

<dialogue.opened>