Free SSL certificates for test and development environments

If you have developed an application and are now facing a challenge of configuring your SSL in test environments, this article is just for you. Read on to learn how to:

  • provide your environments with LetsEncrypt certificates
  • automate their generation and renewal
  • elegantly circumvent the limitations of test and development environments.

Many an application developer faces a challenge when configuring SSL in test environments. Paid certificates unnecessarily increase the development cost. Wildcard certificates are often unavailable or the client/ the owner does not allow their use outside his production systems. Self-signed certificates, on the other hand, spoil impressions at test application presentations.

LetsEncrypt is a free of charge certification authority for creating and renewing free X.509 certificates. Offered since 2016, it has become widely popular and has been rolled out in many implementations, integrating it with popular WWW servers and applications terminating SSL.

LetsEncrypt certificates are very useful in development and staging environments. Due to their short life (90 days), they necessitate automation, which happens to be difficult due to a non-homogeneous environment often inaccessible from the Internet.

An impediment may also be posed by the applicable limits, which enable – at the time of writing – a maximum of 20 domain certificates to be generated per week.

In this article, we will take a look at the methods which can be applied to circumvent these limitations, ensure encrypted communication regardless of whether the environment is accessible from the Internet or not, and which application terminates SSL. We will also present a pseudocode for implementation and solutions which can be used to roll out your own solution.

Methods of authentication  (challenge types)

A standard method of validating certification requests is the http-01 ACME protocol, which uses verification by means of a temporary file with the name and content specified by the ACME server (e.g.  LetsEncrypt.org). This method is leveraged by most WWW server certification automation tools, certbot being the most popular of them.

This solution has two major drawbacks:

  • The implementation method depends on the WWW server used.
  • External facing applications may interfere with the web application used – if, for example, you have an automated redirection adding a www prefix to the address, you will have to switch it off for the time of certificate generation without a prefix.
  • The certified website must be available on the Internet, which is often unviable for purely development environments.

It is possible to carry out validation without initiating traffic to the WWW server. This is provided by the dns-01 ACME mechanism. The authentication is performed by means of TXT records in DNS, hence:

  • It can be used regardless of the WWW server used.
  • No interference with a web application is possible.
  • The certified website does not have to be open to the Internet, and what’s more – the certified domain does not have to exist at all, as long as you have control over the parent domain.

Illustrative architecture

The diagram below presents a communication model in certification performed by means of the dns-01 method:

Only the DNS server for the service of the desired domain and certification service are directly involved in the process.

Any service can serve as the DNS server as long as it enables the dynamic editing of records. It can, for example, be a DNS server serviced by API (Amazon Route53 or CloudFlare), and any server servicing RFC2136 protocol (Microsoft DNS, Bind 8, or Bind 9).

The certification service initiates communication with LetsEncrypt, carrying out validation by editing servers and – upon receipt of certificates – it installs them on web servers, as well as reloading them with a view to downloading data.

What is worth noting, however, is that certification service may work separately and service all the WWW servers, but it can also be installed in each WWW server as a separate process – as long as the policy of traffic in the private subnet allows outbound traffic.

Implementation

The pseudocode of certification service may be as follows:


domeny=pobierz_liste_domen()
challenge=zainicjuj_komunikacje_letsencrypt(domeny)
wprowadz_zmiany_w_dns(challenge)
while sprawdz_challenge(challenge):
  time.sleep(5)
zapisz_certyfikat_i_klucz()
przeladuj_serwer_www()
domeny=pobierz_liste_domen()
challenge=zainicjuj_komunikacje_letsencrypt(domeny)
wprowadz_zmiany_w_dns(challenge)
while sprawdz_challenge(challenge):
  time.sleep(5)
zapisz_certyfikat_i_klucz()
przeladuj_serwer_www()

If your server services RFC2136, you can use the nsupdate tool for updates:

$ nsupdate -d -k klucz
server dns.example.org
zone example.org.
update delete _acme-challenge.dev.projekt.example.org.
update add _acme-challenge.dev.projekt.example.org. 3600 TXT “LOREM IPSUM”
send

or rely on many available implementations, e.g. dns modules available in Python:


def doDNSUpdate(server, zone, record, value):
  keyRing, keyAlgo = getDNSKey(DNS_KEYFILE)
  update = dns.update.Update(zone, keyring=keyRing)
  if value is not None:
    update.replace(record, 5, "TXT", value)
  else:
    update.delete(record)
  dns.query.tcp(update, server)

If your DNS server does not service dynamic changes in DNS, you can always try to use their API – it may prove necessary in the case of AWS Route53, for example.

The implementation of the ACME protocol may prove time consuming and as such it is worth relying on ready-made solutions, e.g. acme-tiny.

To wrap up…

Implementing automated website certification is particularly useful in mixed development environments where many projects are developed in diverse technologies. The solutions, as proposed, can be applied regardless of whether the application is built on Java, Ruby on Rails or PHP. Quite importantly, they don’t require opening up development environments to the world.

Establishing a separate certificate generation service is also a way to overcome the capacity limitations of LetsEncrypt, provided you allow the use of one certificate with an SAN extension for multiple subdomains. This helps increase the maximum number of certificates by approx 100-fold.

A properly prepared certification service can be quickly put in the existing or new environment, ensuring an automatic supply of secure SSL certificates.

Our Experts
/ Knowledge Shared

16.02.2021

Why Should You Develop Mobile Applications with AWS?

Mobile Solutions

Today’s mobile apps have a lot of requirements, increasingly in the areas of performance, scalability and, of course, cost-efficiency. In these areas, we need a sophisticated infrastructure to support the app.   After all, the frontend of the app is already based on the user’s hardware, but the backend is where we have the most control....

02.02.2021

The 7 Deadly Signs of Digital Debt

Industries

Previously, we spoke about the rising awareness of Digital Debt thanks to recent events. This time, we want to help point out the most common signs of Digital Debt in your own company or operations.  After all, there’s a good chance the issues that produce such debt have gradually become part of day-to-day business. So much so, in fact,...

26.01.2021

Digital Debt / The Business Killer That’s Spreading

Industries

Some businesses were happy with being offline… until they were not. Recent events have pushed the issue of digital debt into the cold light of day.  The hard truth is simple: companies and other entities have suddenly found themselves in a reality where offline operations are no longer the backbone to rely on. This shift was significantly...

Expert Knowledge
For Your Business

As you can see, we've gained a lot of knowledge over the years - and we love to share! Let's talk about how we can help you.

Contact us

<dialogue.opened>