AAA: An ACME Agent for AWS 2016/01/22 @ HDE MTS #18 TANABE Ken-ichi

ACME Protocol and Let’s Encrypt Project

How ACME (Let’s Encrypt) works 1. Register your account 2. Present a possession of your domain 3. Request LE to issue a certificate 4. Download the certificate 5. Renew the certificate periodically within 90 days All things CAN be automated via RESTful API All things MUST be automated, or you will be stuck

Things we should resolve ● DNS integration ● Key store integration ● Automated renewal process integration ● ChatOps integration Answer: https://github.com/nabeken/aaa

AAA’s Goal (for fun): Fully utilize AWS ● Server-less architecture by AWS Lambda ● State-less architecture by AWS S3 ● Server-side-Encryption by AWS S3 SSE-KMS ● Server-less domain validation by AWS Route53 ● ChatOps integration by AWS API Gateway No server, No state, fully automated and Secure It’s super cool...

How AAA Works ● Core logic written in Go as CLI app ● CLI app does the tricks ● Lambda Function just wraps it ● Build as a single ZIP and ship it to 3 Lambda Functions

Let’s Encrypt opens the door… YESTERDAY!!!!

DEMO: If you see this, I failed to show you demo

One more thing…

AWS Certificate Management (ACM) released TODAY ● TODAY (OMG!!) ● Certificates issued by ACM are FREE ● Integrated with ELB and CloudFront (for now) ● Only available for us-east-1 for now

Quick comparision: Let’s Encrypt vs ACM Let’s Encrypt ACM Pricing FREE FREE Application No limitation ELB and CloudFront Type DV certificate DV certificate Period 3 months 13 months Wildcard certificate Not Available Available Multiple domains (SAN) Available Available Validation methods HTTP, DNS Email Certificate algorithm RSA 2048, 4096 bits ECDSA (P-256, …?) RSA 2048 bits