Upgrade to Pro — share decks privately, control downloads, hide ads and more …

入門Let's Encrypt

Hirokazu Sugiuchi
January 15, 2016
2
2.3k

入門Let's Encrypt

2016/01/15に社内勉強会で使用した資料です。内容の補足記事はこちら http://tech.feedforce.jp/study-letsencrypt.html

Hirokazu Sugiuchi

January 15, 2016
Tweet

More Decks by Hirokazu Sugiuchi

See All by Hirokazu Sugiuchi
FFLT_12.pdf
critical_alert
0
70
AWS認定 ソリューションアーキテクトアソシエイトを受けてきた話
critical_alert
1
360
Hue で始める おうちハック入門
critical_alert
1
2.1k
Blue/Green deploymentへの道のり
critical_alert
1
120
Mackerelでサーバ監視はじめた話
critical_alert
0
1.7k

Featured

See All Featured
Testing 201, or: Great Expectations
jmmastey
40
7.1k
Embracing the Ebb and Flow
colly
84
4.5k
Into the Great Unknown - MozCon
thekraken
33
1.5k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
170
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Writing Fast Ruby
sferik
628
61k
Being A Developer After 40
akosma
87
590k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Thoughts on Productivity
jonyablonski
67
4.4k
Building Your Own Lightsaber
phodgson
103
6.1k

Transcript

  1. ೖ໳Let's Encrypt 2016/01/15 feedforce Inc. / ਿ಺޿࿨

  2. ࣗݾ঺հ

  3. @critical-alert @critical_alert • ϑΟʔυϑΥʔεͰ͸ΠϯϑϥΤϯδχΞͱ͠ ͯಇ͍͍ͯ·͢ • ͸͡ΊͯLinuxʹ৮Εͯ8೥͘Β͍Ͱ͢ • SNSͷID͕΍΍͍͜͠Ͱ͢

  4. Let's Encryptͱࢲ

  5. Let’s Encryptͱ͸ͳΜͰ͔͢

  6. SSL/TLSαʔόূ໌ॻΛແྉ Ͱൃߦͯ͘͠ΕΔCA(ೝূہ)

  7. SSL

  8. None

  9. SSL͋Δ͋Δ • झຯͰwebαʔϏε࡞͚ͬͨͲϩάΠϯػೳ ͚͔ͭͨΒSSLʹ͍ͨ͠ • Ͱ΋ূ໌ॻߴ͍ɻɻɻ • ͕͢͞ʹΦϨΦϨূ໌ॻ͸ແ͍Θʔ • ͱ͍͏͔ͦ΋ͦ΋औΓํΑ͘Θ͔ΒΜɻɻ

  10. Let’s Encryptͱ͸ͳΜͰ͔͢ • SSLূ໌ॻΛແྉͰൃߦ͢Δͱͱ΋ʹɺূ໌ॻ ͷൃߦɺΠϯετʔϧɺߋ৽ΛࣗಈԽ͠ HTTPSͷීٴΛ໨తͱ͍ͯ͠Δ • ΞϝϦΧ߹ऺࠃେखೝূہʢCAʣͰ͋Δ IdenTrust ࣾͷϧʔτূ໌ॻ͔ΒνΣʔϯͰ͖

    ΔΫϩεϧʔτূ໌ॻ

  11. Let’s Encryptͱ͸ͳΜͰ͔͢ • ISRGʢInternet Security Research Groupʣɹ ͱ͍͏ඇӦརஂମ͕ӡӦ͍ͯ͠Δ • γείɺAkamaiɺMozillaͳͲ͕εϙϯαʔͰ

    ࢧԉ͍ͯ͠Δ

  12. ൃߦɺΠϯετʔϧɺߋ৽Λ ࣗಈԽ͠

  13. ࣗಈԽ͠

  14. ࣗಈԽ!!!!!!

  15. Let’s Encryptͷূ໌ॻ • DV(Domain Validation): υϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ • OV(Organization Validation): ૊৫ͷ࣮ࡏͷ֬ೝΛͯ͠ൃߦ

    • EV(Extended Validation): OVΑΓݫີͳ࣮ࡏ֬ೝΛͯ͠ൃߦ • Let's Encrypt͸͜ͷ͏ͪυϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ͢Δ
 DV SSLΛൃߦ͢Δ

  16. Let’s Encryptͷূ໌ॻ • DV(Domain Validation): υϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ • OV(Organization Validation): ૊৫ͷ࣮ࡏͷ֬ೝΛͯ͠ൃߦ

    • EV(Extended Validation): OVΑΓݫີͳ࣮ࡏ֬ೝΛͯ͠ൃߦ • Let's Encrypt͸͜ͷ͏ͪυϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ͢Δ
 DV SSLΛൃߦ͢Δ

  17. ͖ͬࣗ͞ಈԽͬͯݴ͚ͬͨͲ ͳΜͰخ͍͠ͷ͔

  18. طଘͷূ໌ॻͷൃߦ/ߋ৽ʹ͸ ࣗಈԽͮ͠Β͍ཧ༝͕͋Δ

  19. ཧ༝ • ূ໌ॻ͸༗ྉͳͷͰࢧ෷͍ϓϩηε͕ඞཁ • ূ໌ॻ͸ൃߦػؔ(CA)͝ͱʹਃ੥ϓϩηε͕ҧ͏ • ূ໌ॻ͸खಈͰൃߦ͢Δ(ঝೝํ๏͕ϝʔϧͰདྷ Δ) • ূ໌ॻ͸αʔόʹઃఆͯ͠࠶ىಈ͕ඞཁ

  20. εςοϓʹ͢Δͱ͜Μͳײ͡ • 1 ൿີ伴Λ࡞੒ • 2 ൿີ伴ΛݩʹɺCSRʢূ໌ॻΛൃߦ͢ΔͨΊͷॺ໊ཁٻʣΛੜ੒ • 3 ೝূہͷαΠτʹϩάΠϯͯ͠CSRΛϑΥʔϜ͔Βૹ৴

    • 4 ূ໌ॻͷྉۚΛࢧ෷͏(ΫϨδοτΧʔυorۜߦৼࠐ) • 5 ೝূہ͔ΒυϝΠϯॴ༗ऀ΁֬ೝϝʔϧ͕ಧ͘ͷͰঝೝ͢Δ • 6 ೝূہ͔Βূ໌ॻ͕ϝʔϧͳͲͰಧ͘ • 7 ূ໌ॻΛαʔόʹઃఆ
  21. None

  22. ख࡞ۀʹΑΔ෦෼͕ଟࣗ͘ಈ Խ΍ɺφ΢͍σϓϩΠϑϩʔ ʹऔΓࠐΈͮΒ͍

  23. DVূ໌ॻͷൃߦʹඞཁͳ͜ͱ ͸͜Ε͚ͩ

  24. ʮূ໌ॻΛൃߦ͍ͨ͠υϝΠϯ ͷॴ࣋ऀ͔Ͳ͏͔ʯ

  25. ຊਓ֬ೝ • औಘ͠Α͏ͱ͍ͯ͠ΔυϝΠϯͷॴ࣋ऀ͔Ͳ ͏͔ΛνΣοΫͰ͖Ε͹ྑ͍ • υϝΠϯॴ࣋ऀ͔͠Ͱ͖ͳ͍Α͏ͳΞΫγϣ ϯΛཁٻ͞ΕΔ

  26. ຊਓͰ͔͢ʁ • ॴ͍࣋ͯ͠ΔυϝΠϯʹHTTPܦ༝Ͱಛఆͷ৔ॴʹϑΝΠϧΛઃ ஔ͠Let’s Encrypt͔ΒΞΫηεͤ͞Δ • (ଞʹ΋ೝূํ๏͕͋Δ͚Ͳࠓճ͸औΓѻΘͳ͍) • GoogleAppsͱ͔ͰɺಛఆͷHTMLΛొ࿥͍ͨ͠υϝΠϯͷweb αʔόʹΞοϓϩʔυͯ֬͠ೝ͢ΔతͳΞϨͱಉ͡

    • ͦΕΛletsencryptΫϥΠΞϯτ͕CUIϕʔεͰࣗಈԽͯ͘͠ΕΔ

  27. ਤʹ͢Δͱ Ҿ༻ݩɿhttps://http2.try-and-test.net/letsencrypt.html

  28. Ҿ༻ݩΑΓ • ᶃ·ͣ͸ɺൿີ伴ͱCSRΛੜ੒͠ɺൿີ伴͸ϩʔΧϧϑΝΠϧʹอଘ͠·͢ɻ • ͜Ε͸ɺΤʔδΣϯτʢΫϥΠΞϯτιϑτ)͕ੜ੒ͯ͠΋͍͍Ͱ͢͠ɺผ్OpenSSLͰ४උͯ͠΋͍Ͱ ͢ɻ • ᶄΤʔδΣϯτ(ΫϥΠΞϯτιϑτ)͸ɺLet'sEncryptͷACMEαʔόʹ઀ଓ͠CSRΛૹΓ·͢ɻ • ᶅACMEαʔό͸ɺnonceͱݺ͹ΕΔೝূ༻ͷ৘ใΛΤʔδΣϯτιϑτʹฦ͠·͢ɻ

    • ᶆΤʔδΣϯτ͸ɺnonce͔Βɺೝূ༻ͷϑΝΠϧΛੜ੒͠ɺhtdocs഑ԼͷಛఆͷσΟϨΫτʹ഑ஔ͠·͢ɻ • ᶇ४උ͕੔ͬͨͱ͜ΖͰɺΤʔδΣϯτ͸ɺACMEαʔόʹʹೝূνϟϨϯδΛཁٻ͠·͢ɻ • ᶈACMEαʔό͸ɺࢦఆͷυϝΠϯʹೝূ༻ͷϑΝΠϧ͕ઃஔ͞Ε͍ͯΔ͔ɺWebαʔό(HTTPD)ʹ֬ೝ͠ʹ ͍͖·͢ɻ • ᶉACMEαʔό͕ɺظ଴ͨ͠௨Γͷೝূ༻ϑΝΠϧΛμ΢ϯϩʔυͰ͖Ε͹ɺαʔόূ໌ॻΛൃߦ͠ɺᶊͰ ΤʔδΣϯτʹૹ෇͠·͢ɻ

  29. ACMEϓϩτίϧ

  30. ACME • ACMEͱ͸
 Automated
 Certificate
 Management
 Environment
 ͷུ • ͖ͬ͞ͷೝূํ๏͕ϓϩτίϧԽ͞Ε͍ͯΔ

  31. letsencryptΫϥΠΞϯτ • ACMEϓϩτίϧʹैͬͯূ໌ॻΛൃߦɺΠ ϯετʔϧɺߋ৽Λߦ͏ΫϥΠΞϯτ͕ެ։ ͞Ε͍ͯΔ • https://github.com/letsencrypt/letsencrypt

  32. ࢖ͬͯΈΔ

  33. ࢖ͬͯΈΔ $ git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt $ ./letsencrypt-auto

  34. letsencrypt-auto • letsencrypt-auto ͱ͍͏εΫϦϓτ͕༻ҙ͞Ε ͍ͯͯɺॳճ͸ΫϥΠΞϯτΛ࣮ߦ͢ΔͨΊ ͷϥΠϒϥϦͳͲΛΠϯετʔϧ͢Δ • OSΛࣗಈ൑ఆͯ͠pythonͷΠϯετʔϧ΍ gccɺopensslͷΠϯετʔϧͳͲΛ͍ͯ͠ Δɻpython͸virtualenvͰΠϯετʔϧ͞ΕΔ

  35. ূ໌ॻऔಘίϚϯυ ./letsencrypt-auto certonly -t \ -d letsen.critical-alert.net \ --webroot —-webroot-path=/var/www/html/

    \ --rsa-key-size 2048

  36. Φϓγϣϯ͕௕͍ • certonly • ূ໌ॻͷऔಘͷΈΛߦ͏ • -d • ূ໌ॻΛऔಘ͢ΔυϝΠϯΛࢦఆ͢Δ

  37. Φϓγϣϯ͕௕͍2 • --webroot • ApacheͳͲwebαʔόͷυΩϡϝϯτϧʔ τʹೝূ༻ͷϑΝΠϧΛੜ੒͢Δ • --webroot-path • υΩϡϝϯτϧʔτͷύεΛࢦఆ͢Δ

  38. letsencrypt-auto • ͪΌΜͱऔಘͰ͖͍ͯΕ͹Լهʹ഑ஔ͞Ε·͢ • /etc/letsencrypt/live/{domain}/ • cert.pem -> ূ໌ॻ •

    chain.pem -> தؒূ໌ॻ • fullchain.pem -> ূ໌ॻͱதؒূ໌ॻΛͭͳ͛ͨ΋ͷ • privkey.pem -> ൿີ伴

  39. ͋ͱ͸ؾ߹ͱσϞͰ͕Μ͹Δ (࣌ؒʹ༨༟͕͋Ε͹)

  40. ߋ৽͸ʁ • جຊతʹऔಘ࣌ͱಉ͡ίϚϯυΛ࣮ߦ͢Ε͹ ߋ৽ • --renew-by-default • ͜ͷΦϓγϣϯΛ͚ͭΔͱ্ॻ͖͢Δ͔ฉ ͔Εͳ͍ͷͰ͚ͭΔ

  41. ߋ৽͸ʁ • --renew-by-defaultΛ͚ͭͯcronʹ࢓ࠐΉ • ౰વɺߋ৽͞ΕͨλΠϛϯάͰwebαʔόΛreloadͯ͠ূ໌ ॻಡΈ௚͞ͳ͍ͱ͍͚ͳ͍ͷͰ && systemctl reload httpd

    ͷΑ͏ʹ͢Δ • ূ໌ॻͷ༗ޮظؒ͸90೔ʹͳ͍ͬͯΔͷͰ(ηΩϡϦςΟత ͳҙຯ߹͍΍ɺࣗಈߋ৽͕લఏͷͨΊ)1ϲ݄ʹ1ճcronͰ࣮ ߦ͢ΔΑ͏ʹ͢Ε͹OK

  42. ·ͱΊ • ϕʔλͳ͕Β΋΄ͱΜͲͷϞμϯͳ؀ڥͰ༗ޮͳূ໌ॻ͕ແྉͰऔಘͰ͖Δ • ։ൃதͷΞϓϦέʔγϣϯ΍ɺݸਓͰ࡞੒ͨ͠ΞϓϦέʔγϣϯͷSSLԽʹ ༗ޮ • CUIͰ׬݁͢Δͷ͸ྑ͍ͱࢥ͏ • ELBͱ͔ͷ؀ڥͰ࢖͏ʹ͸…ʁ

    • ׬શͳΔࣗಈԽʹ͸·͔͔ͩΓͦ͏ • ߋ৽͸cronͩͬͨΓͶ

  43. ࢀߟϦϯΫ • Let's Encrypt ૯߹ϙʔλϧ • https://letsencrypt.jp/ • Apache 2.4ܥͰHTTP/2αʔόΛߏஙͯ͠ΈΔςετɻ

    • https://http2.try-and-test.net/letsencrypt.html • GoݴޠͰLet's EncryptͷACMEΛཧղ͢Δ • http://deeeet.com/writing/2015/12/01/go-letsencrypt-acme/