Upgrade to Pro — share decks privately, control downloads, hide ads and more …

入門Let's Encrypt

Avatar for Hirokazu Sugiuchi Hirokazu Sugiuchi
January 15, 2016
2
2.4k

入門Let's Encrypt

2016/01/15に社内勉強会で使用した資料です。内容の補足記事はこちら http://tech.feedforce.jp/study-letsencrypt.html

Avatar for Hirokazu Sugiuchi

Hirokazu Sugiuchi

January 15, 2016
Tweet

More Decks by Hirokazu Sugiuchi

See All by Hirokazu Sugiuchi
FFLT_12.pdf
Avatar for Hirokazu Sugiuchi critical_alert
0
74
AWS認定 ソリューションアーキテクトアソシエイトを受けてきた話
Avatar for Hirokazu Sugiuchi critical_alert
1
400
Hue で始める おうちハック入門
Avatar for Hirokazu Sugiuchi critical_alert
1
2.2k
Blue/Green deploymentへの道のり
Avatar for Hirokazu Sugiuchi critical_alert
1
130
Mackerelでサーバ監視はじめた話
Avatar for Hirokazu Sugiuchi critical_alert
0
1.7k

Featured

See All Featured
Scaling GitHub
Avatar for Zach Holman holman
463
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.6k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.6k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
57
5.9k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2.1k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
7.9k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.6k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.6k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
23k

Transcript

  1. ೖ໳Let's Encrypt 2016/01/15 feedforce Inc. / ਿ಺޿࿨

  2. ࣗݾ঺հ

  3. @critical-alert @critical_alert • ϑΟʔυϑΥʔεͰ͸ΠϯϑϥΤϯδχΞͱ͠ ͯಇ͍͍ͯ·͢ • ͸͡ΊͯLinuxʹ৮Εͯ8೥͘Β͍Ͱ͢ • SNSͷID͕΍΍͍͜͠Ͱ͢

  4. Let's Encryptͱࢲ

  5. Let’s Encryptͱ͸ͳΜͰ͔͢

  6. SSL/TLSαʔόূ໌ॻΛແྉ Ͱൃߦͯ͘͠ΕΔCA(ೝূہ)

  7. SSL

  8. None

  9. SSL͋Δ͋Δ • झຯͰwebαʔϏε࡞͚ͬͨͲϩάΠϯػೳ ͚͔ͭͨΒSSLʹ͍ͨ͠ • Ͱ΋ূ໌ॻߴ͍ɻɻɻ • ͕͢͞ʹΦϨΦϨূ໌ॻ͸ແ͍Θʔ • ͱ͍͏͔ͦ΋ͦ΋औΓํΑ͘Θ͔ΒΜɻɻ

  10. Let’s Encryptͱ͸ͳΜͰ͔͢ • SSLূ໌ॻΛແྉͰൃߦ͢Δͱͱ΋ʹɺূ໌ॻ ͷൃߦɺΠϯετʔϧɺߋ৽ΛࣗಈԽ͠ HTTPSͷීٴΛ໨తͱ͍ͯ͠Δ • ΞϝϦΧ߹ऺࠃେखೝূہʢCAʣͰ͋Δ IdenTrust ࣾͷϧʔτূ໌ॻ͔ΒνΣʔϯͰ͖

    ΔΫϩεϧʔτূ໌ॻ

  11. Let’s Encryptͱ͸ͳΜͰ͔͢ • ISRGʢInternet Security Research Groupʣɹ ͱ͍͏ඇӦརஂମ͕ӡӦ͍ͯ͠Δ • γείɺAkamaiɺMozillaͳͲ͕εϙϯαʔͰ

    ࢧԉ͍ͯ͠Δ

  12. ൃߦɺΠϯετʔϧɺߋ৽Λ ࣗಈԽ͠

  13. ࣗಈԽ͠

  14. ࣗಈԽ!!!!!!

  15. Let’s Encryptͷূ໌ॻ • DV(Domain Validation): υϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ • OV(Organization Validation): ૊৫ͷ࣮ࡏͷ֬ೝΛͯ͠ൃߦ

    • EV(Extended Validation): OVΑΓݫີͳ࣮ࡏ֬ೝΛͯ͠ൃߦ • Let's Encrypt͸͜ͷ͏ͪυϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ͢Δ
 DV SSLΛൃߦ͢Δ

  16. Let’s Encryptͷূ໌ॻ • DV(Domain Validation): υϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ • OV(Organization Validation): ૊৫ͷ࣮ࡏͷ֬ೝΛͯ͠ൃߦ

    • EV(Extended Validation): OVΑΓݫີͳ࣮ࡏ֬ೝΛͯ͠ൃߦ • Let's Encrypt͸͜ͷ͏ͪυϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ͢Δ
 DV SSLΛൃߦ͢Δ

  17. ͖ͬࣗ͞ಈԽͬͯݴ͚ͬͨͲ ͳΜͰخ͍͠ͷ͔

  18. طଘͷূ໌ॻͷൃߦ/ߋ৽ʹ͸ ࣗಈԽͮ͠Β͍ཧ༝͕͋Δ

  19. ཧ༝ • ূ໌ॻ͸༗ྉͳͷͰࢧ෷͍ϓϩηε͕ඞཁ • ূ໌ॻ͸ൃߦػؔ(CA)͝ͱʹਃ੥ϓϩηε͕ҧ͏ • ূ໌ॻ͸खಈͰൃߦ͢Δ(ঝೝํ๏͕ϝʔϧͰདྷ Δ) • ূ໌ॻ͸αʔόʹઃఆͯ͠࠶ىಈ͕ඞཁ

  20. εςοϓʹ͢Δͱ͜Μͳײ͡ • 1 ൿີ伴Λ࡞੒ • 2 ൿີ伴ΛݩʹɺCSRʢূ໌ॻΛൃߦ͢ΔͨΊͷॺ໊ཁٻʣΛੜ੒ • 3 ೝূہͷαΠτʹϩάΠϯͯ͠CSRΛϑΥʔϜ͔Βૹ৴

    • 4 ূ໌ॻͷྉۚΛࢧ෷͏(ΫϨδοτΧʔυorۜߦৼࠐ) • 5 ೝূہ͔ΒυϝΠϯॴ༗ऀ΁֬ೝϝʔϧ͕ಧ͘ͷͰঝೝ͢Δ • 6 ೝূہ͔Βূ໌ॻ͕ϝʔϧͳͲͰಧ͘ • 7 ূ໌ॻΛαʔόʹઃఆ
  21. None

  22. ख࡞ۀʹΑΔ෦෼͕ଟࣗ͘ಈ Խ΍ɺφ΢͍σϓϩΠϑϩʔ ʹऔΓࠐΈͮΒ͍

  23. DVূ໌ॻͷൃߦʹඞཁͳ͜ͱ ͸͜Ε͚ͩ

  24. ʮূ໌ॻΛൃߦ͍ͨ͠υϝΠϯ ͷॴ࣋ऀ͔Ͳ͏͔ʯ

  25. ຊਓ֬ೝ • औಘ͠Α͏ͱ͍ͯ͠ΔυϝΠϯͷॴ࣋ऀ͔Ͳ ͏͔ΛνΣοΫͰ͖Ε͹ྑ͍ • υϝΠϯॴ࣋ऀ͔͠Ͱ͖ͳ͍Α͏ͳΞΫγϣ ϯΛཁٻ͞ΕΔ

  26. ຊਓͰ͔͢ʁ • ॴ͍࣋ͯ͠ΔυϝΠϯʹHTTPܦ༝Ͱಛఆͷ৔ॴʹϑΝΠϧΛઃ ஔ͠Let’s Encrypt͔ΒΞΫηεͤ͞Δ • (ଞʹ΋ೝূํ๏͕͋Δ͚Ͳࠓճ͸औΓѻΘͳ͍) • GoogleAppsͱ͔ͰɺಛఆͷHTMLΛొ࿥͍ͨ͠υϝΠϯͷweb αʔόʹΞοϓϩʔυͯ֬͠ೝ͢ΔతͳΞϨͱಉ͡

    • ͦΕΛletsencryptΫϥΠΞϯτ͕CUIϕʔεͰࣗಈԽͯ͘͠ΕΔ

  27. ਤʹ͢Δͱ Ҿ༻ݩɿhttps://http2.try-and-test.net/letsencrypt.html

  28. Ҿ༻ݩΑΓ • ᶃ·ͣ͸ɺൿີ伴ͱCSRΛੜ੒͠ɺൿີ伴͸ϩʔΧϧϑΝΠϧʹอଘ͠·͢ɻ • ͜Ε͸ɺΤʔδΣϯτʢΫϥΠΞϯτιϑτ)͕ੜ੒ͯ͠΋͍͍Ͱ͢͠ɺผ్OpenSSLͰ४උͯ͠΋͍Ͱ ͢ɻ • ᶄΤʔδΣϯτ(ΫϥΠΞϯτιϑτ)͸ɺLet'sEncryptͷACMEαʔόʹ઀ଓ͠CSRΛૹΓ·͢ɻ • ᶅACMEαʔό͸ɺnonceͱݺ͹ΕΔೝূ༻ͷ৘ใΛΤʔδΣϯτιϑτʹฦ͠·͢ɻ

    • ᶆΤʔδΣϯτ͸ɺnonce͔Βɺೝূ༻ͷϑΝΠϧΛੜ੒͠ɺhtdocs഑ԼͷಛఆͷσΟϨΫτʹ഑ஔ͠·͢ɻ • ᶇ४උ͕੔ͬͨͱ͜ΖͰɺΤʔδΣϯτ͸ɺACMEαʔόʹʹೝূνϟϨϯδΛཁٻ͠·͢ɻ • ᶈACMEαʔό͸ɺࢦఆͷυϝΠϯʹೝূ༻ͷϑΝΠϧ͕ઃஔ͞Ε͍ͯΔ͔ɺWebαʔό(HTTPD)ʹ֬ೝ͠ʹ ͍͖·͢ɻ • ᶉACMEαʔό͕ɺظ଴ͨ͠௨Γͷೝূ༻ϑΝΠϧΛμ΢ϯϩʔυͰ͖Ε͹ɺαʔόূ໌ॻΛൃߦ͠ɺᶊͰ ΤʔδΣϯτʹૹ෇͠·͢ɻ

  29. ACMEϓϩτίϧ

  30. ACME • ACMEͱ͸
 Automated
 Certificate
 Management
 Environment
 ͷུ • ͖ͬ͞ͷೝূํ๏͕ϓϩτίϧԽ͞Ε͍ͯΔ

  31. letsencryptΫϥΠΞϯτ • ACMEϓϩτίϧʹैͬͯূ໌ॻΛൃߦɺΠ ϯετʔϧɺߋ৽Λߦ͏ΫϥΠΞϯτ͕ެ։ ͞Ε͍ͯΔ • https://github.com/letsencrypt/letsencrypt

  32. ࢖ͬͯΈΔ

  33. ࢖ͬͯΈΔ $ git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt $ ./letsencrypt-auto

  34. letsencrypt-auto • letsencrypt-auto ͱ͍͏εΫϦϓτ͕༻ҙ͞Ε ͍ͯͯɺॳճ͸ΫϥΠΞϯτΛ࣮ߦ͢ΔͨΊ ͷϥΠϒϥϦͳͲΛΠϯετʔϧ͢Δ • OSΛࣗಈ൑ఆͯ͠pythonͷΠϯετʔϧ΍ gccɺopensslͷΠϯετʔϧͳͲΛ͍ͯ͠ Δɻpython͸virtualenvͰΠϯετʔϧ͞ΕΔ

  35. ূ໌ॻऔಘίϚϯυ ./letsencrypt-auto certonly -t \ -d letsen.critical-alert.net \ --webroot —-webroot-path=/var/www/html/

    \ --rsa-key-size 2048

  36. Φϓγϣϯ͕௕͍ • certonly • ূ໌ॻͷऔಘͷΈΛߦ͏ • -d • ূ໌ॻΛऔಘ͢ΔυϝΠϯΛࢦఆ͢Δ

  37. Φϓγϣϯ͕௕͍2 • --webroot • ApacheͳͲwebαʔόͷυΩϡϝϯτϧʔ τʹೝূ༻ͷϑΝΠϧΛੜ੒͢Δ • --webroot-path • υΩϡϝϯτϧʔτͷύεΛࢦఆ͢Δ

  38. letsencrypt-auto • ͪΌΜͱऔಘͰ͖͍ͯΕ͹Լهʹ഑ஔ͞Ε·͢ • /etc/letsencrypt/live/{domain}/ • cert.pem -> ূ໌ॻ •

    chain.pem -> தؒূ໌ॻ • fullchain.pem -> ূ໌ॻͱதؒূ໌ॻΛͭͳ͛ͨ΋ͷ • privkey.pem -> ൿີ伴

  39. ͋ͱ͸ؾ߹ͱσϞͰ͕Μ͹Δ (࣌ؒʹ༨༟͕͋Ε͹)

  40. ߋ৽͸ʁ • جຊతʹऔಘ࣌ͱಉ͡ίϚϯυΛ࣮ߦ͢Ε͹ ߋ৽ • --renew-by-default • ͜ͷΦϓγϣϯΛ͚ͭΔͱ্ॻ͖͢Δ͔ฉ ͔Εͳ͍ͷͰ͚ͭΔ

  41. ߋ৽͸ʁ • --renew-by-defaultΛ͚ͭͯcronʹ࢓ࠐΉ • ౰વɺߋ৽͞ΕͨλΠϛϯάͰwebαʔόΛreloadͯ͠ূ໌ ॻಡΈ௚͞ͳ͍ͱ͍͚ͳ͍ͷͰ && systemctl reload httpd

    ͷΑ͏ʹ͢Δ • ূ໌ॻͷ༗ޮظؒ͸90೔ʹͳ͍ͬͯΔͷͰ(ηΩϡϦςΟత ͳҙຯ߹͍΍ɺࣗಈߋ৽͕લఏͷͨΊ)1ϲ݄ʹ1ճcronͰ࣮ ߦ͢ΔΑ͏ʹ͢Ε͹OK

  42. ·ͱΊ • ϕʔλͳ͕Β΋΄ͱΜͲͷϞμϯͳ؀ڥͰ༗ޮͳূ໌ॻ͕ແྉͰऔಘͰ͖Δ • ։ൃதͷΞϓϦέʔγϣϯ΍ɺݸਓͰ࡞੒ͨ͠ΞϓϦέʔγϣϯͷSSLԽʹ ༗ޮ • CUIͰ׬݁͢Δͷ͸ྑ͍ͱࢥ͏ • ELBͱ͔ͷ؀ڥͰ࢖͏ʹ͸…ʁ

    • ׬શͳΔࣗಈԽʹ͸·͔͔ͩΓͦ͏ • ߋ৽͸cronͩͬͨΓͶ

  43. ࢀߟϦϯΫ • Let's Encrypt ૯߹ϙʔλϧ • https://letsencrypt.jp/ • Apache 2.4ܥͰHTTP/2αʔόΛߏஙͯ͠ΈΔςετɻ

    • https://http2.try-and-test.net/letsencrypt.html • GoݴޠͰLet's EncryptͷACMEΛཧղ͢Δ • http://deeeet.com/writing/2015/12/01/go-letsencrypt-acme/