Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
入門Let's Encrypt
Search
Hirokazu Sugiuchi
January 15, 2016
2
2.1k
入門Let's Encrypt
2016/01/15に社内勉強会で使用した資料です。内容の補足記事はこちら
http://tech.feedforce.jp/study-letsencrypt.html
Hirokazu Sugiuchi
January 15, 2016
Tweet
Share
More Decks by Hirokazu Sugiuchi
See All by Hirokazu Sugiuchi
FFLT_12.pdf
critical_alert
0
67
AWS認定 ソリューションアーキテクトアソシエイトを受けてきた話
critical_alert
1
310
Hue で始める おうちハック入門
critical_alert
1
2k
Blue/Green deploymentへの道のり
critical_alert
1
120
Mackerelでサーバ監視はじめた話
critical_alert
0
1.6k
Featured
See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Unsuck your backbone
ammeep
663
57k
A Philosophy of Restraint
colly
197
16k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Practical Orchestrator
shlominoach
182
9.7k
Agile that works and the tools we love
rasmusluckow
325
20k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Why Our Code Smells
bkeepers
PRO
331
56k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Transcript
ೖLet's Encrypt 2016/01/15 feedforce Inc. / ਿ
ࣗݾհ
@critical-alert @critical_alert • ϑΟʔυϑΥʔεͰΠϯϑϥΤϯδχΞͱ͠ ͯಇ͍͍ͯ·͢ • ͡ΊͯLinuxʹ৮Εͯ8͘Β͍Ͱ͢ • SNSͷID͕͍͜͠Ͱ͢
Let's Encryptͱࢲ
Let’s EncryptͱͳΜͰ͔͢
SSL/TLSαʔόূ໌ॻΛແྉ Ͱൃߦͯ͘͠ΕΔCA(ೝূہ)
SSL
None
SSL͋Δ͋Δ • झຯͰwebαʔϏε࡞͚ͬͨͲϩάΠϯػೳ ͚͔ͭͨΒSSLʹ͍ͨ͠ • Ͱূ໌ॻߴ͍ɻɻɻ • ͕͢͞ʹΦϨΦϨূ໌ॻແ͍Θʔ • ͱ͍͏͔ͦͦऔΓํΑ͘Θ͔ΒΜɻɻ
Let’s EncryptͱͳΜͰ͔͢ • SSLূ໌ॻΛແྉͰൃߦ͢Δͱͱʹɺূ໌ॻ ͷൃߦɺΠϯετʔϧɺߋ৽ΛࣗಈԽ͠ HTTPSͷීٴΛతͱ͍ͯ͠Δ • ΞϝϦΧ߹ऺࠃେखೝূہʢCAʣͰ͋Δ IdenTrust ࣾͷϧʔτূ໌ॻ͔ΒνΣʔϯͰ͖
ΔΫϩεϧʔτূ໌ॻ
Let’s EncryptͱͳΜͰ͔͢ • ISRGʢInternet Security Research Groupʣɹ ͱ͍͏ඇӦརஂମ͕ӡӦ͍ͯ͠Δ • γείɺAkamaiɺMozillaͳͲ͕εϙϯαʔͰ
ࢧԉ͍ͯ͠Δ
ൃߦɺΠϯετʔϧɺߋ৽Λ ࣗಈԽ͠
ࣗಈԽ͠
ࣗಈԽ!!!!!!
Let’s Encryptͷূ໌ॻ • DV(Domain Validation): υϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ • OV(Organization Validation): ৫ͷ࣮ࡏͷ֬ೝΛͯ͠ൃߦ
• EV(Extended Validation): OVΑΓݫີͳ࣮ࡏ֬ೝΛͯ͠ൃߦ • Let's Encrypt͜ͷ͏ͪυϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ͢Δ DV SSLΛൃߦ͢Δ
Let’s Encryptͷূ໌ॻ • DV(Domain Validation): υϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ • OV(Organization Validation): ৫ͷ࣮ࡏͷ֬ೝΛͯ͠ൃߦ
• EV(Extended Validation): OVΑΓݫີͳ࣮ࡏ֬ೝΛͯ͠ൃߦ • Let's Encrypt͜ͷ͏ͪυϝΠϯͷॴ༗Λ֬ೝͯ͠ൃߦ͢Δ DV SSLΛൃߦ͢Δ
͖ͬࣗ͞ಈԽͬͯݴ͚ͬͨͲ ͳΜͰخ͍͠ͷ͔
طଘͷূ໌ॻͷൃߦ/ߋ৽ʹ ࣗಈԽͮ͠Β͍ཧ༝͕͋Δ
ཧ༝ • ূ໌ॻ༗ྉͳͷͰࢧ͍ϓϩηε͕ඞཁ • ূ໌ॻൃߦػؔ(CA)͝ͱʹਃϓϩηε͕ҧ͏ • ূ໌ॻखಈͰൃߦ͢Δ(ঝೝํ๏͕ϝʔϧͰདྷ Δ) • ূ໌ॻαʔόʹઃఆͯ͠࠶ىಈ͕ඞཁ
εςοϓʹ͢Δͱ͜Μͳײ͡ • 1 ൿີ伴Λ࡞ • 2 ൿີ伴ΛݩʹɺCSRʢূ໌ॻΛൃߦ͢ΔͨΊͷॺ໊ཁٻʣΛੜ • 3 ೝূہͷαΠτʹϩάΠϯͯ͠CSRΛϑΥʔϜ͔Βૹ৴
• 4 ূ໌ॻͷྉۚΛࢧ͏(ΫϨδοτΧʔυorۜߦৼࠐ) • 5 ೝূہ͔ΒυϝΠϯॴ༗ऀ֬ೝϝʔϧ͕ಧ͘ͷͰঝೝ͢Δ • 6 ೝূہ͔Βূ໌ॻ͕ϝʔϧͳͲͰಧ͘ • 7 ূ໌ॻΛαʔόʹઃఆ
None
ख࡞ۀʹΑΔ෦͕ଟࣗ͘ಈ Խɺφ͍σϓϩΠϑϩʔ ʹऔΓࠐΈͮΒ͍
DVূ໌ॻͷൃߦʹඞཁͳ͜ͱ ͜Ε͚ͩ
ʮূ໌ॻΛൃߦ͍ͨ͠υϝΠϯ ͷॴ࣋ऀ͔Ͳ͏͔ʯ
ຊਓ֬ೝ • औಘ͠Α͏ͱ͍ͯ͠ΔυϝΠϯͷॴ࣋ऀ͔Ͳ ͏͔ΛνΣοΫͰ͖Εྑ͍ • υϝΠϯॴ࣋ऀ͔͠Ͱ͖ͳ͍Α͏ͳΞΫγϣ ϯΛཁٻ͞ΕΔ
ຊਓͰ͔͢ʁ • ॴ͍࣋ͯ͠ΔυϝΠϯʹHTTPܦ༝ͰಛఆͷॴʹϑΝΠϧΛઃ ஔ͠Let’s Encrypt͔ΒΞΫηεͤ͞Δ • (ଞʹೝূํ๏͕͋Δ͚ͲࠓճऔΓѻΘͳ͍) • GoogleAppsͱ͔ͰɺಛఆͷHTMLΛొ͍ͨ͠υϝΠϯͷweb αʔόʹΞοϓϩʔυͯ֬͠ೝ͢ΔతͳΞϨͱಉ͡
• ͦΕΛletsencryptΫϥΠΞϯτ͕CUIϕʔεͰࣗಈԽͯ͘͠ΕΔ
ਤʹ͢Δͱ Ҿ༻ݩɿhttps://http2.try-and-test.net/letsencrypt.html
Ҿ༻ݩΑΓ • ᶃ·ͣɺൿີ伴ͱCSRΛੜ͠ɺൿີ伴ϩʔΧϧϑΝΠϧʹอଘ͠·͢ɻ • ͜ΕɺΤʔδΣϯτʢΫϥΠΞϯτιϑτ)͕ੜ͍͍ͯ͠Ͱ͢͠ɺผ్OpenSSLͰ४උ͍ͯ͠Ͱ ͢ɻ • ᶄΤʔδΣϯτ(ΫϥΠΞϯτιϑτ)ɺLet'sEncryptͷACMEαʔόʹଓ͠CSRΛૹΓ·͢ɻ • ᶅACMEαʔόɺnonceͱݺΕΔೝূ༻ͷใΛΤʔδΣϯτιϑτʹฦ͠·͢ɻ
• ᶆΤʔδΣϯτɺnonce͔Βɺೝূ༻ͷϑΝΠϧΛੜ͠ɺhtdocsԼͷಛఆͷσΟϨΫτʹஔ͠·͢ɻ • ᶇ४උ͕ͬͨͱ͜ΖͰɺΤʔδΣϯτɺACMEαʔόʹʹೝূνϟϨϯδΛཁٻ͠·͢ɻ • ᶈACMEαʔόɺࢦఆͷυϝΠϯʹೝূ༻ͷϑΝΠϧ͕ઃஔ͞Ε͍ͯΔ͔ɺWebαʔό(HTTPD)ʹ֬ೝ͠ʹ ͍͖·͢ɻ • ᶉACMEαʔό͕ɺظͨ͠௨Γͷೝূ༻ϑΝΠϧΛμϯϩʔυͰ͖Εɺαʔόূ໌ॻΛൃߦ͠ɺᶊͰ ΤʔδΣϯτʹૹ͠·͢ɻ
ACMEϓϩτίϧ
ACME • ACMEͱ Automated Certificate Management Environment ͷུ • ͖ͬ͞ͷೝূํ๏͕ϓϩτίϧԽ͞Ε͍ͯΔ
letsencryptΫϥΠΞϯτ • ACMEϓϩτίϧʹैͬͯূ໌ॻΛൃߦɺΠ ϯετʔϧɺߋ৽Λߦ͏ΫϥΠΞϯτ͕ެ։ ͞Ε͍ͯΔ • https://github.com/letsencrypt/letsencrypt
ͬͯΈΔ
ͬͯΈΔ $ git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt $ ./letsencrypt-auto
letsencrypt-auto • letsencrypt-auto ͱ͍͏εΫϦϓτ͕༻ҙ͞Ε ͍ͯͯɺॳճΫϥΠΞϯτΛ࣮ߦ͢ΔͨΊ ͷϥΠϒϥϦͳͲΛΠϯετʔϧ͢Δ • OSΛࣗಈఆͯ͠pythonͷΠϯετʔϧ gccɺopensslͷΠϯετʔϧͳͲΛ͍ͯ͠ ΔɻpythonvirtualenvͰΠϯετʔϧ͞ΕΔ
ূ໌ॻऔಘίϚϯυ ./letsencrypt-auto certonly -t \ -d letsen.critical-alert.net \ --webroot —-webroot-path=/var/www/html/
\ --rsa-key-size 2048
Φϓγϣϯ͕͍ • certonly • ূ໌ॻͷऔಘͷΈΛߦ͏ • -d • ূ໌ॻΛऔಘ͢ΔυϝΠϯΛࢦఆ͢Δ
Φϓγϣϯ͕͍2 • --webroot • ApacheͳͲwebαʔόͷυΩϡϝϯτϧʔ τʹೝূ༻ͷϑΝΠϧΛੜ͢Δ • --webroot-path • υΩϡϝϯτϧʔτͷύεΛࢦఆ͢Δ
letsencrypt-auto • ͪΌΜͱऔಘͰ͖͍ͯΕԼهʹஔ͞Ε·͢ • /etc/letsencrypt/live/{domain}/ • cert.pem -> ূ໌ॻ •
chain.pem -> தؒূ໌ॻ • fullchain.pem -> ূ໌ॻͱதؒূ໌ॻΛͭͳ͛ͨͷ • privkey.pem -> ൿີ伴
͋ͱؾ߹ͱσϞͰ͕ΜΔ (࣌ؒʹ༨༟͕͋Ε)
ߋ৽ʁ • جຊతʹऔಘ࣌ͱಉ͡ίϚϯυΛ࣮ߦ͢Ε ߋ৽ • --renew-by-default • ͜ͷΦϓγϣϯΛ͚ͭΔͱ্ॻ͖͢Δ͔ฉ ͔Εͳ͍ͷͰ͚ͭΔ
ߋ৽ʁ • --renew-by-defaultΛ͚ͭͯcronʹࠐΉ • વɺߋ৽͞ΕͨλΠϛϯάͰwebαʔόΛreloadͯ͠ূ໌ ॻಡΈ͞ͳ͍ͱ͍͚ͳ͍ͷͰ && systemctl reload httpd
ͷΑ͏ʹ͢Δ • ূ໌ॻͷ༗ޮظؒ90ʹͳ͍ͬͯΔͷͰ(ηΩϡϦςΟత ͳҙຯ߹͍ɺࣗಈߋ৽͕લఏͷͨΊ)1ϲ݄ʹ1ճcronͰ࣮ ߦ͢ΔΑ͏ʹ͢ΕOK
·ͱΊ • ϕʔλͳ͕Β΄ͱΜͲͷϞμϯͳڥͰ༗ޮͳূ໌ॻ͕ແྉͰऔಘͰ͖Δ • ։ൃதͷΞϓϦέʔγϣϯɺݸਓͰ࡞ͨ͠ΞϓϦέʔγϣϯͷSSLԽʹ ༗ޮ • CUIͰ݁͢Δͷྑ͍ͱࢥ͏ • ELBͱ͔ͷڥͰ͏ʹ…ʁ
• શͳΔࣗಈԽʹ·͔͔ͩΓͦ͏ • ߋ৽cronͩͬͨΓͶ
ࢀߟϦϯΫ • Let's Encrypt ૯߹ϙʔλϧ • https://letsencrypt.jp/ • Apache 2.4ܥͰHTTP/2αʔόΛߏஙͯ͠ΈΔςετɻ
• https://http2.try-and-test.net/letsencrypt.html • GoݴޠͰLet's EncryptͷACMEΛཧղ͢Δ • http://deeeet.com/writing/2015/12/01/go-letsencrypt-acme/