AAA: An ACME Agent for AWS environment


TANABE Ken-ichi

January 22, 2016


  1. AAA: An ACME Agent for AWS

    2016/01/22 @ HDE MTS #18
    TANABE Ken-ichi
  2. ACME Protocol and Let’s Encrypt Project

  3. How ACME (Let’s Encrypt) works

    1. Register your account
    2. Prove possession of your domain
    3. Request LE to issue a certificate
    4. Download the certificate
    5. Renew the certificate periodically within 90 days

    All things CAN be automated via RESTful API
    All things MUST be automated, or you will be stuck
  4. Things we should resolve

    • DNS integration
    • Key store integration
    • Automated renewal process integration
    • ChatOps integration

    Answer: https://github.com/nabeken/aaa
  5. AAA’s Goal (for fun): Fully utilize AWS

    • Server-less architecture by AWS Lambda
    • State-less architecture by AWS S3
    • Server-side-Encryption by AWS S3 SSE-KMS
    • Server-less domain validation by AWS Route53
    • ChatOps integration by AWS API Gateway

    No server, No state, fully automated and Secure
    It’s super cool...
  6. How AAA Works

    • Core logic written in Go as CLI app
    • CLI app does the tricks
    • Lambda Function just wraps it
    • Build as a single ZIP and ship it to 3 Lambda Functions
  7. Let’s Encrypt opens the door… YESTERDAY!!!!

  8. DEMO: If you see this, I failed to show you

  9. One more thing…

  10. AWS Certificate Management (ACM) released TODAY

    • TODAY (OMG!!)
    • Certificates issued by ACM are FREE
    • Integrated with ELB and CloudFront (for now)
    • Only available for us-east-1 for now
  11. Quick comparison: Let’s Encrypt vs ACM

    |                        | Let’s Encrypt                            | ACM                |
    |------------------------|------------------------------------------|--------------------|
    | Pricing                | FREE                                     | FREE               |
    | Application            | No limitation                            | ELB and CloudFront |
    | Type                   | DV certificate                           | DV certificate     |
    | Period                 | 3 months                                 | 13 months          |
    | Wildcard certificate   | Not Available                            | Available          |
    | Multiple domains (SAN) | Available                                | Available          |
    | Validation methods     | HTTP, DNS                                | Email              |
    | Certificate algorithm  | RSA 2048, 4096 bits; ECDSA (P-256, …?)   | RSA 2048 bits      |
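
The DNS validation that slides 3 and 5 refer to (proving possession of the domain through a Route53 record), as an added example that is not code from the talk or from the aaa repository: it computes the TXT record a client publishes for a dns-01 challenge as specified in RFC 8555 and RFC 7638. The domain, token and function names are assumptions, and a throwaway P-256 key stands in for the account key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

var b64 = base64.RawURLEncoding // base64url without padding, as ACME uses

// NewAccountKey generates a throwaway P-256 key standing in for the ACME account key.
func NewAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Thumbprint returns the RFC 7638 JWK thumbprint of a P-256 public key:
// SHA-256 over the required JWK members in lexicographic order, no whitespace.
func Thumbprint(pub *ecdsa.PublicKey) string {
	x := pub.X.FillBytes(make([]byte, 32)) // coordinates are fixed-width, 32 bytes each
	y := pub.Y.FillBytes(make([]byte, 32))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`,
		b64.EncodeToString(x), b64.EncodeToString(y))
	sum := sha256.Sum256([]byte(jwk))
	return b64.EncodeToString(sum[:])
}

// DNS01Record returns the TXT record name and value that prove control of domain
// for the given challenge token (RFC 8555, section 8.4).
func DNS01Record(domain, token string, pub *ecdsa.PublicKey) (name, value string) {
	keyAuth := token + "." + Thumbprint(pub) // binds the CA's token to the account key
	sum := sha256.Sum256([]byte(keyAuth))
	return "_acme-challenge." + domain, b64.EncodeToString(sum[:])
}

func main() {
	key, err := NewAccountKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample values; a real token comes from the CA's challenge object.
	name, value := DNS01Record("example.test", "constructed-token-0001", &key.PublicKey)
	fmt.Printf("%s TXT %q\n", name, value)
}
```

Because the value depends on the account key as well as the token, a TXT record published for one account does not validate a challenge issued to another.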