Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[MidDevCon 2018] Let's Encrypt All The Things: HTTPS At Scale

Philip Sharp
July 13, 2018
Programming
0
61

[MidDevCon 2018] Let's Encrypt All The Things: HTTPS At Scale

The push for a more secure web got a boost two years ago when Let’s Encrypt—a free, automated certificate authority–was made available to everyone. It only takes a command line tool and a few keystrokes to securely serve almost any website. But what does it take to secure 10,000 websites? Let’s see what it takes while detailing the available tools, the changes in process and architecture needed to handle a large number of domains, and the inevitable surprises that appear.

Philip Sharp

July 13, 2018
Tweet

More Decks by Philip Sharp

See All by Philip Sharp
[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale
philipsharp
1
160

Other Decks in Programming

See All in Programming
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
540
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
360
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
290
ONE WEDGE_company_guide
1wedge_one
0
490
Git Lint
bkuhlmann
4
750
Milestoner
bkuhlmann
1
410
Git Rebase
bkuhlmann
11
1.6k
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
930
Let's learn code review
riofujimon
2
430
SIMD Parallel Programming with the Vector API
josepaumard
0
180
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
25
5.8k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Product Roadmaps are Hard
iamctodd
44
9.7k
Agile that works and the tools we love
rasmusluckow
325
20k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
274
13k
Docker and Python
trallard
34
2.7k
Bash Introduction
62gerente
604
210k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k

Transcript

  1. None

  2. Let’s Encrypt All The Things HTTPS At Scale Philip Sharp

    @philipsharp Mid-Atlantic Developer Conference 2018

  3. Why HTTPS? Why HTTPS? “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

  4. Yahoo! Homepage in 1994 (https://www.flickr.com/photos/yodelanecdotal/3740158785)

  5. Netscape Navigator, v1.0, 1994

  6. Security “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

  7. Privacy “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/122969584@N07/13844066275/)

  8. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  9. None

  10. Your Twitter Handle Here

  11. None

  12. HTTP/2 Your Twitter Handle Here

  13. What does HTTPS mean? “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

  14. “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/) Encryption

  15. Authentication “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

  16. Certificate X.509 in PEM format

  17. 1. Public Key 2. Subject 3. Signature There’s no outline

    view...

  18. Web of Trust “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

  19. Authority “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

  20. Getting Certificates “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

  21. Your Twitter Handle Here

  22. ACME “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

  23. Automated “teeth” by artethgray (https://www.flickr.com/photos/36397453@N00/4857336929/)

  24. sudo certbot --apache Your Twitter Handle Here

  25. 12 6,18 * * * certbot renew -q Your Twitter

    Handle Here

  26. Scaling “Diving Maldives: Large school of Kashmir Snapper” by Mal

    B (https://www.flickr.com/photos/mal-b/6834470100/)

  27. Distinguished Name Your Twitter Handle Here

  28. CN = www.microsoft.com OU = Microsoft Corporation O = Microsoft

    Corporation L = Redmond ST = WA C = US Your Twitter Handle Here

  29. Subject Alternative Name Your Twitter Handle Here

  30. Common Name Your Twitter Handle Here

  31. 4 2 2 NaN 2

  32. Tooling “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

  33. Acme PHP Your Twitter Handle Here

  34. [example.com, ...] ↓ new-cert ↓ authz ↓ complete Your Twitter

    Handle Here

  35. [example.com, ...] ↓ new-authz ↓ new-cert Your Twitter Handle Here

  36. None

  37. Challenges Domain Queue Acme PHP Certificate Queue Issuance

  38. Renewals ‘Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

  39. 1 5 9 13 17 21 25 29 33 37

    41 45 49 53 57 61 65 69 73 77 81 85 89 93 97 101 105 109 113 117 0 2000 4000 6000 8000 10000 12000 Day Domains

  40. Rate Limits “southbound I-15 – speed limit 80 mph” by

    Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)

  41. The Gotchas “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo

    (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  42. Chekhov “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

  43. invalid_hostname.example.com Your Twitter Handle Here

  44. 18.234.20.119 Your Twitter Handle Here

  45. Certificate Authority Authorization Your Twitter Handle Here

  46. subdomain.example.com CNAME custom.example.net example.com CAA 0 issue "legacyca.com" custom.example.net A

    18.234.20.119 CAA 0 issue "letsencrypt.org"

  47. DNSSEC Your Twitter Handle Here

  48. subdomain.example.com DNSKEY [public key] example.com DS [signature for subdomain.example.com] DNSKEY

    [public key] com DS [signature for example.com] DNSKEY [public key]

  49. Google safe browsing

  50. unboundtest.com letsdebug.net Your Twitter Handle Here

  51. - Me https://twitter.com/philipsharp/status/959536858488287234

  52. What’s Next “Falcon Heavy Demo Mission” by Official SpaceX Photos

    (https://www.flickr.com/photos/spacex/40126461851)

  53. Recap “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

  54. Lessons 1. Scaling means different problems. 2. Custom hostnames are

    user input.
  55. None

  56. Thank You https://joind.in/talk/28389 Image Credit goes here Let’s Encrypt All

    The Things HTTPS At Scale Philip Sharp @philipsharp www.philipsharp.com Slide design based on “A white-label slide deck” by Alice Bartlett (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides). Fonts: Source Sans Pro, Source Code Pro All photos public domain or licensed under Creative Commons. See individual photos for credits.