Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale

[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale

The push for a more secure web got a boost two years ago when Let’s Encrypt--a free, automated certificate authority--was made available to everyone. It only takes a command-line tool and a few keystrokes to securely serve almost any website. But what does it take to secure 10,000 websites? Let’s see what it takes while detailing the available PHP tools, the changes in process and architecture needed to handle a large number of domains, and the inevitable surprises that appear.


Philip Sharp

July 27, 2018


  1. None
  2. Let’s Encrypt All The Things HTTPS At Scale Philip Sharp

    @philipsharp PHPDetroit Conference 2018
  3. Why HTTPS? Why HTTPS? “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

  4. Security “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

  5. Privacy “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/122969584@N07/13844066275/)

  6. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  7. None
  8. Your Twitter Handle Here

  9. HTTP/2 Your Twitter Handle Here

  10. What does HTTPS mean? “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

  11. “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/) Encryption

  12. Authentication “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

  13. Certificate X.509 in PEM format

  14. 1. Public Key 2. Subject 3. Signature There’s no outline

  15. Web of Trust “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

  16. Authority “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

  17. Getting Certificates “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

  18. Your Twitter Handle Here

  19. ACME “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

  20. Automated “teeth” by artethgray (https://www.flickr.com/photos/36397453@N00/4857336929/)

  21. sudo certbot --apache Your Twitter Handle Here

  22. 12 6,18 * * * certbot renew -q Your Twitter

    Handle Here
  23. Scaling “Diving Maldives: Large school of Kashmir Snapper” by Mal

    B (https://www.flickr.com/photos/mal-b/6834470100/)
  24. Distinguished Name Your Twitter Handle Here

  25. CN = www.microsoft.com OU = Microsoft Corporation O = Microsoft

    Corporation L = Redmond ST = WA C = US Your Twitter Handle Here
  26. Subject Alternative Name Your Twitter Handle Here

  27. Common Name Your Twitter Handle Here

  28. 4 2 2 NaN 2

  29. Tooling “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

  30. Acme PHP Your Twitter Handle Here

  31. [photos.kerzap.com, ...] ↓ new-cert ↓ authz ↓ complete Your Twitter

    Handle Here
  32. [photos.kerzap.com, ...] ↓ new-authz ↓ new-cert Your Twitter Handle Here

  33. None
  34. Challenges Domain Queue Acme PHP Certificate Queue Issuance

  35. Renewals ‘Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

  36. 1 5 9 13 17 21 25 29 33 37

    41 45 49 53 57 61 65 69 73 77 81 85 89 93 97 101 105 109 113 117 0 2000 4000 6000 8000 10000 12000 Day Domains
  37. Rate Limits “southbound I-15 – speed limit 80 mph” by

    Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)
  38. The Gotchas “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo

  39. All The Things That Can Go Wrong When Trying To

    Get A Certificate For Someone Else’s Domain “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)
  40. Chekhov “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

  41. invalid_hostname.kerzap.com Your Twitter Handle Here

  42. $ host photos.kerzap.com photos.kerzap.com is an alias for domains.example.com. domains.example.com

    has address domains.example.com has address domains.example.com has address Your Twitter Handle Here
  43. Certificate Authority Authorization Your Twitter Handle Here

  44. photos.kerzap.com CNAME domains.example.com kerzap.com CAA 0 issue "legacyca.com" domains.example.com A CAA 0 issue "letsencrypt.org"
  45. DNSSEC Your Twitter Handle Here

  46. photos.kerzap.com DNSKEY [public key] kerzap.com DS [signature for photos.kerzap.com] DNSKEY

    [public key] com DS [signature for kerzap.com] DNSKEY [public key]
  47. Google safe browsing

  48. unboundtest.com letsdebug.net Your Twitter Handle Here

  49. - Me https://twitter.com/philipsharp/status/959536858488287234

  50. What’s Next “Falcon Heavy Demo Mission” by Official SpaceX Photos

  51. Recap “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

  52. Lessons 1. Scaling means different problems. 2. Custom hostnames are

    user input.
  53. Thank You https://joind.in/talk/2f870 Image Credit goes here Let’s Encrypt All

    The Things HTTPS At Scale Philip Sharp @philipsharp www.philipsharp.com Slide design based on “A white-label slide deck” by Alice Bartlett (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides). Fonts: Source Sans Pro, Source Code Pro All photos public domain or licensed under Creative Commons. See individual photos for credits.