Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale

Philip Sharp
July 27, 2018
Programming
1
160

[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale

The push for a more secure web got a boost two years ago when Let’s Encrypt--a free, automated certificate authority--was made available to everyone. It only takes a command-line tool and a few keystrokes to securely serve almost any website. But what does it take to secure 10,000 websites? Let’s see what it takes while detailing the available PHP tools, the changes in process and architecture needed to handle a large number of domains, and the inevitable surprises that appear.

Philip Sharp

July 27, 2018
Tweet

More Decks by Philip Sharp

See All by Philip Sharp
[MidDevCon 2018] Let's Encrypt All The Things: HTTPS At Scale
philipsharp
0
61

Other Decks in Programming

See All in Programming
Goのエラースタックトレースの歴史と今後
sonatard
7
1.2k
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
680
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
26
8.2k
Random\Randomizer クラスで日常のあれこれを解決しよう! / Random\Randomizer class solves familiar trouble
cocoeyes02
0
230
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
370
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
140
Ruby Pattern Matching
bkuhlmann
0
920
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
360
エンターテイメント業界で利用されるAWS
demuyan
0
210
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
510
ゆるい個人開発のススメ
kuroppe1819
10
990

Featured

See All Featured
Why Our Code Smells
bkeepers
PRO
331
56k
BBQ
matthewcrist
80
8.8k
The Cult of Friendly URLs
andyhume
74
5.7k
Producing Creativity
orderedlist
PRO
337
39k
How GitHub (no longer) Works
holman
304
140k
Building Your Own Lightsaber
phodgson
99
5.7k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
How STYLIGHT went responsive
nonsquared
92
4.8k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Code Reviewing Like a Champion
maltzj
514
39k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k

Transcript

  1. None

  2. Let’s Encrypt All The Things HTTPS At Scale Philip Sharp

    @philipsharp PHPDetroit Conference 2018

  3. Why HTTPS? Why HTTPS? “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

  4. Security “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

  5. Privacy “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/122969584@N07/13844066275/)

  6. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  7. None

  8. Your Twitter Handle Here

  9. HTTP/2 Your Twitter Handle Here

  10. What does HTTPS mean? “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

  11. “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/) Encryption

  12. Authentication “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

  13. Certificate X.509 in PEM format

  14. 1. Public Key 2. Subject 3. Signature There’s no outline

    view...

  15. Web of Trust “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

  16. Authority “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

  17. Getting Certificates “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

  18. Your Twitter Handle Here

  19. ACME “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

  20. Automated “teeth” by artethgray (https://www.flickr.com/photos/36397453@N00/4857336929/)

  21. sudo certbot --apache Your Twitter Handle Here

  22. 12 6,18 * * * certbot renew -q Your Twitter

    Handle Here

  23. Scaling “Diving Maldives: Large school of Kashmir Snapper” by Mal

    B (https://www.flickr.com/photos/mal-b/6834470100/)

  24. Distinguished Name Your Twitter Handle Here

  25. CN = www.microsoft.com OU = Microsoft Corporation O = Microsoft

    Corporation L = Redmond ST = WA C = US Your Twitter Handle Here

  26. Subject Alternative Name Your Twitter Handle Here

  27. Common Name Your Twitter Handle Here

  28. 4 2 2 NaN 2

  29. Tooling “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

  30. Acme PHP Your Twitter Handle Here

  31. [photos.kerzap.com, ...] ↓ new-cert ↓ authz ↓ complete Your Twitter

    Handle Here

  32. [photos.kerzap.com, ...] ↓ new-authz ↓ new-cert Your Twitter Handle Here

  33. None

  34. Challenges Domain Queue Acme PHP Certificate Queue Issuance

  35. Renewals ‘Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

  36. 1 5 9 13 17 21 25 29 33 37

    41 45 49 53 57 61 65 69 73 77 81 85 89 93 97 101 105 109 113 117 0 2000 4000 6000 8000 10000 12000 Day Domains

  37. Rate Limits “southbound I-15 – speed limit 80 mph” by

    Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)

  38. The Gotchas “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo

    (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  39. All The Things That Can Go Wrong When Trying To

    Get A Certificate For Someone Else’s Domain “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  40. Chekhov “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

  41. invalid_hostname.kerzap.com Your Twitter Handle Here

  42. $ host photos.kerzap.com photos.kerzap.com is an alias for domains.example.com. domains.example.com

    has address 18.234.20.125 domains.example.com has address 18.234.20.121 domains.example.com has address 18.234.20.119 Your Twitter Handle Here

  43. Certificate Authority Authorization Your Twitter Handle Here

  44. photos.kerzap.com CNAME domains.example.com kerzap.com CAA 0 issue "legacyca.com" domains.example.com A

    18.234.20.119 CAA 0 issue "letsencrypt.org"

  45. DNSSEC Your Twitter Handle Here

  46. photos.kerzap.com DNSKEY [public key] kerzap.com DS [signature for photos.kerzap.com] DNSKEY

    [public key] com DS [signature for kerzap.com] DNSKEY [public key]

  47. Google safe browsing

  48. unboundtest.com letsdebug.net Your Twitter Handle Here

  49. - Me https://twitter.com/philipsharp/status/959536858488287234

  50. What’s Next “Falcon Heavy Demo Mission” by Official SpaceX Photos

    (https://www.flickr.com/photos/spacex/40126461851)

  51. Recap “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

  52. Lessons 1. Scaling means different problems. 2. Custom hostnames are

    user input.

  53. Thank You https://joind.in/talk/2f870 Image Credit goes here Let’s Encrypt All

    The Things HTTPS At Scale Philip Sharp @philipsharp www.philipsharp.com Slide design based on “A white-label slide deck” by Alice Bartlett (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides). Fonts: Source Sans Pro, Source Code Pro All photos public domain or licensed under Creative Commons. See individual photos for credits.