[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale

The push for a more secure web got a boost two years ago when Let’s Encrypt, a free and automated certificate authority, became available to everyone. It only takes a command-line tool and a few keystrokes to securely serve almost any website. But what does it take to secure 10,000 websites? Let’s see what it takes, detailing the available PHP tools, the process and architecture changes needed to handle a large number of domains, and the inevitable surprises that appear.

Philip Sharp

July 27, 2018
Transcript

  1. Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    PHPDetroit Conference 2018

  2. Why HTTPS?
    “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

  3. Security
    “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

  4. Privacy
    “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/122969584@N07/13844066275/)

  5. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  7. HTTP/2

  8. What does HTTPS mean?
    “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

  9. Encryption
    “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/)

  10. Authentication
    “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

  11. Certificate
    X.509 in PEM format

  12. 1. Public Key
    2. Subject
    3. Signature

  13. Web of Trust
    “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

  14. Authority
    “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

  15. Getting Certificates
    “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

  17. ACME
    “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

  18. Automated
    “teeth” by artethgray (https://www.flickr.com/photos/36397453@N00/4857336929/)

  19. sudo certbot --apache

  20. 12 6,18 * * * certbot renew -q

  21. Scaling
    “Diving Maldives: Large school of Kashmir Snapper” by Mal B (https://www.flickr.com/photos/mal-b/6834470100/)

  22. Distinguished Name

  23. CN = www.microsoft.com
    OU = Microsoft Corporation
    O = Microsoft Corporation
    L = Redmond
    ST = WA
    C = US

  24. Subject Alternative Name

  25. Common Name

  26. Tooling
    “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

  27. Acme PHP

  28. [photos.kerzap.com, ...] → new-cert → authz → complete

  29. [photos.kerzap.com, ...] → new-authz → new-cert

  30. [Pipeline diagram] Domain Queue → Acme PHP (challenges) → Certificate Queue → Issuance

  31. Renewals
    ‘Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

  32. [Chart: domains renewed per day; x-axis Day 1 to 117, y-axis Domains 0 to 12,000]

  33. Rate Limits
    “southbound I-15 – speed limit 80 mph” by Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)
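
The Domain Queue to Certificate Queue pipeline on slide 30 and the rate-limit slide above are where a platform holding thousands of customer hostnames has to plan issuance instead of firing a request per hostname as it arrives. The following is an added example, not code from the talk or from Acme PHP: a Python batching step that packs queued hostnames into certificates and keeps a per-registered-domain weekly budget so the worker defers a customer who has hit the limit rather than collecting errors from the CA. The two limits it hard-codes (100 names per certificate, 50 certificates per registered domain per week) are assumed from Let’s Encrypt’s published rate limits and should be confirmed against the current rate-limit page; the registered-domain helper is a deliberate approximation (last two labels) where production code must consult the Public Suffix List. All names, classes and sample hostnames are constructed for the example.

```python
from collections import defaultdict

# Limits assumed from Let's Encrypt's published rate limits; confirm the
# current values at https://letsencrypt.org/docs/rate-limits/ before use.
MAX_NAMES_PER_CERT = 100
MAX_CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50


def _canonical(hostname):
    """Lowercase, trim, and drop the FQDN trailing dot."""
    return hostname.strip().lower().rstrip(".")


def registered_domain(hostname):
    """Approximate the registered domain (eTLD+1) as the last two labels.

    Assumption for this example only. Production code must consult the
    Public Suffix List, or shop.example.co.uk is filed under "co.uk".
    """
    labels = _canonical(hostname).split(".")
    return ".".join(labels[-2:])


def pack_certificates(hostnames):
    """Group queued hostnames by registered domain and cut each group into
    certificates of at most MAX_NAMES_PER_CERT names.

    Every certificate containing a name under kerzap.com counts against
    kerzap.com's weekly budget, so one customer's subdomains are packed
    together and never mixed with another customer's names.
    Returns a list of (registered_domain, [names]) in deterministic order.
    """
    groups = defaultdict(list)
    for name in sorted(set(_canonical(h) for h in hostnames)):
        groups[registered_domain(name)].append(name)
    certs = []
    for reg_dom in sorted(groups):
        names = groups[reg_dom]
        for start in range(0, len(names), MAX_NAMES_PER_CERT):
            certs.append((reg_dom, names[start:start + MAX_NAMES_PER_CERT]))
    return certs


class IssuanceBudget:
    """Per-registered-domain count of certificates issued this week.

    The issuance worker asks the budget before each request, so a customer
    who already hit the limit is deferred to the next window instead of
    producing a stream of rate-limited errors from the CA.
    """

    def __init__(self, issued_this_week=None):
        self.issued = defaultdict(int, issued_this_week or {})

    def schedule(self, certs):
        """Split packed certificates into (issue_now, deferred)."""
        issue_now, deferred = [], []
        for reg_dom, names in certs:
            if self.issued[reg_dom] < MAX_CERTS_PER_REGISTERED_DOMAIN_PER_WEEK:
                self.issued[reg_dom] += 1
                issue_now.append((reg_dom, names))
            else:
                deferred.append((reg_dom, names))
        return issue_now, deferred
```

Grouping by registered domain has a second effect worth keeping: a customer’s names never land in another customer’s certificate, and every issued certificate is published to Certificate Transparency, so a mixed SAN list would leak the tenant list.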

  34. The Gotchas
    “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  35. All The Things That Can Go Wrong When Trying To Get A Certificate For Someone Else’s Domain
    “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  36. Chekhov
    “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

  37. invalid_hostname.kerzap.com

  38. $ host photos.kerzap.com
    photos.kerzap.com is an alias for domains.example.com.
    domains.example.com has address 18.234.20.125
    domains.example.com has address 18.234.20.121
    domains.example.com has address 18.234.20.119

  39. Certificate Authority Authorization (CAA)

  40. photos.kerzap.com      CNAME  domains.example.com
      kerzap.com             CAA    0 issue "legacyca.com"
      domains.example.com    A      18.234.20.119
      domains.example.com    CAA    0 issue "letsencrypt.org"
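
Slide 40 shows the situation a multi-tenant platform keeps running into: the customer’s apex (kerzap.com) carries a CAA record naming a different CA, while the hostname they want secured is a CNAME to the platform. The following is an added example, not part of the talk: a small Python CAA evaluator over constructed zone data modelled on those records. It implements the relevant-record-set rule from RFC 8659 (the current CAA specification, published after this talk): a CAA query at a name follows a CNAME at that name like any DNS lookup does, and if nothing is found the original name’s parents are climbed, never the CNAME target’s parents. The dictionary zone, the issuer strings and the helper names are all assumptions for the example.

```python
# Constructed zone data modelled on the records on slide 40; this is an
# in-memory stand-in, not a real DNS lookup.
ZONE = {
    "photos.kerzap.com": {"CNAME": "domains.example.com"},
    "kerzap.com": {"CAA": [(0, "issue", "legacyca.com")]},
    "domains.example.com": {
        "A": ["18.234.20.119"],
        "CAA": [(0, "issue", "letsencrypt.org")],
    },
}


def caa_at(name, zone, max_chain=8):
    """CAA(X): the CAA RRset a resolver returns for X.

    Like any DNS query this follows a CNAME at X to its target, so the
    records at the target are what X 'has'. The parents of the target are
    never consulted (RFC 8659 section 3). A chain longer than max_chain or
    a loop is treated as a lookup failure rather than silently permitted.
    """
    for _ in range(max_chain):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return list(rrs.get("CAA", []))
    raise ValueError("CNAME chain too long or looping at %s" % name)


def parent(name):
    """DNS parent of a name; '' once the TLD has been consulted."""
    return name.split(".", 1)[1] if "." in name else ""


def relevant_caa_set(name, zone):
    """RelevantCAASet(X): CAA(X) if non-empty, else the nearest ancestor's.

    Returns (name_where_found, records), or ('', []) when no CAA record
    exists anywhere up the tree.
    """
    while name:
        rrs = caa_at(name, zone)
        if rrs:
            return name, rrs
        name = parent(name)
    return "", []


def may_issue(hostname, issuer_domain, zone):
    """Apply the 'issue' property to a non-wildcard hostname.

    Only the issue tag is evaluated: issuewild governs '*.' names and iodef
    is a reporting address, neither handled here. Flags are ignored (a real
    CA must refuse on unknown critical flags). Parameters after ';' are
    dropped, so 'letsencrypt.org; validationmethods=dns-01' still names
    letsencrypt.org, while a bare ';' forbids every issuer.
    """
    _, rrs = relevant_caa_set(hostname, zone)
    issue_values = [value for _, tag, value in rrs if tag == "issue"]
    if not issue_values:
        return True  # no issue property anywhere: CAA does not restrict
    return any(v.split(";", 1)[0].strip().lower() == issuer_domain
               for v in issue_values)
```

With the records as on the slide, the platform’s own CAA at domains.example.com is what the CA sees for photos.kerzap.com, so letsencrypt.org may issue even though kerzap.com names legacyca.com. Remove the platform’s CAA and the climb reaches kerzap.com and issuance is refused; that counterfactual is the one to check when a customer’s CNAME suddenly stops validating.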

  41. DNSSEC

  42. photos.kerzap.com
        DNSKEY [public key]
      kerzap.com
        DS [hash of the photos.kerzap.com DNSKEY, signed with the kerzap.com key]
        DNSKEY [public key]
      com
        DS [hash of the kerzap.com DNSKEY, signed with the com key]
        DNSKEY [public key]

  43. Google safe browsing

  44. unboundtest.com
    letsdebug.net

  45. - Me
    https://twitter.com/philipsharp/status/959536858488287234

  46. What’s Next
    “Falcon Heavy Demo Mission” by Official SpaceX Photos (https://www.flickr.com/photos/spacex/40126461851)

  47. Recap
    “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

  48. Lessons
    1. Scaling means different problems.
    2. Custom hostnames are user input.
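
Lesson 2 and slide 37’s invalid_hostname.kerzap.com point at the same thing: a hostname a customer types into a form is untrusted input that will be handed to a CA and, through the challenge queue, resolved and fetched. The following is an added example, not from the talk: a Python normaliser that rejects what a CA would refuse anyway (underscores, edge hyphens, over-long labels, wildcards, bare IP addresses, single labels) before the name ever enters the domain queue, so the platform does not spend failed-validation budget on it. It assumes ASCII input; internationalised names would need IDNA conversion to their xn-- form before this check. Function names and the rejection messages are the example’s own.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_hostname(raw):
    """Validate a customer-supplied hostname before it is queued for issuance.

    Returns the canonical lowercase form or raises ValueError with the reason.
    Rejecting here is cheaper than letting the CA reject it after a failed
    validation attempt that counts against the account's limits.
    """
    if not isinstance(raw, str):
        raise ValueError("hostname must be a string")
    name = raw.strip().lower().rstrip(".")  # trailing dot is the FQDN marker
    if not name:
        raise ValueError("empty hostname")
    if len(name) > 253:
        raise ValueError("hostname longer than 253 characters")
    if name.startswith("*."):
        raise ValueError("wildcard names are not accepted from users")
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError("IP addresses are not hostnames")
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError("need at least a registered domain and a TLD")
    for label in labels:
        # Catches empty labels ('a..b'), underscores, edge hyphens,
        # 64+ character labels, whitespace and non-ASCII in one check.
        if not LABEL_RE.fullmatch(label):
            raise ValueError("invalid label %r" % label)
    if labels[-1].isdigit():
        raise ValueError("TLD cannot be all-numeric")
    return name


def accept_hostname(raw):
    """Queue-friendly wrapper: (True, canonical_name) or (False, reason)."""
    try:
        return True, normalize_hostname(raw)
    except ValueError as exc:
        return False, str(exc)
```

The canonical form is what should be stored and deduplicated on; two requests for Photos.Kerzap.com and photos.kerzap.com. must not become two queue entries and two certificates.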

  49. Thank You
    https://joind.in/talk/2f870
    Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    www.philipsharp.com
    Slide design based on “A white-label slide deck” by Alice Bartlett
    (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides).
    Fonts: Source Sans Pro, Source Code Pro
    All photos public domain or licensed under Creative Commons.
    See individual photos for credits.
