Acmesmith (http2study8)

Slide 1

Slide 1 text

acmesmith: An effective ACME client @sorah http2study #8 / May 30, 2016

Slide 2

Slide 2 text

@sorah (ͦΒ͸) • https://sorah.jp/ • https://github.com/sorah • https://twitter.com/sora_h • Cookpad Inc. ΠϯϑϥετϥΫνϟʔ෦ • Ruby committer

Slide 3

Slide 3 text

ACME protorol • Automated Certiﬁcate Management Environment • Let’s encrypt https://letsencrypt.org/ ͷͨΊʹ࡞ΒΕͨ API ࢓༷ • https://letsencrypt.org/how-it-works/  https://github.com/letsencrypt/acme-spec • HTTP/DNS/TLS-SNIΛ௨ͨ͠ॴ༗֬ೝɺূ໌ॻͷൃߦΛࣗಈԽ

Slide 4

Slide 4 text

ACME client • ࣮ࡍʹ ACME server ͱ΍ΓͱΓͯ͠ TLS ূ໌ॻΛऔಘͯ͘͠ΕΔΫ ϥΠΞϯτ • ެࣜ https://github.com/certbot/certbot (چ letsencrypt) • https://github.com/certbot/certbot/wiki/Links

Slide 5

Slide 5 text

ެࣜ

Slide 6

Slide 6 text

ެࣜ • ΘΓͱ୭Ͱ΋࢖͑ͦ͏ͳײ͡ʹΏΔ͘࡞ΒΕ͍ͯΔ • ศར͡ΌΜ

Slide 7

Slide 7 text

ެࣜ

Slide 8

Slide 8 text

ެࣜ • nginx/apache/haproxy ͱ͔ͱ͍͍ײ͡ʹ࿈ܞͯ͠উखʹઃఆͯ͘͠ ΕΔΒ͍͠ɺศར

Slide 9

Slide 9 text

໰୊఺ • ৴༻Ͱ͖ͳ͍ڍಈ • ͓અհͳڍಈ • Ωʔ؅ཧ໰୊

Slide 10

Slide 10 text

৴༻Ͱ͖ͳ͍໰୊ • ·ͣ͸͜ͷεΫγϣΛݟͯ͘Ε

Slide 11

Slide 11 text

৴༻Ͱ͖ͳ͍໰୊

Slide 12

Slide 12 text

৴༻Ͱ͖ͳ͍໰୊ • Manual installation ͷ৔߹ͩͱಥવ sudo apt-get install (΍ Gentoo ͳΒ sudo emerge) Λୟ͖ग़͢໰୊ • sudo -k ͠ͱ͚͹େৎ෉! • ͍ͯ͏͔ help ୟ͍͚ͨͩͳΜͰ͚͢Ͳ… • ϚδͰ…?

Slide 13

Slide 13 text

͓અհͳ໰୊ • Θͨ͠͸αʔόʔΛϓϩϏδϣχϯάπʔϧΛ࢖ͬͯ៉ྷʹͱͱͷ͑ ͍ͯΔ • ͦΕͳΓʹϚτϞͳ nginx ౳Ͱͷ TLS ͷઃఆ΋Ͱ͖Δ͠ɺπʔϧͭ ͔ͬͯ៉ྷʹ؅ཧͯ͠Δ • উखʹαʔόʔͷઃఆΛ࿔Βͳ͍Ͱ΄͍͠ɻ͓અհͰ͋Δɻ • ͦ͏͍͏Ϟʔυ΋͋Δ͚ͲɺͳΜ͔͜͏͍͏ڍಈͯ͠Δ࣌఺Ͱ৴ ༻͕ͳΒͳ͍

Slide 14

Slide 14 text

Ωʔ؅ཧ໰୊ • ൃߦͨ͠ূ໌ॻ΍ͦͷΩʔϖΞɺ͓Αͼ account key ͷ؅ཧ͸͖ͬ ͪΓ΍Γ͍ͨ • Θͨ͠ͷखݩʹ͸ෳ਺ͷαʔόʔ͕͋Δ • certbot ͩͱ /etc/letsencrypt ͱ͔ʹࡶʹஔ͔Εͯࣗ෼Ͱ؅ཧ͢Δ ඞཁ͕͋Δ (ΊΜͲ͍)ɻ

Slide 15

Slide 15 text

ͳΜͱ͔͍ͨ͠

Slide 16

Slide 16 text

ͭ͘Γ·ͨ͠ • https://github.com/sorah/acmesmith • Acmesmith: An effective ACME client to operate on multiple servers environment with the cloud

Slide 17

Slide 17 text

sorah/acmesmith • ACME client designed to work on multiple servers • ACME registration, domain authorization, certiﬁcate requests • Tested against Let's encrypt • Storing keys in several ways (Currently AWS S3 is supported) • Challenge responses (Currently dns-01 with AWS Route 53 is supported)

Slide 18

Slide 18 text

sorah/acmesmith • Ruby ੡ • ࣗಈߋ৽ (ࢦఆ೔਺ະຬͷূ໌ॻΛ୳͖ͯͯ͠ request ͠ͳ͓͢); Ͳ ͔͜1ՕॴͰcronͰճͤ͹ok • (ಉࠝͯ͠Δ S3 plugin) ͸γϯϓϧͳߏ଄Ͱূ໌ॻ΍ΩʔΛอଘ͢Δ ͷͰɺαʔόʔ্Ͱ͸ aws-cli ͳͲͰ伴ɾূ໌ॻΛऔಘ͢Ε͹ OK

Slide 19

Slide 19 text

sorah/acmesmith • ϓϥΨϒϧͳػߏͰ challenge responder ΍ storage Λ௥ՃͰ͖Δ • ͓અհ͸͠ͳ͍ • Θͨ͠ͷधཁʹ߹Θͤͯ࡞ͬͨͷͰݱঢ় AWS S3 + Route53 ͷΈ • (ݱঢ় OpenStack ͷ Designate (DNSaaS) ޲͚ͷ gem ͕͋Γ·͢)

Slide 20

Slide 20 text

Acmesmith (S3+Route53) • acmesmith register CONTACT • acmesmith authorize test.example.org • acmesmith request test.example.org • acmesmith show-certiﬁcate test.example.org

Slide 21

Slide 21 text

ิ଍: Identiﬁer Validation Challenges • ACME ϓϩτίϧʹ͓͍ͯυϝΠϯͷॴ༗ऀ֬ೝΛ͢ΔͨΊͷϑϩʔ • http-01: ࢦఆ͞Εͨύεʹࢦఆ͞ΕͨจࣈྻΛ account key Ͱॺ໊ɺ഑ஔͯ͠ೝূ • tls-sni-02: SNI Ͱܨ͍ͩ࣌ʹฦ͢ূ໌ॻͷ SAN ʹ *.acme.invalid ͷܗͰࢦఆ͞Εͨจࣈྻʹ ॺ໊ͨ͠σʔλΛؚ·ͤͯೝূ • dns-01: ࢦఆ͞ΕͨจࣈྻΛॺ໊ͯ͠σʔλΛυϝΠϯͷԼʹTXTϨίʔυͱͯ͠ઃఆͯ͠ೝ ূ • oob-01: out of band, ࣗಈԽ͞Ε͍ͯͳ͍ೝূ༻ • Acmesmith ͸ݱঢ় out of the box Ͱ͸ Route 53 + dns-01 ʹରԠ

Slide 22

Slide 22 text

sorah/acmesmith • ·ͩग़དྷ͍ͯͳ͍ࣄ • post issuance hook (ൃߦޙࣗಈͰαʔόʔʹ഑ஔ͍ͨ͠) • AWS S3, Route53 Ҏ֎΁ͷରԠ (୭͔΍ͬͯ͘Εʙ) • ϓϥάΠϯճΓͷυΩϡϝϯςʔγϣϯ