Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
Search
rrreeeyyy
November 12, 2015
Technology
2
1.3k
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました
rrreeeyyy
November 12, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
3.4k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.2k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
9
2.4k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.5k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
20k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.2k
A survey of anomaly detection methodologies for web system
rrreeeyyy
5
1.2k
Other Decks in Technology
See All in Technology
Platform Engineering for Software Developers and Architects
syntasso
1
520
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
130
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170
SSMRunbook作成の勘所_20241120
koichiotomo
2
130
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
300
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Featured
See All Featured
GraphQLとの向き合い方2022年版
quramy
43
13k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
6.9k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
BBQ
matthewcrist
85
9.3k
Designing for Performance
lara
604
68k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
GitHub's CSS Performance
jonrohan
1030
460k
What's in a price? How to price your products and services
michaelherold
243
12k
Transcript
Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 1
Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12
2
Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure
• Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3
Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ 90
ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ͘͢Δ༧ఆΒ͍͠ • Domain validation ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4
ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 5
ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ
• ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6
Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ·ͣ͜͜Λݟͯ endpoint
ΛѲ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7
Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొΛߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ
JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:
[email protected]
", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖ͦΕΛͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8
Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બΔ •
SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳͷํ๏Λ "combinations" ͷྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9
• ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":
"example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10
Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ
A Ϩίʔυ͘͠ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • தʹॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ༻͢Δ • Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11
New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid
ͳ߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖ 403 ͱ͔͕ฦΔ • New Cert /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ʹࣦޮใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12
letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13
letsencrypt • લड़ͷ ACME ͷॾʑΛͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge
Λఆ͍ͯ͠Δ༷ • ҾϕʔεͰυϝΠϯͷύϥϝʔλΛઃఆ͢Δ • Apache Nginx ͷઃఆΛύʔεͨ͠Γॻ͖͑ͨΓग़དྷΔ • Nginx experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14
letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑͬͯ͘ΕΔ • ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔
pip ͱ͔) • ( _gentoo_common.sh ͋ͬͨ) • Virtualenv ͷ activate ͱ͔ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͜ΕΛ͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15
letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳࢦఆ͢Δ͜ͱͰ SANs ʹෳͷυϝΠϯ͕ॻ͔ΕΔ༷ •
৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ Լʹ༷ʑͳσΟϨΫτϦ͕ੜ͞ΕΔ • ࠷৽ͷূ໌ॻ /etc/letsencrypt/live/${DOMAIN_NAME} Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ԼͷͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16
letsencrypt • ssl_certificate ʹ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ privkey.pem
Λࢦఆ͢Δ • વ͕ͩ Postfix/Dovecot ͰͪΌΜͱ͍͑ͯΔ • iPhone/Android ͔ΒΤϥʔແ͘ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ͏ࡍ݁߹ॱʹҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17
ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕ΊͳͷͰߋ৽ࣗಈԽඞਢͳؾ͕͢Δ •
ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ͍͍͚Ͳ࠷ۙͷ CloudFlare ϫϯΫϦοΫͰ DNSSEC ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18
ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •
https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19
rrreeeyyy
syntasso
sansantech
kamina_zzz
tenshoku_draft
lmi
kakehashi
koichiotomo
fujiwara3
iotengineer22
sugamasao
tkikuchi
oracle4engineer
quramy
aleyda
chriscoyier
honnibal
kevinliebholz
matthewcrist
lara
productmarketing
maggiecrowley
denniskardys
jonrohan
michaelherold
