Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

Avatar for rrreeeyyy rrreeeyyy
November 12, 2015
Technology
2
1.4k

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました

Avatar for rrreeeyyy

rrreeeyyy

November 12, 2015
Tweet

More Decks by rrreeeyyy

See All by rrreeeyyy
Rethinking Incident Response: Context-Aware AI in Practice - Incident Buddy Edition -
Avatar for rrreeeyyy rrreeeyyy
0
180
Rethinking Incident Response: Context-Aware AI in Practice
Avatar for rrreeeyyy rrreeeyyy
3
2.2k
Incident Response Practices: Waroom's Features and Future Challenges
Avatar for rrreeeyyy rrreeeyyy
0
250
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
Avatar for rrreeeyyy rrreeeyyy
1
5.7k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
Avatar for rrreeeyyy rrreeeyyy
4
2.5k
信頼性の育て方 / mackerel-meetup-15
Avatar for rrreeeyyy rrreeeyyy
10
2.8k
SRE の歩き方・進め方 / sre-walk-through-procedure
Avatar for rrreeeyyy rrreeeyyy
0
8.9k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
Avatar for rrreeeyyy rrreeeyyy
11
13k
Cookpad and Prometheus
Avatar for rrreeeyyy rrreeeyyy
6
21k

Other Decks in Technology

See All in Technology
【保存版】「ガチャ」からの脱却:Gemini × Veoで作る、意図を反映するAI動画制作ワークフロー
Avatar for 月ねこAI nekoailab
0
110
GitHub を組織的に使いこなすために ソニーが実践した全社展開のプラクティス
Avatar for ソニー株式会社 sony
14
8.2k
Pandocでmd→pptx便利すぎワロタwww
Avatar for meow meow_noisy
2
1k
Kill the Vibe? Architecture in the age of AI
Avatar for Stefan Toth stoth
1
120
Codeer.LowCode.Blazor 紹介と成長録
Avatar for wada-wada wadawada
0
100
Datadog LLM Observabilityで実現するLLMOps実践事例 / practical-llm-observability-with-datadog
Avatar for 逆井(さかさい) k6s4i53rx
0
180
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
2.9k
MAP-7thplaceSolution
Avatar for yukichi0403 yukichi0403
2
170
その意思決定、まだ続けるんですか? ~痛みを超えて未来を作る、AI時代の撤退とピボットの技術~
Avatar for Michiru Kato applism118
42
24k
ページの可視領域を算出する方法について整理する
Avatar for yamatai12 yamatai1212
0
100
一億総業務改善を支える社内AIエージェント基盤の要諦
Avatar for Yuku Kotani yukukotani
4
1.9k
都市スケールAR制作で気をつけること
Avatar for segur segur
0
210

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
180
10k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.1k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
60
9.6k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.9k
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
697
190k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k

Transcript

  1. Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 1

  2. Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12

    2

  3. Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure

    • Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ͸ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3

  4. Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ͸ 90

    ೔ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ୹͘͢Δ༧ఆΒ͍͠ • Domain validation ͸ ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4

  5. ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 5

  6. ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ

    • ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮૷͸ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮૷͸ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6

  7. Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ͸·ͣ͜͜Λݟͯ endpoint

    Λ೺Ѳ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7

  8. Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొ࿥Λߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ

    JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ෇͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:[email protected]", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖͸ͦΕΛ࢖ͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8

  9. Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔౳Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બ΂Δ •

    SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳ਺ͷํ๏Λ "combinations" ͷ഑ྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠৔߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9

  10. • ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":

    "example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10

  11. Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ͸

    A Ϩίʔυ΋͘͠͸ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • த਎ʹ͸ॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ࢖༻͢Δ • ஋Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11

  12. New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid

    ͳ৔߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖͸ 403 ͱ͔͕ฦΔ • New Cert ͸ /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • ໪࿦ JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke ͸ /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ౳ʹࣦޮ৘ใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12

  13. letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13

  14. letsencrypt • લड़ͷ ACME ͷॾʑΛ΍ͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge

    Λ૝ఆ͍ͯ͠Δ໛༷ • Ҿ਺ϕʔεͰυϝΠϯ౳ͷύϥϝʔλΛઃఆ͢Δ • Apache ΍ Nginx ͷઃఆΛύʔεͨ͠Γॻ͖׵͑ͨΓ΋ग़དྷΔ • Nginx ͸ experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λ࢖ͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14

  15. letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑ΍ͬͯ͘ΕΔ • ؀ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔

    pip ͱ͔) • ( _gentoo_common.sh ΋͋ͬͨ) • Virtualenv ͷ activate ͱ͔΋΍ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͸͜ΕΛ࢖͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15

  16. letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳ਺ࢦఆ͢Δ͜ͱͰ SANs ʹෳ਺ͷυϝΠϯ͕ॻ͔ΕΔ໛༷ •

    ৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ ഑Լʹ༷ʑͳσΟϨΫτϦ͕ੜ੒͞ΕΔ • ࠷৽ͷূ໌ॻ͸ /etc/letsencrypt/live/${DOMAIN_NAME} ഑Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ഑Լͷ΋ͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16

  17. letsencrypt • ssl_certificate ʹ͸ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ͸ privkey.pem

    Λࢦఆ͢Δ • ౰વ͕ͩ Postfix/Dovecot Ͱ΋ͪΌΜͱ࢖͍͑ͯΔ • iPhone/Android ͔Β΋Τϥʔແ͘઀ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ౳ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ࢖͏ࡍ͸݁߹ॱʹ஫ҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17

  18. ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌୅ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕୹ΊͳͷͰߋ৽ࣗಈԽ͸ඞਢͳؾ͕͢Δ •

    ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ΋͍͍͚Ͳ࠷ۙͷ CloudFlare ͸ϫϯΫϦοΫͰ DNSSEC ΍ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18

  19. ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •

    https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19