Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
Search
rrreeeyyy
November 12, 2015
Technology
2
1.2k
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました
rrreeeyyy
November 12, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
3
1.6k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
9
1.9k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.3k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
11k
Cookpad and Prometheus
rrreeeyyy
6
20k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
4.9k
A survey of anomaly detection methodologies for web system
rrreeeyyy
5
1.1k
エンジニアリングをちゃんとやる あるいは 人類の平和 について / wsa02-rrreeeyyy
rrreeeyyy
13
2.8k
「自立」したWebシステムを創る。自分の好きなことをする世界を目指して。/ ipsj-one-2018-rrreeeyyy
rrreeeyyy
3
1.7k
Other Decks in Technology
See All in Technology
OpenStack再入門「アーキテクチャ編」
kajinamit
0
250
Microsoft Fabric 開発ガイド
ryomaru0825
6
2.7k
B+木入門:PHPで理解する データベースインデックスの仕組み/b-plus-tree-101
hanhan1978
5
2.8k
SREのキャリア、 あるいは生態 / #ya8
cohalz
10
1k
『LeanとDevOpsの科学』をきちんと解読する 〜Four Keys だけじゃ絶対もったいなくなる話〜
bonotake
27
6.6k
スケジュール指定のFargate Spotと友達になれた話
news_it_enj
0
240
S3成長記録@Storage-JAWS#3
p0n
0
130
新卒1年目がプロジェクトを進めるときにコケたポイント
ryunakayama
1
110
調整さんの調整結果をカレンダーへ登録するGPTsを作った話
hrsano645
1
160
[AWS Expert Online for JAWS-UG]AWS SAW を使ったトラブルシューティング効率化のススメ
furuton
0
170
OCI Data Science Service 製品概要
oracle4engineer
PRO
0
110
ISUCON入門以前_ISUNARABE_LT#1
sadnessojisan
13
2.5k
Featured
See All Featured
WebSockets: Embracing the real-time Web
robhawkes
59
6.9k
Being A Developer After 40
akosma
56
580k
Facilitating Awesome Meetings
lara
39
5.5k
Clear Off the Table
cherdarchuk
82
310k
Pencils Down: Stop Designing & Start Developing
hursman
115
11k
Code Reviewing Like a Champion
maltzj
512
39k
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
8
8.2k
The Mythical Team-Month
searls
214
42k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
930
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.8k
Debugging Ruby Performance
tmm1
68
11k
Transcript
Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 1
Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12
2
Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure
• Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3
Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ 90
ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ͘͢Δ༧ఆΒ͍͠ • Domain validation ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4
ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 5
ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ
• ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6
Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ·ͣ͜͜Λݟͯ endpoint
ΛѲ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7
Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొΛߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ
JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:
[email protected]
", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖ͦΕΛͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8
Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બΔ •
SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳͷํ๏Λ "combinations" ͷྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9
• ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":
"example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10
Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ
A Ϩίʔυ͘͠ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • தʹॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ༻͢Δ • Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11
New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid
ͳ߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖ 403 ͱ͔͕ฦΔ • New Cert /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ʹࣦޮใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12
letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13
letsencrypt • લड़ͷ ACME ͷॾʑΛͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge
Λఆ͍ͯ͠Δ༷ • ҾϕʔεͰυϝΠϯͷύϥϝʔλΛઃఆ͢Δ • Apache Nginx ͷઃఆΛύʔεͨ͠Γॻ͖͑ͨΓग़དྷΔ • Nginx experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14
letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑͬͯ͘ΕΔ • ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔
pip ͱ͔) • ( _gentoo_common.sh ͋ͬͨ) • Virtualenv ͷ activate ͱ͔ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͜ΕΛ͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15
letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳࢦఆ͢Δ͜ͱͰ SANs ʹෳͷυϝΠϯ͕ॻ͔ΕΔ༷ •
৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ Լʹ༷ʑͳσΟϨΫτϦ͕ੜ͞ΕΔ • ࠷৽ͷূ໌ॻ /etc/letsencrypt/live/${DOMAIN_NAME} Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ԼͷͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16
letsencrypt • ssl_certificate ʹ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ privkey.pem
Λࢦఆ͢Δ • વ͕ͩ Postfix/Dovecot ͰͪΌΜͱ͍͑ͯΔ • iPhone/Android ͔ΒΤϥʔແ͘ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ͏ࡍ݁߹ॱʹҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17
ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕ΊͳͷͰߋ৽ࣗಈԽඞਢͳؾ͕͢Δ •
ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ͍͍͚Ͳ࠷ۙͷ CloudFlare ϫϯΫϦοΫͰ DNSSEC ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18
ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •
https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19