Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for rrreeeyyy rrreeeyyy
November 12, 2015
Technology
2
1.4k

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました

Avatar for rrreeeyyy

rrreeeyyy

November 12, 2015
Tweet

More Decks by rrreeeyyy

See All by rrreeeyyy
Rethinking Incident Response: Context-Aware AI in Practice - Incident Buddy Edition -
Avatar for rrreeeyyy rrreeeyyy
0
210
Rethinking Incident Response: Context-Aware AI in Practice
Avatar for rrreeeyyy rrreeeyyy
3
2.3k
Incident Response Practices: Waroom's Features and Future Challenges
Avatar for rrreeeyyy rrreeeyyy
0
280
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
Avatar for rrreeeyyy rrreeeyyy
1
5.9k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
Avatar for rrreeeyyy rrreeeyyy
4
2.5k
信頼性の育て方 / mackerel-meetup-15
Avatar for rrreeeyyy rrreeeyyy
10
2.8k
SRE の歩き方・進め方 / sre-walk-through-procedure
Avatar for rrreeeyyy rrreeeyyy
0
8.9k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
Avatar for rrreeeyyy rrreeeyyy
11
13k
Cookpad and Prometheus
Avatar for rrreeeyyy rrreeeyyy
6
21k

Other Decks in Technology

See All in Technology
プロジェクトマネジメントをチームに宿す -ゼロからはじめるチームプロジェクトマネジメントは活動1年未満のチームの教科書です- / 20260304 Shigeki Morizane
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
250
20260311 技術SWG活動報告(デジタルアイデンティティ人材育成推進WG Ph2 活動報告会)
Avatar for OpenID Foundation Japan oidfj
0
290
vLLM Community Meetup Tokyo #3 オープニングトーク
Avatar for jpishikawa jpishikawa
0
320
AI は "道具" から "同僚" へ 自律型 AI エージェントの最前線と、AI 時代の人材の在り方 / Colleague in the AI Era - Autonomous AI Seminar 2026 at Niigata
Avatar for geeawa gawa
0
120
AWS DevOps Agent vs SRE俺 / AWS DevOps Agent vs me, the SRE
Avatar for SMS tech sms_tech
3
540
マルチアカウント環境でSecurity Hubの運用!導入の苦労とポイント / JAWS DAYS 2026
Avatar for GENDA genda
0
500
JAWSDAYS2026_A-6_現場SEが語る 回せるセキュリティ運用~設計で可視化、AIで加速する「楽に回る」運用設計のコツ~
Avatar for s-hata shoki_hata
0
3k
DevOpsエージェントで実現する!! AWS Well-Architected(W-A) を実現するシステム設計 / 20260307 Masaki Okuda
Avatar for SHIFT EVOLVE shift_evolve
PRO
3
600
Abuse report だけじゃない。AWS から緊急連絡が来る状況とは?昨今の攻撃や被害の事例の紹介と備えておきたい考え方について
Avatar for kazzpapa3 kazzpapa3
1
510
タスク管理も1on1も、もう「管理」じゃない ― KiroとBedrock AgentCoreで変わった"判断の仕事"
Avatar for Yusuke Shimizu yusukeshimizu
5
2.6k
Security Diaries of an Open Source IAM
Avatar for Alexander Schwartz ahus1
0
210
堅牢.py#2 LT資料
Avatar for t3tra t3tra
0
130

Featured

See All Featured
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
230k
Everyday Curiosity
Avatar for Cassini Nazir cassininazir
0
160
How to build an LLM SEO readiness audit: a practical framework
Avatar for Nick Samuel nmsamuel
1
670
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
250
The #1 spot is gone: here's how to win anyway
Avatar for Tamara Novitovic tamaranovitovic
2
980
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
49
9.9k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
7.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.7k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
Avatar for r-kagaya rkaga
60
42k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
1
3.5k
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.3k

Transcript

  1. Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 1

  2. Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12

    2

  3. Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure

    • Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ͸ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3

  4. Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ͸ 90

    ೔ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ୹͘͢Δ༧ఆΒ͍͠ • Domain validation ͸ ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4

  5. ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 5

  6. ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ

    • ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮૷͸ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮૷͸ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6

  7. Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ͸·ͣ͜͜Λݟͯ endpoint

    Λ೺Ѳ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7

  8. Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొ࿥Λߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ

    JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ෇͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:[email protected]", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖͸ͦΕΛ࢖ͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8

  9. Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔౳Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બ΂Δ •

    SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳ਺ͷํ๏Λ "combinations" ͷ഑ྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠৔߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9

  10. • ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":

    "example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10

  11. Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ͸

    A Ϩίʔυ΋͘͠͸ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • த਎ʹ͸ॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ࢖༻͢Δ • ஋Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11

  12. New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid

    ͳ৔߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖͸ 403 ͱ͔͕ฦΔ • New Cert ͸ /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • ໪࿦ JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke ͸ /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ౳ʹࣦޮ৘ใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12

  13. letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13

  14. letsencrypt • લड़ͷ ACME ͷॾʑΛ΍ͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge

    Λ૝ఆ͍ͯ͠Δ໛༷ • Ҿ਺ϕʔεͰυϝΠϯ౳ͷύϥϝʔλΛઃఆ͢Δ • Apache ΍ Nginx ͷઃఆΛύʔεͨ͠Γॻ͖׵͑ͨΓ΋ग़དྷΔ • Nginx ͸ experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λ࢖ͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14

  15. letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑ΍ͬͯ͘ΕΔ • ؀ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔

    pip ͱ͔) • ( _gentoo_common.sh ΋͋ͬͨ) • Virtualenv ͷ activate ͱ͔΋΍ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͸͜ΕΛ࢖͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15

  16. letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳ਺ࢦఆ͢Δ͜ͱͰ SANs ʹෳ਺ͷυϝΠϯ͕ॻ͔ΕΔ໛༷ •

    ৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ ഑Լʹ༷ʑͳσΟϨΫτϦ͕ੜ੒͞ΕΔ • ࠷৽ͷূ໌ॻ͸ /etc/letsencrypt/live/${DOMAIN_NAME} ഑Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ഑Լͷ΋ͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16

  17. letsencrypt • ssl_certificate ʹ͸ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ͸ privkey.pem

    Λࢦఆ͢Δ • ౰વ͕ͩ Postfix/Dovecot Ͱ΋ͪΌΜͱ࢖͍͑ͯΔ • iPhone/Android ͔Β΋Τϥʔແ͘઀ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ౳ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ࢖͏ࡍ͸݁߹ॱʹ஫ҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17

  18. ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌୅ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕୹ΊͳͷͰߋ৽ࣗಈԽ͸ඞਢͳؾ͕͢Δ •

    ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ΋͍͍͚Ͳ࠷ۙͷ CloudFlare ͸ϫϯΫϦοΫͰ DNSSEC ΍ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18

  19. ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •

    https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19