Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
Search
rrreeeyyy
November 12, 2015
Technology
2
1.3k
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました
rrreeeyyy
November 12, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
210
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
4.6k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.3k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
2.6k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.7k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
20k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.4k
A survey of anomaly detection methodologies for web system
rrreeeyyy
5
1.3k
Other Decks in Technology
See All in Technology
4/17/25 - CIJUG - Java Meets AI: Build LLM-Powered Apps with LangChain4j (part 2)
edeandrea
PRO
0
140
CodePipelineのアクション統合から学ぶAWS CDKの抽象化技術 / codepipeline-actions-cdk-abstraction
gotok365
5
310
SREからゼロイチプロダクト開発へ ー越境する打席の立ち方と期待への応え方ー / Product Engineering Night #8
itkq
2
1k
MCPを活用した検索システムの作り方/How to implement search systems with MCP #catalks
quiver
13
7.1k
Notion x ポストモーテムで広げる組織の学び / Notion x Postmortem
isaoshimizu
1
120
Writing Ruby Scripts with TypeProf
mame
0
380
日経電子版 for Android の技術的課題と取り組み(令和最新版)/android-20250423
nikkei_engineer_recruiting
1
470
Goの組織でバックエンドTypeScriptを採用してどうだったか / How was adopting backend TypeScript in a Golang company
kaminashi
12
8.6k
AIエージェント開発手法と業務導入のプラクティス
ykosaka
9
2.2k
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
1
310
今日からはじめるプラットフォームエンジニアリング
jacopen
8
1.7k
Making a MIDI controller device with PicoRuby/R2P2 (RubyKaigi 2025 LT)
risgk
1
320
Featured
See All Featured
Six Lessons from altMBA
skipperchong
28
3.7k
Raft: Consensus for Rubyists
vanstee
137
6.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
13
1.4k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Statistics for Hackers
jakevdp
798
220k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
The World Runs on Bad Software
bkeepers
PRO
68
11k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
Building a Modern Day E-commerce SEO Strategy
aleyda
40
7.2k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Transcript
Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 1
Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12
2
Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure
• Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3
Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ 90
ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ͘͢Δ༧ఆΒ͍͠ • Domain validation ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4
ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 5
ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ
• ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6
Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ·ͣ͜͜Λݟͯ endpoint
ΛѲ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7
Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొΛߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ
JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:
[email protected]
", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖ͦΕΛͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8
Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બΔ •
SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳͷํ๏Λ "combinations" ͷྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9
• ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":
"example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10
Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ
A Ϩίʔυ͘͠ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • தʹॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ༻͢Δ • Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11
New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid
ͳ߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖ 403 ͱ͔͕ฦΔ • New Cert /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ʹࣦޮใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12
letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13
letsencrypt • લड़ͷ ACME ͷॾʑΛͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge
Λఆ͍ͯ͠Δ༷ • ҾϕʔεͰυϝΠϯͷύϥϝʔλΛઃఆ͢Δ • Apache Nginx ͷઃఆΛύʔεͨ͠Γॻ͖͑ͨΓग़དྷΔ • Nginx experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14
letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑͬͯ͘ΕΔ • ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔
pip ͱ͔) • ( _gentoo_common.sh ͋ͬͨ) • Virtualenv ͷ activate ͱ͔ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͜ΕΛ͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15
letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳࢦఆ͢Δ͜ͱͰ SANs ʹෳͷυϝΠϯ͕ॻ͔ΕΔ༷ •
৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ Լʹ༷ʑͳσΟϨΫτϦ͕ੜ͞ΕΔ • ࠷৽ͷূ໌ॻ /etc/letsencrypt/live/${DOMAIN_NAME} Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ԼͷͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16
letsencrypt • ssl_certificate ʹ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ privkey.pem
Λࢦఆ͢Δ • વ͕ͩ Postfix/Dovecot ͰͪΌΜͱ͍͑ͯΔ • iPhone/Android ͔ΒΤϥʔແ͘ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ͏ࡍ݁߹ॱʹҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17
ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕ΊͳͷͰߋ৽ࣗಈԽඞਢͳؾ͕͢Δ •
ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ͍͍͚Ͳ࠷ۙͷ CloudFlare ϫϯΫϦοΫͰ DNSSEC ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18
ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •
https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19
rrreeeyyy
edeandrea
gotok365
itkq
quiver
isaoshimizu
mame
nikkei_engineer_recruiting
kaminashi
ykosaka
inesmontani
jacopen
risgk
skipperchong
vanstee
pedronauck
reverentgeek
lynnandtonic
jakevdp
yeseniaperezcruz
destraynor
bkeepers
marktimemedia
aleyda
erikaheidi
