Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

28e154e6e0351c70091997d2f574295a?s=47 rrreeeyyy
November 12, 2015
Technology
2
970

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました

28e154e6e0351c70091997d2f574295a?s=128

rrreeeyyy

November 12, 2015
Tweet

More Decks by rrreeeyyy

See All by rrreeeyyy
SRE の歩き方・進め方 / sre-walk-through-procedure
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
0
330
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
11
9.3k
Cookpad and Prometheus
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
6
18k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
5
4.2k
A survey of anomaly detection methodologies for web system
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
5
780
エンジニアリングをちゃんとやる あるいは 人類の平和 について / wsa02-rrreeeyyy
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
13
2.6k
「自立」したWebシステムを創る。自分の好きなことをする世界を目指して。/ ipsj-one-2018-rrreeeyyy
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
3
1.5k
Web サービスの信頼性と運用の自動化について / iot40-rrreeeyyy
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
12
6.8k
SRE at Cookpad
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
1
980

Other Decks in Technology

See All in Technology
5分で完全理解するGoのiota
9c23bec5e8b0aa1d9458d40800987347?s=48 uji
3
2.1k
OSINT/GEOINT ワークショップ 20220514 古橋資料
5314ec2302336bf68c95bdb5b1476227?s=48 furuhashilab
2
310
プルリク作ったらデプロイされる仕組み on ECS / SRE NEXT 2022
2537ce662eb08182e617ec7944981437?s=48 carta_engineering
1
350
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
0
180
失敗を経験したあなたへ〜建設的なインシデントの振り返りを行うために実践するべきこと〜
8989dfee7c4a1360817fccb657d695bc?s=48 nobuakikikuchi
0
190
開発者のための GitHub Organization の安全な運用と 継続的なモニタリング
9b565bcc5e776225de62be25cc30f97f?s=48 flatt_security
3
3.8k
次期LTSに備えよ!AOS 6.1 HCI Core 編
A4d5b3aae2e67f31b513c88c726514c2?s=48 smzksts
0
180
新規ゲームのリリース(開発)前からのSRE活動
B276b9088550bc522536ab9d471aeebe?s=48 tmkoikee
1
340
Stripe Search APIを利用した、LINEとStripeの顧客情報連携/line-dc-202205
E77ca94266ffd3d69f8aee91f7468264?s=48 stripehideokamoto
0
130
Graph API について
C0c0e8e4d7f83912cb1b1a0699df82a5?s=48 miyakemito
0
280
HTTP Session Architecture Pattern
484571ccba0db66b69dc11761afdd0c4?s=48 chiroito
1
400
CTOのためのQAのつくりかた #scrumniigata / SigSQA How to create QA for CTOs and VPoEs
63d1e567c2c7b1dbf340f7bea9a92876?s=48 caori_t
0
300

Featured

See All Featured
Documentation Writing (for coders)
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
48
2.5k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Fd55de4174accaf3b4f030e43a8a70c6?s=48 marcduiker
3
440
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
Bootstrapping a Software Product
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
295
110k
Fashionably flexible responsive web design (full day workshop)
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
62k
Dealing with People You Can't Stand - Big Design 2015
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
350
21k
Debugging Ruby Performance
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
65
10k
jQuery: Nuts, Bolts and Bling
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
6.4k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.1k
Rebuilding a faster, lazier Slack
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
62
7.2k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
29
4.3k
Fontdeck: Realign not Redesign
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
4.1k

Transcript

  1. Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 1

  2. Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12

    2

  3. Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure

    • Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ͸ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3

  4. Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ͸ 90

    ೔ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ୹͘͢Δ༧ఆΒ͍͠ • Domain validation ͸ ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4

  5. ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 5

  6. ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ

    • ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮૷͸ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮૷͸ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6

  7. Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ͸·ͣ͜͜Λݟͯ endpoint

    Λ೺Ѳ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7

  8. Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొ࿥Λߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ

    JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ෇͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:cert-admin@example.com", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖͸ͦΕΛ࢖ͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8

  9. Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔౳Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બ΂Δ •

    SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳ਺ͷํ๏Λ "combinations" ͷ഑ྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠৔߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9

  10. • ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":

    "example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10

  11. Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ͸

    A Ϩίʔυ΋͘͠͸ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • த਎ʹ͸ॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ࢖༻͢Δ • ஋Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11

  12. New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid

    ͳ৔߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖͸ 403 ͱ͔͕ฦΔ • New Cert ͸ /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • ໪࿦ JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke ͸ /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ౳ʹࣦޮ৘ใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12

  13. letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13

  14. letsencrypt • લड़ͷ ACME ͷॾʑΛ΍ͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge

    Λ૝ఆ͍ͯ͠Δ໛༷ • Ҿ਺ϕʔεͰυϝΠϯ౳ͷύϥϝʔλΛઃఆ͢Δ • Apache ΍ Nginx ͷઃఆΛύʔεͨ͠Γॻ͖׵͑ͨΓ΋ग़དྷΔ • Nginx ͸ experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λ࢖ͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14

  15. letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑ΍ͬͯ͘ΕΔ • ؀ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔

    pip ͱ͔) • ( _gentoo_common.sh ΋͋ͬͨ) • Virtualenv ͷ activate ͱ͔΋΍ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͸͜ΕΛ࢖͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15

  16. letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳ਺ࢦఆ͢Δ͜ͱͰ SANs ʹෳ਺ͷυϝΠϯ͕ॻ͔ΕΔ໛༷ •

    ৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ ഑Լʹ༷ʑͳσΟϨΫτϦ͕ੜ੒͞ΕΔ • ࠷৽ͷূ໌ॻ͸ /etc/letsencrypt/live/${DOMAIN_NAME} ഑Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ഑Լͷ΋ͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16

  17. letsencrypt • ssl_certificate ʹ͸ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ͸ privkey.pem

    Λࢦఆ͢Δ • ౰વ͕ͩ Postfix/Dovecot Ͱ΋ͪΌΜͱ࢖͍͑ͯΔ • iPhone/Android ͔Β΋Τϥʔແ͘઀ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ౳ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ࢖͏ࡍ͸݁߹ॱʹ஫ҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17

  18. ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌୅ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕୹ΊͳͷͰߋ৽ࣗಈԽ͸ඞਢͳؾ͕͢Δ •

    ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ΋͍͍͚Ͳ࠷ۙͷ CloudFlare ͸ϫϯΫϦοΫͰ DNSSEC ΍ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18

  19. ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •

    https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19