Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
Search
rrreeeyyy
November 12, 2015
Technology
2
1.3k
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました
rrreeeyyy
November 12, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
0
64
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
230
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
5.2k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.4k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
2.6k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.8k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
21k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.5k
Other Decks in Technology
See All in Technology
MobileActOsaka_250704.pdf
akaitadaaki
0
150
fukabori.fm 出張版: 売上高617億円と高稼働率を陰で支えた社内ツール開発のあれこれ話 / 20250704 Yoshimasa Iwase & Tomoo Morikawa
shift_evolve
PRO
2
8k
United Airlines Customer Service– Call 1-833-341-3142 Now!
airhelp
0
170
AWS認定を取る中で感じたこと
siromi
1
190
〜『世界中の家族のこころのインフラ』を目指して”次の10年”へ〜 SREが導いたグローバルサービスの信頼性向上戦略とその舞台裏 / Towards the Next Decade: Enhancing Global Service Reliability
kohbis
2
310
Coinbase™®️ USA Contact Numbers: Complete 2025 Support Guide
officialcoinbasehelpcenter
0
440
American airlines ®️ USA Contact Numbers: Complete 2025 Support Guide
airhelpsupport
0
390
使いたいMCPサーバーはWeb APIをラップして自分で作る #QiitaBash
bengo4com
0
2k
さくらのIaaS基盤のモニタリングとOpenTelemetry/OSC Hokkaido 2025
fujiwara3
3
460
Delta airlines Customer®️ USA Contact Numbers: Complete 2025 Support Guide
deltahelp
0
820
AI エージェントと考え直すデータ基盤
na0
12
3.4k
クラウド開発の舞台裏とSRE文化の醸成 / SRE NEXT 2025 Lunch Session
kazeburo
1
240
Featured
See All Featured
Designing for humans not robots
tammielis
253
25k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.4k
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
The Straight Up "How To Draw Better" Workshop
denniskardys
235
140k
Into the Great Unknown - MozCon
thekraken
40
1.9k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Music & Morning Musume
bryan
46
6.6k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
6
310
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Unsuck your backbone
ammeep
671
58k
Transcript
Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 1
Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12
2
Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure
• Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3
Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ 90
ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ͘͢Δ༧ఆΒ͍͠ • Domain validation ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4
ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 5
ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ
• ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6
Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ·ͣ͜͜Λݟͯ endpoint
ΛѲ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7
Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొΛߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ
JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:
[email protected]
", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖ͦΕΛͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8
Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બΔ •
SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳͷํ๏Λ "combinations" ͷྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9
• ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":
"example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10
Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ
A Ϩίʔυ͘͠ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • தʹॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ༻͢Δ • Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11
New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid
ͳ߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖ 403 ͱ͔͕ฦΔ • New Cert /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ʹࣦޮใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12
letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13
letsencrypt • લड़ͷ ACME ͷॾʑΛͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge
Λఆ͍ͯ͠Δ༷ • ҾϕʔεͰυϝΠϯͷύϥϝʔλΛઃఆ͢Δ • Apache Nginx ͷઃఆΛύʔεͨ͠Γॻ͖͑ͨΓग़དྷΔ • Nginx experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14
letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑͬͯ͘ΕΔ • ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔
pip ͱ͔) • ( _gentoo_common.sh ͋ͬͨ) • Virtualenv ͷ activate ͱ͔ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͜ΕΛ͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15
letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳࢦఆ͢Δ͜ͱͰ SANs ʹෳͷυϝΠϯ͕ॻ͔ΕΔ༷ •
৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ Լʹ༷ʑͳσΟϨΫτϦ͕ੜ͞ΕΔ • ࠷৽ͷূ໌ॻ /etc/letsencrypt/live/${DOMAIN_NAME} Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ԼͷͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16
letsencrypt • ssl_certificate ʹ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ privkey.pem
Λࢦఆ͢Δ • વ͕ͩ Postfix/Dovecot ͰͪΌΜͱ͍͑ͯΔ • iPhone/Android ͔ΒΤϥʔແ͘ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ͏ࡍ݁߹ॱʹҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17
ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕ΊͳͷͰߋ৽ࣗಈԽඞਢͳؾ͕͢Δ •
ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ͍͍͚Ͳ࠷ۙͷ CloudFlare ϫϯΫϦοΫͰ DNSSEC ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18
ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •
https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19