$30 off During Our Annual Pro Sale. View Details »

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

Avatar for rrreeeyyy rrreeeyyy
November 12, 2015
Technology
2
1.4k

Let's Encrypt & ACME Overview (hbstyle-2015-1112)

hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました

Avatar for rrreeeyyy

rrreeeyyy

November 12, 2015
Tweet

More Decks by rrreeeyyy

See All by rrreeeyyy
Rethinking Incident Response: Context-Aware AI in Practice - Incident Buddy Edition -
Avatar for rrreeeyyy rrreeeyyy
0
190
Rethinking Incident Response: Context-Aware AI in Practice
Avatar for rrreeeyyy rrreeeyyy
3
2.2k
Incident Response Practices: Waroom's Features and Future Challenges
Avatar for rrreeeyyy rrreeeyyy
0
260
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
Avatar for rrreeeyyy rrreeeyyy
1
5.7k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
Avatar for rrreeeyyy rrreeeyyy
4
2.5k
信頼性の育て方 / mackerel-meetup-15
Avatar for rrreeeyyy rrreeeyyy
10
2.8k
SRE の歩き方・進め方 / sre-walk-through-procedure
Avatar for rrreeeyyy rrreeeyyy
0
8.9k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
Avatar for rrreeeyyy rrreeeyyy
11
13k
Cookpad and Prometheus
Avatar for rrreeeyyy rrreeeyyy
6
21k

Other Decks in Technology

See All in Technology
MySQLとPostgreSQLのコレーション / Collation of MySQL and PostgreSQL
Avatar for とみたまさひろ tmtms
1
1.2k
Entity Framework Core におけるIN句クエリ最適化について
Avatar for tkym htkym
0
130
M&Aで拡大し続けるGENDAのデータ活用を促すためのDatabricks権限管理 / AEON TECH HUB #22
Avatar for GENDA genda
0
260
ソフトウェアエンジニアとAIエンジニアの役割分担についてのある事例
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
0
290
Snowflake Industry Days 2025 Nowcast
Avatar for tak takumimukaiyama
0
120
『君の名は』と聞く君の名は。 / Your name, you who asks for mine.
Avatar for NTT docomo Business nttcom
1
120
Microsoft Agent Frameworkの可観測性
Avatar for tomokusaba tomokusaba
1
110
モダンデータスタックの理想と現実の間で~1.3億人Vポイントデータ基盤の現在地とこれから~
Avatar for タロウ taromatsui_cccmkhd
2
270
「もしもデータ基盤開発で『強くてニューゲーム』ができたなら今の僕はどんなデータ基盤を作っただろう」
Avatar for AEON aeonpeople
0
250
「図面」から「法則」へ 〜メタ視点で読み解く現代のソフトウェアアーキテクチャ〜
Avatar for Satoshi Kobayashi scova0731
0
520
普段使ってるClaude Skillsの紹介(by Notebooklm)
Avatar for Higuchi kokoro zerebom
8
2.3k
ハッカソンから社内プロダクトへ AIエージェント「ko☆shi」開発で学んだ4つの重要要素
Avatar for そのだ sonoda_mj
6
1.7k

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
9.8k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
24
3.8k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
51k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
0
190
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
246
13k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
80
6.1k
Lessons Learnt from Crawling 1000+ Websites
Avatar for Charles Meaden charlesmeaden
PRO
0
960
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
1
210

Transcript

  1. Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 1

  2. Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12

    2

  3. Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure

    • Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ͸ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3

  4. Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ͸ 90

    ೔ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ୹͘͢Δ༧ఆΒ͍͠ • Domain validation ͸ ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4

  5. ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (

    @rrreeeyyy ) 2015/11/12 5

  6. ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ

    • ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮૷͸ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮૷͸ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6

  7. Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ͸·ͣ͜͜Λݟͯ endpoint

    Λ೺Ѳ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7

  8. Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొ࿥Λߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ

    JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ෇͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:[email protected]", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖͸ͦΕΛ࢖ͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8

  9. Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔౳Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બ΂Δ •

    SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳ਺ͷํ๏Λ "combinations" ͷ഑ྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠৔߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9

  10. • ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":

    "example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10

  11. Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ͸

    A Ϩίʔυ΋͘͠͸ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • த਎ʹ͸ॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ࢖༻͢Δ • ஋Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11

  12. New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid

    ͳ৔߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖͸ 403 ͱ͔͕ฦΔ • New Cert ͸ /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • ໪࿦ JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke ͸ /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ౳ʹࣦޮ৘ใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12

  13. letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13

  14. letsencrypt • લड़ͷ ACME ͷॾʑΛ΍ͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge

    Λ૝ఆ͍ͯ͠Δ໛༷ • Ҿ਺ϕʔεͰυϝΠϯ౳ͷύϥϝʔλΛઃఆ͢Δ • Apache ΍ Nginx ͷઃఆΛύʔεͨ͠Γॻ͖׵͑ͨΓ΋ग़དྷΔ • Nginx ͸ experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λ࢖ͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14

  15. letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑ΍ͬͯ͘ΕΔ • ؀ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔

    pip ͱ͔) • ( _gentoo_common.sh ΋͋ͬͨ) • Virtualenv ͷ activate ͱ͔΋΍ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͸͜ΕΛ࢖͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15

  16. letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳ਺ࢦఆ͢Δ͜ͱͰ SANs ʹෳ਺ͷυϝΠϯ͕ॻ͔ΕΔ໛༷ •

    ৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ ഑Լʹ༷ʑͳσΟϨΫτϦ͕ੜ੒͞ΕΔ • ࠷৽ͷূ໌ॻ͸ /etc/letsencrypt/live/${DOMAIN_NAME} ഑Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ഑Լͷ΋ͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16

  17. letsencrypt • ssl_certificate ʹ͸ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ͸ privkey.pem

    Λࢦఆ͢Δ • ౰વ͕ͩ Postfix/Dovecot Ͱ΋ͪΌΜͱ࢖͍͑ͯΔ • iPhone/Android ͔Β΋Τϥʔແ͘઀ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ౳ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ࢖͏ࡍ͸݁߹ॱʹ஫ҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17

  18. ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌୅ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕୹ΊͳͷͰߋ৽ࣗಈԽ͸ඞਢͳؾ͕͢Δ •

    ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ΋͍͍͚Ͳ࠷ۙͷ CloudFlare ͸ϫϯΫϦοΫͰ DNSSEC ΍ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18

  19. ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •

    https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19