Let's Encrypt & ACME Overview (hbstyle-2015-1112)

Transcript

1. Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (

   @rrreeeyyy ) 2015/11/12 1

2. Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12

   2

3. Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure

   • Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ͸ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3

4. Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ͸ 90

   ೔ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ୹͘͢Δ༧ఆΒ͍͠ • Domain validation ͸ ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4

5. ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (

   @rrreeeyyy ) 2015/11/12 5

6. ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ

   • ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮૷͸ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮૷͸ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6

7. Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ͸·ͣ͜͜Λݟͯ endpoint

   Λ೺Ѳ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7

8. Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొ࿥Λߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ

   JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ෇͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:[email protected]", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖͸ͦΕΛ࢖ͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8

9. Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔౳Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બ΂Δ •

   SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳ਺ͷํ๏Λ "combinations" ͷ഑ྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠৔߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9

10. • ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":

    "example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10

11. Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ͸

    A Ϩίʔυ΋͘͠͸ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • த਎ʹ͸ॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ࢖༻͢Δ • ஋Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11

12. New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid

    ͳ৔߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖͸ 403 ͱ͔͕ฦΔ • New Cert ͸ /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • ໪࿦ JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke ͸ /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ౳ʹࣦޮ৘ใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12

13. letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13

14. letsencrypt • લड़ͷ ACME ͷॾʑΛ΍ͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge

    Λ૝ఆ͍ͯ͠Δ໛༷ • Ҿ਺ϕʔεͰυϝΠϯ౳ͷύϥϝʔλΛઃఆ͢Δ • Apache ΍ Nginx ͷઃఆΛύʔεͨ͠Γॻ͖׵͑ͨΓ΋ग़དྷΔ • Nginx ͸ experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λ࢖ͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14

15. letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑ΍ͬͯ͘ΕΔ • ؀ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔

    pip ͱ͔) • ( _gentoo_common.sh ΋͋ͬͨ) • Virtualenv ͷ activate ͱ͔΋΍ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͸͜ΕΛ࢖͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15

16. letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳ਺ࢦఆ͢Δ͜ͱͰ SANs ʹෳ਺ͷυϝΠϯ͕ॻ͔ΕΔ໛༷ •

    ৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ ഑Լʹ༷ʑͳσΟϨΫτϦ͕ੜ੒͞ΕΔ • ࠷৽ͷূ໌ॻ͸ /etc/letsencrypt/live/${DOMAIN_NAME} ഑Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ഑Լͷ΋ͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16

17. letsencrypt • ssl_certificate ʹ͸ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ͸ privkey.pem

    Λࢦఆ͢Δ • ౰વ͕ͩ Postfix/Dovecot Ͱ΋ͪΌΜͱ࢖͍͑ͯΔ • iPhone/Android ͔Β΋Τϥʔແ͘઀ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ౳ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ࢖͏ࡍ͸݁߹ॱʹ஫ҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17

18. ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌୅ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕୹ΊͳͷͰߋ৽ࣗಈԽ͸ඞਢͳؾ͕͢Δ •

    ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ΋͍͍͚Ͳ࠷ۙͷ CloudFlare ͸ϫϯΫϦοΫͰ DNSSEC ΍ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18

19. ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •

    https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19