Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
Search
rrreeeyyy
November 12, 2015
Technology
1.4k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Let's Encrypt & ACME Overview (hbstyle-2015-1112)
hbstyle20151112 で Let's Encrypt と ACME について雑に喋りました
rrreeeyyy
November 12, 2015
More Decks by rrreeeyyy
See All by rrreeeyyy
Reliability in the Age of AI: Engineering for AI Velocity
rrreeeyyy
0
160
Rethinking Incident Response: Context-Aware AI in Practice - Incident Buddy Edition -
rrreeeyyy
0
250
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
3
2.5k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
310
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
6.2k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.6k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
3k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
9k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
13k
Other Decks in Technology
See All in Technology
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
1
2.4k
Baseline対応のDOMの型定義を作った
uhyo
3
720
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
3.3k
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
1.6k
AIDLC_ヤフーショッピングの取り組み
lycorptech_jp
PRO
0
560
デジタル・デザイン:次の50年を描く「進化する青写真」
y150saya
0
820
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
1
220
cccccc
moznion
0
1.8k
ローカルLLMとLINE Botの組み合わせ その3 / LINE DC Generative AI Meetup #8
you
PRO
0
120
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
130
Docker Desktop不要の時代が来る? WSL標準の「wslc」で Linuxコンテナを動かしてみた.
ueponx
0
790
“全部コピーしない”ファイルデータの活用 : — FSx for ONTAP × S3 Tables × Icebergで作るメタデータカタログ
yoshiki0705
0
540
Featured
See All Featured
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.5k
4 Signs Your Business is Dying
shpigford
187
22k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
330
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
480
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
3k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
More Than Pixels: Becoming A User Experience Designer
marktimemedia
3
460
A designer walks into a library…
pauljervisheath
211
24k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
davidcarrasco
0
180
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
410
Transcript
Let's Encrypt & ACME Overview hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 1
Let's Encrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12
2
Let's Encrypt • ҎԼͷࣄ߲Λओٛͱ͢Δೝূہ • Free • Automatic • Secure
• Transparent • Open • Cooperative • ఏڙ͍ͯ͠Δͷ Internet Security Research Group (ISRG) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 3
Let's Encrypt • ແྉͰ SSL αʔό ূ໌ॻ(DV)Λೖख͢Δ͜ͱ͕ग़དྷΔ • ൃߦ͞Εͨূ໌ॻͷ༗ޮظݶ 90
ؒ • ཧ༝: https://letsencrypt.org/2015/11/09/why-90-days.html • πʔϧͷॆ࣮ͱڞʹߋʹ͘͢Δ༧ఆΒ͍͠ • Domain validation ACME ͱ͍͏ϓϩτίϧʹै͍ߦΘΕΔ • ACME(Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 4
ACME (Automatic Certificate Management Environment) hbstyle20151112 - Yoshikawa Ryota (
@rrreeeyyy ) 2015/11/12 5
ACME • Internet draft (- 2016/1/22) • https://letsencrypt.github.io/acme-spec/ • αʔό/ΫϥΠΞϯτؒͰͷূ໌ॻൃߦͷखଓ͖Λࡦఆ
• ࣮ࡍʹূ໌ॻΛൃߦ(ഁغ)͢Δ·Ͱʹେମ࣍ͷΑ͏ͳखଓ͖͕ඞཁ • Register • Authorizations • New Cert (Revoke-cert) • ΫϥΠΞϯτଆͷ࣮ https://github.com/letsencrypt/letsencrypt (Python) • CA ଆͷ࣮ https://github.com/letsencrypt/boulder (Golang) hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 6
Directory • ͦΕͧΕͷखଓ͖ʹඞཁͳ endpoint Λ directory Ͱఏڙ • ΫϥΠΞϯτ·ͣ͜͜Λݟͯ endpoint
ΛѲ͢Δ ✗ curl -sSL https://acme-v01.api.letsencrypt.org/directory | jq . { "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 7
Register • ·ͣ ACME Server ଆʹΫϥΠΞϯτͷొΛߦ͏ • ࣍ͷΑ͏ͳ "contact" ϑΟʔϧυΛؚΜͩ
JSON ΛૹΔ • JWS(JSON Web Signature) Ͱॺ໊Λ͚Δඞཁ͕͋Δ { "resource": "new-reg", "contact": [ "mailto:
[email protected]
", "tel:+12025551212" ], } /* Signed as JWS */ • "key" ΛؚΜͩϨεϙϯε͕ฦͬͯ͘ΔͷͰҎ߱ͷखଓ͖ͦΕΛͬͯ signature Λ࡞Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 8
Authorization • ূ໌ॻൃߦͷೝՄΛߦ͏खଓ͖ • Domain validation ΛͲ͏ߦ͏͔Λࢦఆ͢Δ • ࣍ͷΑ͏ͳํ๏͕બΔ •
SimpleHttp • DNS • DVSNI • Proof of possession of a prior key • ෳͷํ๏Λ "combinations" ͷྻͰࢦఆ͢Δ͜ͱ͕ग़དྷΔ • combination ͷશͯΛຬͨͨ͠߹ʹ valid ͱ͢Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 9
• ϦΫΤετͷྫ { "status": "pending", "identifier": { "type": "dns", "value":
"example.org" }, "challenges": [ { "type": "simpleHttp", "uri": "https://example.com/authz/asdf/0", "token": "IlirfxKKXAsHtmzK29Pj8A" }, { "type": "dns", "uri": "https://example.com/authz/asdf/1" "token": "DGyRejmCefe7v4NfDGDKfA" } }, "combinations": [ [0, 2], [1, 2] ] } hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 10
Authorization (Challenges SimpleHttp/DNS) • SimpleHttp • HTTP(S) ʹͯΞΫηεΛߦ͍υϝΠϯॴ༗Λ֬ೝ͢Δ • ΞΫηεΛߦ͏ઌ
A Ϩίʔυ͘͠ AAAA Ϩίʔυ͔Βܾఆ͞ΕΔ • ΞΫηεઌͷ .well-known/acme-challenge/${TOKEN} ΛݟΔ • தʹॴఆͷ JSON ΛೖΕ͓ͯ͘ • DNS • DNS ϨίʔυΛ༻͍ͯυϝΠϯॴ༗Λ֬ೝ͢Δ • _acme-challenge αϒυϝΠϯͷ TXT ϨίʔυΛ༻͢Δ • Λ TOKEN ʹ͢Δ • ex.) _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM" hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 11
New Cert (Revoke-cert) • લड़ͷ Authorization ͷ status ͕ valid
ͳ߹ͷΈϦΫΤετͰ͖Δ • valid ͡Όͳ͍ͱ͖ 403 ͱ͔͕ฦΔ • New Cert /acme/new-cert ʹ CSR ΛૹΓ͚ͭΔ • JWS Ͱॺ໊͢Δඞཁ͕͋Δ • ৭ʑ͋ͬͨޙ DER ܗࣜͷূ໌ॻΛऔಘͰ͖Δ • Revoke /acme/revoke-cert ʹূ໌ॻΛૹΓ͚ͭΔ • CRL/OCSP ʹࣦޮใ͕ެ։͞ΕΔ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 12
letsencrypt hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 13
letsencrypt • લड़ͷ ACME ͷॾʑΛͬͯ͘ΕΔίϚϯυ(python) • جຊతʹ SimpleHttp ʹΑΔ Challenge
Λఆ͍ͯ͠Δ༷ • ҾϕʔεͰυϝΠϯͷύϥϝʔλΛઃఆ͢Δ • Apache Nginx ͷઃఆΛύʔεͨ͠Γॻ͖͑ͨΓग़དྷΔ • Nginx experimental, buggy and not installed by default ͱͷ͜ͱ • standalone Λࢦఆ͢Δͱ BaseHTTPServer(http.server) Λͬͯ Challenge Λߦ͏ • 80 ൪ϙʔτΛ LISTEN ग़དྷΔඞཁ͕͋Δ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 14
letsencrypt-auto • letsencrypt ίϚϯυͷϥούʔ • ࣮ߦ͢Δ͚ͩͰॾʑͬͯ͘ΕΔ • ڥߏங(yum/apt/brewͱ͔ virtualenv ͱ͔
pip ͱ͔) • ( _gentoo_common.sh ͋ͬͨ) • Virtualenv ͷ activate ͱ͔ͬͯ͘ΕΔ • ެࣜυΩϡϝϯτͰ͜ΕΛ͏͜ͱʹͳͬͯͨ • ຖճ pip install Ͱ࠷৽͔Ͳ͏͔νΣοΫͨ͠Γͯ͠एׯॏ͍ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 15
letsencrypt-auto • standalone Ͱূ໌ॻΛऔಘͯ͠ΈΔ • -d Λෳࢦఆ͢Δ͜ͱͰ SANs ʹෳͷυϝΠϯ͕ॻ͔ΕΔ༷ •
৭ʑ͋ͬͨ͋ͱ /etc/letsencrypt/ Լʹ༷ʑͳσΟϨΫτϦ͕ੜ͞ΕΔ • ࠷৽ͷূ໌ॻ /etc/letsencrypt/live/${DOMAIN_NAME} Լʹஔ͔ΕΔ • /etc/letsencrypt/archive ԼͷͷͷγϯϘϦοΫϦϯΫ ./letsencrypt-auto \ -a standalone \ -d example.com \ -d www.example.com \ --server https://acme-v01.api.letsencrypt.org/directory \ --agree-dev-preview \ auth hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 16
letsencrypt • ssl_certificate ʹ fullchain.pem Λࢦఆ͢Δ • ssl_certificate_key ʹ privkey.pem
Λࢦఆ͢Δ • વ͕ͩ Postfix/Dovecot ͰͪΌΜͱ͍͑ͯΔ • iPhone/Android ͔ΒΤϥʔແ͘ଓͰ͖͍ͯΔ • smtpd_tls_(cert|key)_file ʹಉ༷ʹࢦఆ͢Δ͚ͩ • (ډͳ͍ͱࢥ͏͕) ݹʔ͍ dovecot Ͱ͏ࡍ݁߹ॱʹҙ͕ඞཁ hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 17
ॴײ • ແྉͰ DV ূ໌ॻ͕ೖखͰ͖ΔͳΜͯྑ͍࣌ • ௨ৗͷূ໌ॻͱԿΒ૬ҧແ͘ར༻Ͱ͖͍ͯΔ • ༗ޮظݶ͕ΊͳͷͰߋ৽ࣗಈԽඞਢͳؾ͕͢Δ •
ACME ϓϩτίϧͷੑ্࣭ DNSSEC ʹରԠͨ͠Γͨ͠ํ͕ྑͦ͞͏ • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • Ͳ͏Ͱ͍͍͚Ͳ࠷ۙͷ CloudFlare ϫϯΫϦοΫͰ DNSSEC ͬͯ͘ΕΔ • https://blog.cloudflare.com/introducing-universal-dnssec hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 18
ࢀߟࢿྉ • https://letsencrypt.org • https://letsencrypt.org/about • https://letsencrypt.org/howitworks/technology • https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html •
https://letsencrypt.org/2015/11/09/why-90-days.html • https://letsencrypt.github.io/acme-spec/ • https://github.com/letsencrypt/boulder • https://github.com/letsencrypt/letsencrypt • https://acme-v01.api.letsencrypt.org/directory • https://letsencrypt.github.io/acme-spec/#integrity-of-authorizations • http://jxck.hatenablog.com/entry/letsencrypt-acme hbstyle20151112 - Yoshikawa Ryota ( @rrreeeyyy ) 2015/11/12 19