
Acmesmith (http2study8)

Sorah Fukumori

May 30, 2016

Transcript

  1. acmesmith:
    An effective ACME client
    @sorah
    http2study #8 / May 30, 2016

  2. @sorah (そらは)
    • https://sorah.jp/
    • https://github.com/sorah
    • https://twitter.com/sora_h
    • Cookpad Inc., Infrastructure Department
    • Ruby committer

  3. ACME protocol
    • Automated Certificate Management Environment
    • The API specification created for Let's Encrypt (https://letsencrypt.org/)
    • https://letsencrypt.org/how-it-works/
    • https://github.com/letsencrypt/acme-spec
    • Automates proof of domain ownership via HTTP/DNS/TLS-SNI and the issuance of certificates

  4. ACME client
    • A client that actually talks to an ACME server and obtains a TLS certificate for you
    • Official client: https://github.com/certbot/certbot (formerly letsencrypt)
    • https://github.com/certbot/certbot/wiki/Links

  5. The official client

  6. The official client
    • Built loosely so that pretty much anyone can use it
    • Handy, isn't it?

  7. The official client

  8. The official client
    • Apparently it integrates nicely with nginx/apache/haproxy and configures them for you; handy

  9. Problems
    • Untrustworthy behaviour
    • Meddlesome behaviour
    • Key management

  10. The trust problem
    • First, look at this screenshot

  11. The trust problem

  12. The trust problem
    • With a manual installation it suddenly starts running sudo apt-get install (or sudo emerge on Gentoo)
    • Just run sudo -k beforehand and you're fine!
    • I mean, all I did was run help…
    • Seriously…?

  13. The meddling problem
    • I keep my servers neatly set up with a provisioning tool
    • I can write a reasonably decent TLS configuration for nginx and the like myself, and I manage it cleanly with that tool
    • I don't want it fiddling with my server configuration on its own. That is meddling.
    • There is a mode that doesn't, but the fact it behaves this way at all makes it hard to trust

  14. The key management problem
    • I want to manage the issued certificates, their key pairs, and the account key properly
    • I have multiple servers to deal with
    • With certbot they are just dropped into /etc/letsencrypt or so and I have to manage them myself (tedious).

  15. I wanted to do something about this

  16. So I made one
    • https://github.com/sorah/acmesmith
    • Acmesmith: An effective ACME client to operate on multiple servers environment with the cloud

  17. sorah/acmesmith
    • ACME client designed to work on multiple servers
    • ACME registration, domain authorization, certificate requests
    • Tested against Let's Encrypt
    • Storing keys in several ways (currently AWS S3 is supported)
    • Challenge responses (currently dns-01 with AWS Route 53 is supported)

  18. sorah/acmesmith
    • Written in Ruby
    • Auto-renewal (finds certificates with fewer than the specified number of days left and re-requests them); running it from cron in a single place is enough
    • The bundled S3 plugin stores certificates and keys in a simple layout, so on each server you just fetch the key and certificate with aws-cli or similar

  19. sorah/acmesmith
    • Pluggable mechanism for adding challenge responders and storage backends
    • No meddling
    • Built to my own needs, so currently AWS S3 + Route 53 only
    • (There is currently also a gem for OpenStack's Designate (DNSaaS))

  20. Acmesmith (S3+Route53)
    • acmesmith register CONTACT
    • acmesmith authorize test.example.org
    • acmesmith request test.example.org
    • acmesmith show-certificate test.example.org

  21. Supplement: Identifier Validation Challenges
    • The flow in the ACME protocol for verifying who controls a domain
    • http-01: sign the given string with the account key and place it at the given path to validate
    • tls-sni-02: validate by serving, on an SNI connection, a certificate whose SAN contains the signed data for the given string in the form *.acme.invalid
    • dns-01: sign the given string and set the data as a TXT record under the domain to validate
    • oob-01: out of band, for validation that is not automated
    • Acmesmith currently supports Route 53 + dns-01 out of the box
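The http-01 and dns-01 responses from the slide above, worked through in Ruby (acmesmith's language) as an added example that is not acmesmith's code: what the client publishes is the key authorization the ACME spec defines, the CA's token joined to the account key's JWK thumbprint, and for dns-01 its SHA-256 hash. The account key, the token and the test.example.org record name are constructed for the demo.

```ruby
require 'openssl'
require 'digest'
require 'json'

# Base64url without padding, as ACME/JWS requires.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# RFC 7638 JWK thumbprint of an RSA account key: SHA-256 over the canonical
# JSON {"e":..,"kty":"RSA","n":..} (required members only, sorted, no whitespace).
# BN#to_s(2) yields the big-endian magnitude without leading zeros, as JWK wants.
def account_key_thumbprint(rsa_key)
  jwk = { 'e' => b64url(rsa_key.e.to_s(2)), 'kty' => 'RSA', 'n' => b64url(rsa_key.n.to_s(2)) }
  b64url(Digest::SHA256.digest(JSON.generate(jwk)))
end

# Key authorization = token "." thumbprint: it ties the CA's token to the
# account key, so only the holder of that key can answer the challenge.
def key_authorization(token, rsa_key)
  "#{token}.#{account_key_thumbprint(rsa_key)}"
end

# http-01: the key authorization is served verbatim at
# http://<domain>/.well-known/acme-challenge/<token>.
def http01_response(token, rsa_key)
  key_authorization(token, rsa_key)
end

# dns-01: the TXT record value is base64url(SHA-256(key authorization)).
def dns01_txt_value(token, rsa_key)
  b64url(Digest::SHA256.digest(key_authorization(token, rsa_key)))
end

# dns-01 record name; the trailing dot is the FQDN form Route 53 expects.
def dns01_record_name(domain)
  "_acme-challenge.#{domain}."
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)          # throwaway account key (constructed)
  token = 'constructed-sample-token-Zx9Q'     # in real use this comes from the CA
  puts "http-01 body: #{http01_response(token, key)}"
  puts "dns-01 record: #{dns01_record_name('test.example.org')} TXT \"#{dns01_txt_value(token, key)}\""
end
```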

  22. sorah/acmesmith
    • Not done yet:
    • post issuance hook (to deploy to servers automatically after issuance)
    • Support for backends other than AWS S3 and Route 53 (someone please do it!)
    • Documentation around plugins