Acmesmith (http2study8)

Sorah Fukumori

May 30, 2016

Transcript

  1. acmesmith: An effective ACME client @sorah <her@sorah.jp> http2study #8 / May 30, 2016
  2. @sorah (sorah) • https://sorah.jp/ • https://github.com/sorah • https://twitter.com/sora_h • Cookpad Inc., Infrastructure Department • Ruby committer
  3. ACME protocol • Automated Certificate Management Environment • An API specification created for Let's Encrypt https://letsencrypt.org/ • https://letsencrypt.org/how-it-works/ https://github.com/letsencrypt/acme-spec • Automates domain ownership verification over HTTP/DNS/TLS-SNI and certificate issuance
  4. ACME client • The client that actually talks to the ACME server and obtains a TLS certificate for you • Official client: https://github.com/certbot/certbot (formerly letsencrypt) • https://github.com/certbot/certbot/wiki/Links
  5. The official client
  6. The official client • Built loosely so that pretty much anyone can use it • Convenient, isn't it
  7. The official client
  8. The official client • Apparently it integrates nicely with nginx/apache/haproxy and configures them for you; convenient
  9. Problems • Untrustworthy behaviour • Meddlesome behaviour • Key management
  10. Untrustworthy behaviour • First, look at this screenshot
  11. Untrustworthy behaviour
  12. Untrustworthy behaviour • Even with "Manual installation" it suddenly runs sudo apt-get install (or sudo emerge on Gentoo) • It's fine as long as you run sudo -k beforehand! • And all I did was invoke help… • Seriously…?
  13. Meddlesome behaviour • I set up my servers cleanly with a provisioning tool • I can already write a reasonably proper TLS configuration for nginx and the like, and I manage it cleanly with that tool • Please don't touch my server configuration on your own. That is meddlesome. • There is a mode that doesn't, but the fact that it behaves this way at all means I can't trust it
  14. Key management • I want to manage the issued certificates, their key pairs, and the account key properly • I have several servers on my hands • With certbot they get dumped somewhere like /etc/letsencrypt and you have to manage them yourself (a pain).
  15. I wanted to do something about it
  16. So I built one • https://github.com/sorah/acmesmith • Acmesmith: An effective ACME client to operate on multiple servers environment with the cloud
  17. sorah/acmesmith • ACME client designed to work on multiple servers • ACME registration, domain authorization, certificate requests • Tested against Let's encrypt • Storing keys in several ways (Currently AWS S3 is supported) • Challenge responses (Currently dns-01 with AWS Route 53 is supported)
  18. sorah/acmesmith • Written in Ruby • Automatic renewal (finds certificates with fewer than the specified number of days left and requests them again); running it from cron in one place is enough • The bundled S3 plugin stores certificates and keys in a simple layout, so on each server you just fetch the key and certificate with something like aws-cli
  19. sorah/acmesmith • Pluggable architecture: challenge responders and storage backends can be added • Not meddlesome • Built to fit my own needs, so currently AWS S3 + Route 53 only • (There is currently a gem for OpenStack Designate (DNSaaS))
  20. Acmesmith (S3+Route53) • acmesmith register CONTACT • acmesmith authorize test.example.org • acmesmith request test.example.org • acmesmith show-certificate test.example.org
  21. Supplement: Identifier Validation Challenges • The flow in the ACME protocol for confirming ownership of a domain • http-01: sign the given string with the account key and place it at the given path to validate • tls-sni-02: validate by returning, on a connection with that SNI, a certificate whose SAN contains the signed data for the given string in the form *.acme.invalid • dns-01: validate by signing the given string and setting the resulting data as a TXT record under the domain • oob-01: out of band, for validation that is not automated • Acmesmith currently supports Route 53 + dns-01 out of the box
  22. sorah/acmesmith • Not done yet • Post-issuance hook (I want to deploy to servers automatically after issuance) • Support for things other than AWS S3 and Route 53 (someone please do it~) • Documentation around plugins
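The http-01 and dns-01 challenges summarised on slide 21, worked through as an added example (this is not code from the slides or from acmesmith). In the ACME specification the value a responder publishes is not a signature: it is the "key authorization", the CA's token joined to the RFC 7638 thumbprint of the account public key, so the responder that writes the Route 53 record never needs the account private key. http-01 serves the key authorization itself at `/.well-known/acme-challenge/<token>`; dns-01 publishes the base64url SHA-256 of it as a TXT record at `_acme-challenge.<domain>`. The account JWK, token and domain below are constructed sample values, and `dns01_validates` models only the CA-side comparison, not the DNS lookup.

```python
# Added example: deriving http-01 / dns-01 challenge responses from an ACME
# account key (RFC 8555 section 8, RFC 7638 thumbprints). Not acmesmith code.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the *required* public members only,
    serialised as JSON with lexicographically ordered keys and no whitespace.
    Optional members such as "kid" or "alg" must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token + "." + thumbprint: binds the CA-issued token to the account key
    without any signature, so the responder only needs the public JWK."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_resource(token: str, account_jwk: dict) -> tuple:
    """(path, body) served over plain HTTP on port 80 for http-01."""
    path = f"/.well-known/acme-challenge/{token}"
    return path, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(name, value) of the TXT record a dns-01 responder creates."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")
    ).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def dns01_validates(observed_txt_values, domain: str, token: str,
                    account_jwk: dict) -> bool:
    """CA-side comparison: at least one TXT value must equal the expected one.
    A stale record from a previous token or another account key must fail."""
    _, expected = dns01_record(domain, token, account_jwk)
    return any(value == expected for value in observed_txt_values)


# Constructed sample EC P-256 public JWK; the coordinates are placeholders,
# not a real curve point, which is fine because only the thumbprint is used.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
    "alg": "ES256",                        # ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed

if __name__ == "__main__":
    path, body = http01_resource(SAMPLE_TOKEN, SAMPLE_JWK)
    name, value = dns01_record("test.example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"http-01: GET {path} -> {body}")
    print(f"dns-01:  {name} TXT {value}")
```

The thumbprint step is where implementations most often go wrong: serialising the whole JWK (including `kid`), keeping whitespace, or leaving base64 padding in place all produce a value the CA will reject, and a responder that publishes a record for the wrong token or an old account key will fail validation exactly as `dns01_validates` shows.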