Acmesmith (http2study8)

Transcript

1. acmesmith:
   An effective ACME client
   @sorah
   http2study #8 / May 30, 2016
   

   View Slide

2. @sorah (ͦΒ͸)
   • https://sorah.jp/
   • https://github.com/sorah
   • https://twitter.com/sora_h
   • Cookpad Inc. ΠϯϑϥετϥΫνϟʔ෦
   • Ruby committer
   

   View Slide

3. ACME protorol
   • Automated Certificate Management Environment
   • Let’s encrypt https://letsencrypt.org/ ͷͨΊʹ࡞ΒΕͨ API ࢓༷
   • https://letsencrypt.org/how-it-works/

   https://github.com/letsencrypt/acme-spec
   • HTTP/DNS/TLS-SNIΛ௨ͨ͠ॴ༗֬ೝɺূ໌ॻͷൃߦΛࣗಈԽ
   

   View Slide

4. ACME client
   • ࣮ࡍʹ ACME server ͱ΍ΓͱΓͯ͠ TLS ূ໌ॻΛऔಘͯ͘͠ΕΔΫ
   ϥΠΞϯτ
   • ެࣜ https://github.com/certbot/certbot (چ letsencrypt)
   • https://github.com/certbot/certbot/wiki/Links
   

   View Slide

5. ެࣜ
   

   View Slide

6. ެࣜ
   • ΘΓͱ୭Ͱ΋࢖͑ͦ͏ͳײ͡ʹΏΔ͘࡞ΒΕ͍ͯΔ
   • ศར͡ΌΜ
   

   View Slide

7. ެࣜ
   

   View Slide

8. ެࣜ
   • nginx/apache/haproxy ͱ͔ͱ͍͍ײ͡ʹ࿈ܞͯ͠উखʹઃఆͯ͘͠
   ΕΔΒ͍͠ɺศར
   

   View Slide

9. ໰୊఺
   • ৴༻Ͱ͖ͳ͍ڍಈ
   • ͓અհͳڍಈ
   • Ωʔ؅ཧ໰୊
   

   View Slide

10. ৴༻Ͱ͖ͳ͍໰୊
    • ·ͣ͸͜ͷεΫγϣΛݟͯ͘Ε
    

    View Slide

11. ৴༻Ͱ͖ͳ͍໰୊
    

    View Slide

12. ৴༻Ͱ͖ͳ͍໰୊
    • Manual installation ͷ৔߹ͩͱಥવ sudo apt-get install (΍ Gentoo
    ͳΒ sudo emerge) Λୟ͖ग़͢໰୊
    • sudo -k ͠ͱ͚͹େৎ෉!
    • ͍ͯ͏͔ help ୟ͍͚ͨͩͳΜͰ͚͢Ͳ…
    • ϚδͰ…?
    

    View Slide

13. ͓અհͳ໰୊
    • Θͨ͠͸αʔόʔΛϓϩϏδϣχϯάπʔϧΛ࢖ͬͯ៉ྷʹͱͱͷ͑
    ͍ͯΔ
    • ͦΕͳΓʹϚτϞͳ nginx ౳Ͱͷ TLS ͷઃఆ΋Ͱ͖Δ͠ɺπʔϧͭ
    ͔ͬͯ៉ྷʹ؅ཧͯ͠Δ
    • উखʹαʔόʔͷઃఆΛ࿔Βͳ͍Ͱ΄͍͠ɻ͓અհͰ͋Δɻ
    • ͦ͏͍͏Ϟʔυ΋͋Δ͚ͲɺͳΜ͔͜͏͍͏ڍಈͯ͠Δ࣌఺Ͱ৴
    ༻͕ͳΒͳ͍
    

    View Slide

14. Ωʔ؅ཧ໰୊
    • ൃߦͨ͠ূ໌ॻ΍ͦͷΩʔϖΞɺ͓Αͼ account key ͷ؅ཧ͸͖ͬ
    ͪΓ΍Γ͍ͨ
    • Θͨ͠ͷखݩʹ͸ෳ਺ͷαʔόʔ͕͋Δ
    • certbot ͩͱ /etc/letsencrypt ͱ͔ʹࡶʹஔ͔Εͯࣗ෼Ͱ؅ཧ͢Δ
    ඞཁ͕͋Δ (ΊΜͲ͍)ɻ
    

    View Slide

15. ͳΜͱ͔͍ͨ͠
    

    View Slide

16. ͭ͘Γ·ͨ͠
    • https://github.com/sorah/acmesmith
    • Acmesmith: An effective ACME client to operate on multiple servers
    environment with the cloud
    

    View Slide

17. sorah/acmesmith
    • ACME client designed to work on multiple servers
    • ACME registration, domain authorization, certificate requests
    • Tested against Let's encrypt
    • Storing keys in several ways (Currently AWS S3 is supported)
    • Challenge responses (Currently dns-01 with AWS Route 53 is
    supported)
    

    View Slide

18. sorah/acmesmith
    • Ruby ੡
    • ࣗಈߋ৽ (ࢦఆ೔਺ະຬͷূ໌ॻΛ୳͖ͯͯ͠ request ͠ͳ͓͢); Ͳ
    ͔͜1ՕॴͰcronͰճͤ͹ok
    • (ಉࠝͯ͠Δ S3 plugin) ͸γϯϓϧͳߏ଄Ͱূ໌ॻ΍ΩʔΛอଘ͢Δ
    ͷͰɺαʔόʔ্Ͱ͸ aws-cli ͳͲͰ伴ɾূ໌ॻΛऔಘ͢Ε͹ OK
    

    View Slide

19. sorah/acmesmith
    • ϓϥΨϒϧͳػߏͰ challenge responder ΍ storage Λ௥ՃͰ͖Δ
    • ͓અհ͸͠ͳ͍
    • Θͨ͠ͷधཁʹ߹Θͤͯ࡞ͬͨͷͰݱঢ় AWS S3 + Route53 ͷΈ
    • (ݱঢ় OpenStack ͷ Designate (DNSaaS) ޲͚ͷ gem ͕͋Γ·͢)
    

    View Slide

20. Acmesmith (S3+Route53)
    • acmesmith register CONTACT
    • acmesmith authorize test.example.org
    • acmesmith request test.example.org
    • acmesmith show-certificate test.example.org
    

    View Slide

21. ิ଍: Identifier Validation Challenges
    • ACME ϓϩτίϧʹ͓͍ͯυϝΠϯͷॴ༗ऀ֬ೝΛ͢ΔͨΊͷϑϩʔ
    • http-01: ࢦఆ͞Εͨύεʹࢦఆ͞ΕͨจࣈྻΛ account key Ͱॺ໊ɺ഑ஔͯ͠ೝূ
    • tls-sni-02: SNI Ͱܨ͍ͩ࣌ʹฦ͢ূ໌ॻͷ SAN ʹ *.acme.invalid ͷܗͰࢦఆ͞Εͨจࣈྻʹ
    ॺ໊ͨ͠σʔλΛؚ·ͤͯೝূ
    • dns-01: ࢦఆ͞ΕͨจࣈྻΛॺ໊ͯ͠σʔλΛυϝΠϯͷԼʹTXTϨίʔυͱͯ͠ઃఆͯ͠ೝ
    ূ
    • oob-01: out of band, ࣗಈԽ͞Ε͍ͯͳ͍ೝূ༻
    • Acmesmith ͸ݱঢ় out of the box Ͱ͸ Route 53 + dns-01 ʹରԠ
    

    View Slide

22. sorah/acmesmith
    • ·ͩग़དྷ͍ͯͳ͍ࣄ
    • post issuance hook (ൃߦޙࣗಈͰαʔόʔʹ഑ஔ͍ͨ͠)
    • AWS S3, Route53 Ҏ֎΁ͷରԠ (୭͔΍ͬͯ͘Εʙ)
    • ϓϥάΠϯճΓͷυΩϡϝϯςʔγϣϯ
    

    View Slide