1. © AKAMAI - EDGE 2016
ACME – Let’s Encrypt Your Origin
Stephen Ludin – Chief Architect, Akamai – BoD, ISRG
3. Our cast of characters: Alice, Bob and Eve
4. A little ditty about Alice and Bob
All Alice and Bob want to do is peacefully pass notes in class without interference from Eve.
5. [Figure: Alice's note "U R Sweet" travels as the ciphertext e1bf4 190ce; Eve, looking on, sees only "???"]
6. [Figure: Eve intercepts. "U R Sweet" is now encrypted as 692ha 1ac43 alongside the earlier e1bf4 190ce, and the note Bob ends up reading says "U Smell"]
7. We have not solved ANYTHING!
8. How does Bob know this really IS Alice's public key?
9. Enter, Carol
Carol's job is simple:
• Get Alice's public key
• Verify that it really is Alice
• Sign Alice's public key, saying "This really is Alice"
• Give her (Carol's) public key to Bob
12. Free, Automatic, Secure, Transparent, Open, Cooperative
14. Over 10,000,000 active certificates
Over 13,500,000 active domains
18. Yes, it's that easy (mostly)
19. Create key pair -> Create signed CSR -> Send CSR to CA -> Validate -> CA creates/signs cert -> Install cert
21. Where certbot excels
• A small infrastructure
  • A single webserver, for example
• You can run certbot on the machine that needs the key
• You are running a supported webserver
• It is designed to be fully automated with little knowledge required
23. (and that's why you are here)
24. The Voodoo Behind Let's Encrypt
25. ACME: Automated Certificate Management Environment
26. "…a protocol for automating the management of domain-validation certificates, based on a simple JSON-over-HTTPS interface."
28. Something for Everyone: 45 clients, 14 libraries, 10 languages
32. Staging versus Production
Staging:    acme-staging.api.letsencrypt.org, no rate limits, "fake" root
Production: acme-v01.api.letsencrypt.org, rate limits, true root
33. JWS / Nonce
Everything is protected with JWS and nonces:
{
  "header":    { "alg": "RS256", "jwk": { "e": "AQAB", "kty": "RSA", "n": "<n>" } },
  "payload":   <payload>,
  "protected": <protected_header>,
  "signature": <sig>
}
34. Account Key – Your ID
$ openssl genrsa -out account_key.pem 2048
36. Getting Started
perl:
  my $acme = Protocol::ACME->new( host        => $le_host,
                                  account_key => $key,
                                  mailto      => $email );
REST:
  (no request at this step)
37. directory – Get a list of REST end points
perl:
  $acme->directory();
REST:
  GET https://<host>/directory
38. reg / new-reg – Look up or register the account key
perl:
  $acme->register();
REST:
  POST https://<host>/acme/new-reg
  JWS( mailto: <your email> )
39. Accept Terms of Service
perl:
  $acme->accept_tos();
REST:
  POST https://<host>/acme/reg/ID
  JWS( "agreement": "<TOS URL>" )
40. authz – Request a validation challenge
perl:
  $acme->authz( $domain );
REST:
  POST https://<host>/acme/new-authz
  JWS( identifier: { type: "dns", value: "<domain>" } )
41. Challenges
dns-01: Add a specific TXT record to DNS
tls-sni-01: Provision a specific certificate at the domain
http-01: Place a specific object at the domain
42. Challenges
Protocol::ACME helps with challenge automation:
• Protocol::ACME::Challenge::SimpleSSH
• Protocol::ACME::Challenge::LocalFile
• Protocol::ACME::Challenge::Manual
  my $challenge =
    Protocol::ACME::Challenge::SimpleSSH->new(
      { ssh_host => '<my_host>', www_root => '/opt/local/www/htdocs' } );
43. Handle Challenges
perl:
  $acme->handle_challenge( $challenge );
REST:
  Follow the instructions to do it by hand
44. Check challenges
perl:
  $acme->check_challenge();
REST:
  POST https://<host>/<challenge_id>
  JWS( keyAuthorization: token + "." + fingerprint )
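How the keyAuthorization on this slide is derived from the account key's JWK (the "jwk" header of slide 33), and what the http-01 and dns-01 challenges of slide 41 actually publish, as an added Python example (not code from the deck or from Protocol::ACME). The key is the sample RSA key published in RFC 7638, the token and domain are constructed values, and the EC member list goes beyond what the slides cover.

```python
import base64
import hashlib
import json
import re

# Public half of the account key, as the JWS "jwk" header on slide 33 carries it.
# Sample key: the RSA key published in RFC 7638 section 3.1 (not a key from this
# deck); its thumbprint is printed in the RFC, so the output can be checked.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}

# Members that enter the thumbprint, per key type (RFC 7638 section 3.2).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
# CA-issued tokens are base64url; anything else must never become a web-root path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data):
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 over the required members only, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """The value slide 44 posts back: token, a dot, then the account thumbprint."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it")
    return token + "." + jwk_thumbprint(jwk)


def http01_resource(token, jwk):
    """(URL path, body) the web root must serve for http-01."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)


def dns01_record(domain, token, jwk):
    """(name, TXT value) for dns-01; the value is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return "_acme-challenge." + domain, b64url(digest)
```

Only the thumbprint of the public key is ever published, so the challenge response proves control of the account key without exposing it; the token check keeps a malformed token from being turned into a file path by a LocalFile- or SimpleSSH-style handler.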
45. new-cert – Submit the CSR and get the certificate
perl:
  my $cert = $acme->sign( $csr );
REST:
  POST https://<host>/acme/new-cert
  JWS( csr: <DER encoded CSR> )
46. The whole thing…
use Protocol::ACME;
use Protocol::ACME::Challenge::SimpleSSH;

# Assumed inputs: the staging host (slide 32), the account key (slide 34),
# a DER-encoded CSR (slide 45) and a domain you control.
my ( $le_host, $key, $email ) = ( 'acme-staging.api.letsencrypt.org', 'account_key.pem', 'admin@example.com' );
my ( $domain, $csr ) = ( 'www.example.com', 'www.example.com.csr' );
# Challenge handler from slide 42; here the web host is assumed to be the domain itself.
my $challenge = Protocol::ACME::Challenge::SimpleSSH->new(
    { ssh_host => $domain, www_root => '/opt/local/www/htdocs' } );
my $acme = Protocol::ACME->new( host        => $le_host,
                                account_key => $key,
                                mailto      => $email );
$acme->directory();                     # discover the REST end points
$acme->register();                      # reg / new-reg
$acme->accept_tos();
$acme->authz( $domain );                # request the validation challenge
$acme->handle_challenge( $challenge );  # provision the challenge response
$acme->check_challenge();               # ask the CA to validate
my $cert = $acme->sign( $csr );         # new-cert: CSR in, certificate out