入門Let's Encrypt (Introduction to Let's Encrypt)
Hirokazu Sugiuchi
January 15, 2016
Slides used at an internal study session on 2016/01/15. A supplementary article is here:
http://tech.feedforce.jp/study-letsencrypt.html
Transcript
入門Let's Encrypt (Introduction to Let's Encrypt) 2016/01/15 feedforce Inc. / Hirokazu Sugiuchi
About me
@critical-alert @critical_alert
• I work as an infrastructure engineer at Feedforce
• About 8 years since I first touched Linux
• My SNS IDs are a bit confusing
Let's Encrypt and me
What is Let's Encrypt?
A CA (certificate authority) that issues SSL/TLS server certificates for free
SSL
SSL, the usual story
• Built a web service as a hobby and added a login feature, so now I want SSL
• But certificates are expensive...
• A self-signed ("oreore") certificate is clearly not an option
• And honestly, I don't really know how to get one in the first place...
What is Let's Encrypt?
• Besides issuing SSL certificates for free, it aims to spread HTTPS by automating certificate issuance, installation and renewal
• Its certificate is cross-signed so that it chains up to the root certificate of IdenTrust, a major US certificate authority (CA), which browsers already trust
What is Let's Encrypt?
• Operated by a non-profit, the ISRG (Internet Security Research Group)
• Sponsored and supported by Cisco, Akamai, Mozilla and others
Automates issuance, installation and renewal
Automates
Automation!!!!!!
Let's Encrypt certificates
• DV (Domain Validation): issued after confirming control of the domain
• OV (Organization Validation): issued after verifying that the organization exists
• EV (Extended Validation): issued after stricter verification of the organization's existence than OV
• Let's Encrypt issues DV certificates, i.e. it verifies control of the domain and nothing more
I said "automation" just now, but why is that something to be happy about?
There are reasons why issuing/renewing certificates has traditionally been hard to automate
Reasons
• Certificates cost money, so a payment process is required
• The application process differs for each certificate issuer (CA)
• Certificates are issued manually (the approval request arrives by email)
• The certificate has to be configured on the server and the server restarted
As a sequence of steps it looks like this
• 1 Create a private key
• 2 From the private key, generate a CSR (certificate signing request)
• 3 Log in to the CA's site and submit the CSR through a form
• 4 Pay the certificate fee (credit card or bank transfer)
• 5 A domain-owner confirmation email arrives from the CA; approve it
• 6 The CA delivers the certificate by email or similar
• 7 Configure the certificate on the server
Too much of this is manual work, so it is hard to automate or fold into a modern deploy flow
What issuing a DV certificate actually requires is just this:
"Is the requester the holder of the domain the certificate is for?"
Identity check
• It is enough to be able to check whether the requester controls the domain being requested
• The requester is asked to perform an action that only the domain holder could perform
Is it really you?
• Place a file at a specific location on the domain you control, reachable over HTTP, and have Let's Encrypt fetch it
• (There are other validation methods, but they are out of scope today)
• Same idea as the Google Apps style verification where you upload a specific HTML file to the web server of the domain you want to register
• The letsencrypt client automates this from the command line
As a diagram. Source: https://http2.try-and-test.net/letsencrypt.html
From the cited source:
• (1) First, generate a private key and a CSR, and save the private key to a local file.
• The agent (client software) can generate these, or you can prepare them separately with OpenSSL.
• (2) The agent (client software) connects to Let's Encrypt's ACME server and sends the CSR.
• (3) The ACME server returns authentication information called a nonce to the agent software.
• (4) From the nonce, the agent generates a verification file and places it in a specific directory under htdocs.
• (5) Once that is ready, the agent asks the ACME server to run the authentication challenge.
• (6) The ACME server contacts the web server (HTTPD) to check that the verification file is in place on the specified domain.
• (7) If the ACME server can download the expected verification file, it issues the server certificate and, in (8), sends it to the agent.
The ACME protocol
ACME
• ACME stands for Automated Certificate Management Environment
• The validation method described above is codified as a protocol
letsencrypt client
• A client that issues, installs and renews certificates according to the ACME protocol has been published
• https://github.com/letsencrypt/letsencrypt
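The slides above describe the challenge file loosely as "generated from the nonce". In ACME (the http-01 challenge of RFC 8555, and already the same shape in the 2015 drafts the letsencrypt client implemented) the file body is the challenge token followed by "." and the RFC 7638 thumbprint of the account key, so the file also proves that whoever placed it holds the ACME account key. The following is an added example, not code from the slides or from the letsencrypt client: it computes both sides of the exchange, with a dict standing in for the webroot. The account JWK and token are constructed sample values, not real key material.

```python
import base64
import hashlib
import json
import re

# ACME tokens are base64url text with at least 128 bits of entropy
# (22 base64url characters); anything else must not become a path component.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, member
    names sorted, no whitespace. Extra members such as "kid" or "alg"
    must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body of the challenge file: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA will fetch; rejects tokens that are not base64url."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    return f"/.well-known/acme-challenge/{token}"


# Client side: what the letsencrypt client writes under --webroot-path.
def place_challenge(webroot: dict, token: str, account_jwk: dict) -> str:
    """webroot is a dict standing in for the filesystem under the document root."""
    path = challenge_path(token)
    webroot[path] = key_authorization(token, account_jwk)
    return path


# CA side: what the ACME server checks after fetching the file over HTTP.
def validate_http01(webroot: dict, token: str, account_jwk: dict) -> bool:
    body = webroot.get(challenge_path(token))
    if body is None:
        return False
    # RFC 8555 8.3: trailing whitespace at the end of the body is ignored.
    return body.rstrip() == key_authorization(token, account_jwk)


# Constructed dummy account key: not a real key ("n" is far too short for RSA).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nnd", "kid": "demo"}
# Sample token in the format the CA hands out (constructed for this example).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    webroot = {}
    path = place_challenge(webroot, TOKEN, ACCOUNT_JWK)
    ok = validate_http01(webroot, TOKEN, ACCOUNT_JWK)
    # Someone who can write to the webroot but does not hold the account key
    # cannot produce the right body: serving only the token fails validation.
    rogue_webroot = {path: TOKEN}
    rogue_ok = validate_http01(rogue_webroot, TOKEN, ACCOUNT_JWK)
    return {"path": path, "ok": ok, "rogue_ok": rogue_ok}


if __name__ == "__main__":
    print(demo())
```

The binding to the account key is why the validation file cannot simply be copied between ACME accounts, and why the token must be checked as base64url before it is used to build a filename under the document root.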
Let's try it
Let's try it
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto
letsencrypt-auto
• A script called letsencrypt-auto is provided; on the first run it installs the libraries and other dependencies needed to run the client
• It detects the OS automatically and installs python, gcc, openssl and so on. The Python side is installed into a virtualenv
Command to obtain a certificate
./letsencrypt-auto certonly -t \
  -d letsen.critical-alert.net \
  --webroot --webroot-path=/var/www/html/ \
  --rsa-key-size 2048
Lots of options
• certonly
• Only obtain the certificate (do not install it)
• -d
• Specify the domain to obtain a certificate for
Lots of options 2
• --webroot
• Generate the verification file in the document root of a web server such as Apache
• --webroot-path
• Specify the path of the document root
letsencrypt-auto
• If it succeeded, the files are placed under:
• /etc/letsencrypt/live/{domain}/
• cert.pem -> the certificate
• chain.pem -> the intermediate certificate
• fullchain.pem -> the certificate and the intermediate certificate concatenated
• privkey.pem -> the private key
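A check a practitioner wants after the first run is that the live directory is consistent: cert.pem holds exactly one certificate, chain.pem holds the intermediate, and fullchain.pem is cert followed by chain in that order (leaf first, as TLS requires). The following is an added example, not part of the slides or of the letsencrypt client; the PEM bodies are constructed placeholders, not real certificates, so only the file layout is exercised.

```python
import re

# One PEM CERTIFICATE block; the base64 body may be wrapped over many lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs(text: str) -> list:
    """Base64 bodies (whitespace removed) of every CERTIFICATE block, in file order.
    Other PEM block types, e.g. a PRIVATE KEY, are ignored."""
    return [re.sub(r"\s+", "", m.group(1)) for m in PEM_CERT_RE.finditer(text)]


def check_live_dir(cert_pem: str, chain_pem: str, fullchain_pem: str) -> dict:
    """Consistency checks on the contents of /etc/letsencrypt/live/<domain>/."""
    cert = pem_certs(cert_pem)
    chain = pem_certs(chain_pem)
    full = pem_certs(fullchain_pem)
    return {
        "cert_is_single": len(cert) == 1,
        "chain_present": len(chain) >= 1,
        "fullchain_leaf_first": full[:1] == cert,
        "fullchain_is_cert_plus_chain": full == cert + chain,
    }


def all_ok(result: dict) -> bool:
    return all(result.values())


def _pem(body: str) -> str:
    """Wrap a base64 body into a PEM CERTIFICATE block at 64 columns, as openssl does."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders: base64-looking text, not real certificates.
LEAF = "MIIFleafCERTIFICATE" * 6
INTERMEDIATE = "MIIEintermediateCA" * 6

CERT_PEM = _pem(LEAF)
CHAIN_PEM = _pem(INTERMEDIATE)
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM
# Two ways a hand-assembled fullchain goes wrong:
FULLCHAIN_MISSING_INTERMEDIATE = CERT_PEM
FULLCHAIN_WRONG_ORDER = CHAIN_PEM + CERT_PEM


if __name__ == "__main__":
    print(check_live_dir(CERT_PEM, CHAIN_PEM, FULLCHAIN_PEM))
    print(check_live_dir(CERT_PEM, CHAIN_PEM, FULLCHAIN_WRONG_ORDER))
```

Which file goes where depends on the server: Apache 2.4.8 and later accept fullchain.pem in SSLCertificateFile, older Apache needs cert.pem in SSLCertificateFile and chain.pem in SSLCertificateChainFile, and nginx expects fullchain.pem in ssl_certificate. A server that sends only cert.pem passes on a machine that already caches the intermediate and fails on a fresh client, which is exactly the mistake the order and completeness checks above catch.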
The rest is enthusiasm and a live demo (if time permits)
Renewal?
• Basically, running the same command as for the initial issuance renews the certificate
• --renew-by-default
• Add this option so you are not prompted about overwriting the existing certificate
Renewal?
• Add --renew-by-default and put the command in cron
• Naturally, the web server has to reload the renewed certificate, so chain the reload onto the command: ... && systemctl reload httpd
• Certificates are valid for 90 days (for security reasons, and because automated renewal is assumed), so running the job from cron once a month is enough
Summary
• Although still in beta, you can get a certificate for free that is valid in almost every modern environment
• Useful for putting applications under development and personal projects on SSL
• Being able to do everything from the command line is nice
• Using it with something like ELB...?
• Full automation still seems some way off
• Renewal is still a cron job, for instance
Reference links
• Let's Encrypt 総合ポータル (Let's Encrypt general portal): https://letsencrypt.jp/
• Building an HTTP/2 server with Apache 2.4: https://http2.try-and-test.net/letsencrypt.html
• Understanding Let's Encrypt's ACME in Go: http://deeeet.com/writing/2015/12/01/go-letsencrypt-acme/