If you can't read please download the document
Upload
nicola-corti
View
188
Download
2
Embed Size (px)
Citation preview
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Lets Encrypt! Free certificates for everyone!
Nicola Corti
Gruppo Utenti Linux Pisa
03 February 2016
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Introduction
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
What is Lets Encrypt?
Lets Encrypt is a Certification Authority (CA) that issue freeSSL/TLS certificates
I From 5 December 2015 L.E. is available in Public BetaI L.E. has released more than 480 k certificatesI Its major focus is automation of processes.I https://letsencrypt.org/
https://letsencrypt.org/
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Sponsors
Whos behind the project?
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
History
2012 Project begins insideMozilla11-2014 Lets Encrypt publicly announced01-2015 The ACME protocol submitted to IETF for
standardization04-2015 ISRG (Internet Security Research Group) and
Linux Foundation join the project09-2015 Issued the first certificate for
helloworld.letsencrypt.org10-2015 L.E. intermediate certificate becomes cross-signed
by IdenTrust. (Lets Encrypt is trusted!)12-2015 Public beta!
https://helloworld.letsencrypt.org/
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Why?
I Free
I Automated
I Open
I Secure
I Transparent
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Server
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Boulder
ArchitectureThe Lets Encrypt system is based on 3 components: a server, aclient and the protocol that defines the communication rulesbetween server and client
The server is called Boulder and its completely written in Go. Itsresponsible of handling all the procedures for issuing, renewaland revocation of certificates.
Its basically an HTTPS server that exposes a RESTful interface.
https://github.com/letsencrypt/boulder
https://github.com/letsencrypt/boulder
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Client
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
letsencrypt
The client is called (obviously) letsencrypt and its completelywritten in Python. Its responsible for interaction with the remoteserver and it handles your certificates.
I Download through .deb package letsencrypt (only ondebian sid/stretch).
I Clone the git repository.
https://github.com/letsencrypt/letsencrypt
https://github.com/letsencrypt/letsencrypt
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Plugins
The clients main purpose is to simplify and automate the wholeprocess of authentication and creation of the certificate.
For this reason the client comes with several plugins, useful toautomatically setup the new certificates on popular web servers:apache and nginx.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Protocol
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
ACME
The procol use by Lets Encrypt is called Automated CertificateManagement Environment (ACME).
ACME is based on exchanges of signed JSON files (a.k.a. JWS,Json Web Signature). These documents contains all therequests and the responses between the client and the server.
These documentsmust be exchanged over HTTPS.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
ACME
https://github.com/letsencrypt/acme-spec
https://github.com/letsencrypt/acme-spec
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
ACME
The ACME protocol is aimed to:
1. Prove that we are the owners of a specific domain, sayexample.com
2. Obtain a new certificate for the domain example.com
3. Revoke or Renew a certificate for the domain example.com
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Security
All the interactions between client and servers are encryptedwith a public/private key pair generated during the firstexecution of the client.
In order to prove that we are the owners of the domain, theserver sends us a set of challenges that we must solve.
Every interaction with the server is marked with a nonce numberthat allows to avoid Replay attacks.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Challenges
The server can decide to send one or more challenge from thefollowings:
Type DescriptionSimple HTTP Youmust place a token file inside your web-
server root folder. Both HTTP and HTTPSare accepted
DNS You must provide a token inside a TXTrecord of your DNS server
Proof of possession You must sign a document using a keypair that the
server already consider yours
Domain Validation with
Server Name Indication
You must configure a TLS server on a specific IP ad-
dress (through an A record inside the DNS).
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Domain Validation
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Domain Validation
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Certificate Issuance
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Certificate Revocation
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Certificates
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
DV Certificates
DVAll the certificates issue from L.E. are Domain Validatedcertificates. They basically prove that you are the owner of aspecific domain, nothing more.
Organization Validation and Extended Validation certificatesrequires to explicit verify the identity of the subject that isrequesting a certificate.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Cross Signing
All the issued certificates are Cross-signed by IdenTrust. In thisway, all the L.E. certificates are trusted by major browsers.
We can avoid browser errors such as:
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Cross Signing
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Validity
All the certificates have a 90 days validity. After the expiry, thecertificates are not valid anymore and the browsers will raisesecurity errors.
90-days validityThis is nothing new on the web. Having certificates with areduced validity could help to limit damage from keycompromise and mis-issuance.
You will receive remind emails whenever a certificate is near toexpire. Certificate renewal can be automated with a cron task.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Setup
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Requirements
The client minimal requirements are:I Unix like system.I Python 2.6 or 2.7.I root rights on the system.
The apache setup plugins works only on Debian based system:Ubuntu 12.04+ and Debian 7+
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Download
First, lets download the letsencrypt client.
On Debian sid/stretch:
$ sudo apt-get install letsencrypt
$ letsencrypt --help
On other OS:
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help
From now on we will use letsencrypt-auto for all the commands,assuming to proceed with clone of the repository.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Run
To execute the client you simply have to invoke:
$ ./letsencrypt-auto
We will be guided through the issuing process
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Apache
If you want to automatically configure Apache with thegenerated certificates you can invoke:
$ ./letsencrypt-auto --apache -d example.com -d www.example.com
With --apache we are enabling the apache plugin, and with -d weare giving the list of involved domains.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Contacts
During the first run, the client will ask for ourmail address and itwill request to accept the Terms of service.
You can skip these steps using these flags:
$ ./letsencrypt-auto --email [email protected] --agree-tos
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Plugins
Plugin A I DescrizioneApache Y Y Obtain and setup automatically the certs. on
Apache 2.4 (Debian based)
Standalone Y N Obtain the cert with a standalone web serveron ports 80/443
Webroot Y N Obtain a certificate touching a token inside theroot folder of an already existing webserver
Manual Y N Prints the commands to manually obtain thecerts from a different client
Nginx Y Y Obtain and setup automatically the certs. onnginx (experimental)
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
certonly
You can use the plugins with authentication support (A column)just to obtain the certificates without installation.
Simply add the option certonly to the command line.
Standalone example$ ./letsencrypt-auto --standalone-supported-challenges \
http-01 certonly -d example.com
This command will start a standalone webserver on port 80 andit will obtain the certificate for example.com
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
/etc/letsencrypt
All the certificates and the auth keys will be saved into/etc/letsencrypt.
Inside this folder you will find all the certificates and all thepublic/private keys. Its extremely recommended to make abackup of this folder to a secure place.
Inside /etc/letsencrypt/live/example.com/ you will findsymlinks that will be updated after every renewal.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
/etc/letsencrypt
You will find the following files:privkey.pem Private key of the certificate. DO NOT SHARE IT!
cert.pem Webserver certificate (sent to the browser).chain.pem List of all the intermediate certificates connected
to this certificate.fullchain.pem cert.pem + chain.pem
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Revoke
To revoke a certificate you can simply use the option revoke.
$ /.letsencrypt-auto revoke --cert-path example-cert.pem
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Renewal
The renewal process its extremely easy, you can simply invokeletsencrypt without parameters.
You can also use the --renew-by-default to perform theautomatic renewal of the certificate without user interaction.
In this way, its possible to schedule a cron task to automaticallyrenew the certificates before the expiry.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Update
Since Lets Encrypt its a public beta, its fundamental to keep theclient up to date.
On Debian sid/stretch:
$ apt-get update && apt-get upgrade
On other OS:
$ cd letsencrypt
$ git pull
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
General usage
During everyday usage, you can simply invoke letsencryptwithout parameters. The terminal UI will guide you through thedesidered process.
You simply have to answer to the client questions.
Having only too much parameters could be hard to remember.The UI will help on this, but the parameter still give the flexibilityto embed the client inside scripts.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Screens
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Conclusions
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Drawbacks
I No support for Organization Validation or ExtendedValidation, to hard to automate.
I No support for wildcards (*.example.com), maybe in thefuture.
I Only HTTP challenge is supported (public beta), DNSchallenge support is not already available.
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Resources
I How it works https://letsencrypt.org/howitworks/
I Tech details https://letsencrypt.org/howitworks/technology/
I Read the docs https://letsencrypt.readthedocs.org/
I Community board https://community.letsencrypt.org/
I Code https://github.com/letsencrypt/
I Mailing listsI Client https://groups.google.com/a/letsencrypt.org/
forum/#!forum/client-devI Server https://groups.google.com/a/letsencrypt.org/
forum/#!forum/ca-devI ACME (IETF) https://www.ietf.org/mailman/listinfo/acme
https://letsencrypt.org/howitworks/https://letsencrypt.org/howitworks/technology/https://letsencrypt.readthedocs.org/https://community.letsencrypt.org/https://github.com/letsencrypt/https://groups.google.com/a/letsencrypt.org/forum/#!forum/client-devhttps://groups.google.com/a/letsencrypt.org/forum/#!forum/client-devhttps://groups.google.com/a/letsencrypt.org/forum/#!forum/ca-devhttps://groups.google.com/a/letsencrypt.org/forum/#!forum/ca-devhttps://www.ietf.org/mailman/listinfo/acme
Lets Encrypt! Freecertificates for
everyone!
Nicola Corti
IntroSponsors
History
Why?
Server
Client
ProtocolSecurity
Challenges
The protocol
Cert revocation
CertsDV
Cross Signing
SetupRequirements
Download
Run
Plugins
Revoke
Renewal
Update
Screens
ConclusionsDrawbacks
Resources
Questions...?
ncorti.com@cortinico@cortinico
Made with LATEX Beamer.This presentation is released under licence
Creative Commons - Attributions, Non Commercial, Share-alike.
Sources at https://github.com/cortinico/gulp-letsencrypt
https://ncorti.comhttps://twitter.com/cortinicohttps://github.com/cortinicohttps://github.com/cortinico/gulp-letsencrypt
IntroSponsorsHistoryWhy?
ServerClientProtocolSecurityChallengesThe protocolCert revocation
CertsDVCross Signing
SetupRequirementsDownloadRunPluginsRevokeRenewalUpdateScreens
ConclusionsDrawbacksResources