Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Lets Encrypt! Free certificates for everyone!

Nicola Corti

Gruppo Utenti Linux Pisa

03 February 2016

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Introduction

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

What is Lets Encrypt?

Lets Encrypt is a Certification Authority (CA) that issue freeSSL/TLS certificates

I From 5 December 2015 L.E. is available in Public BetaI L.E. has released more than 480 k certificatesI Its major focus is automation of processes.I https://letsencrypt.org/

https://letsencrypt.org/

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Sponsors

Whos behind the project?

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

History

2012 Project begins insideMozilla11-2014 Lets Encrypt publicly announced01-2015 The ACME protocol submitted to IETF for

standardization04-2015 ISRG (Internet Security Research Group) and

Linux Foundation join the project09-2015 Issued the first certificate for

helloworld.letsencrypt.org10-2015 L.E. intermediate certificate becomes cross-signed

by IdenTrust. (Lets Encrypt is trusted!)12-2015 Public beta!

https://helloworld.letsencrypt.org/

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Why?

I Free

I Automated

I Open

I Secure

I Transparent

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Server

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Boulder

ArchitectureThe Lets Encrypt system is based on 3 components: a server, aclient and the protocol that defines the communication rulesbetween server and client

The server is called Boulder and its completely written in Go. Itsresponsible of handling all the procedures for issuing, renewaland revocation of certificates.

Its basically an HTTPS server that exposes a RESTful interface.

https://github.com/letsencrypt/boulder

https://github.com/letsencrypt/boulder

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Client

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

letsencrypt

The client is called (obviously) letsencrypt and its completelywritten in Python. Its responsible for interaction with the remoteserver and it handles your certificates.

I Download through .deb package letsencrypt (only ondebian sid/stretch).

I Clone the git repository.

https://github.com/letsencrypt/letsencrypt

https://github.com/letsencrypt/letsencrypt

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Plugins

The clients main purpose is to simplify and automate the wholeprocess of authentication and creation of the certificate.

For this reason the client comes with several plugins, useful toautomatically setup the new certificates on popular web servers:apache and nginx.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Protocol

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

ACME

The procol use by Lets Encrypt is called Automated CertificateManagement Environment (ACME).

ACME is based on exchanges of signed JSON files (a.k.a. JWS,Json Web Signature). These documents contains all therequests and the responses between the client and the server.

These documentsmust be exchanged over HTTPS.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

ACME

https://github.com/letsencrypt/acme-spec

https://github.com/letsencrypt/acme-spec

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

ACME

The ACME protocol is aimed to:

1. Prove that we are the owners of a specific domain, sayexample.com

2. Obtain a new certificate for the domain example.com

3. Revoke or Renew a certificate for the domain example.com

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Security

All the interactions between client and servers are encryptedwith a public/private key pair generated during the firstexecution of the client.

In order to prove that we are the owners of the domain, theserver sends us a set of challenges that we must solve.

Every interaction with the server is marked with a nonce numberthat allows to avoid Replay attacks.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Challenges

The server can decide to send one or more challenge from thefollowings:

Type DescriptionSimple HTTP Youmust place a token file inside your web-

server root folder. Both HTTP and HTTPSare accepted

DNS You must provide a token inside a TXTrecord of your DNS server

Proof of possession You must sign a document using a keypair that the

server already consider yours

Domain Validation with

Server Name Indication

You must configure a TLS server on a specific IP ad-

dress (through an A record inside the DNS).

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Domain Validation

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Domain Validation

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Certificate Issuance

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Certificate Revocation

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Certificates

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

DV Certificates

DVAll the certificates issue from L.E. are Domain Validatedcertificates. They basically prove that you are the owner of aspecific domain, nothing more.

Organization Validation and Extended Validation certificatesrequires to explicit verify the identity of the subject that isrequesting a certificate.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Cross Signing

All the issued certificates are Cross-signed by IdenTrust. In thisway, all the L.E. certificates are trusted by major browsers.

We can avoid browser errors such as:

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Cross Signing

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Validity

All the certificates have a 90 days validity. After the expiry, thecertificates are not valid anymore and the browsers will raisesecurity errors.

90-days validityThis is nothing new on the web. Having certificates with areduced validity could help to limit damage from keycompromise and mis-issuance.

You will receive remind emails whenever a certificate is near toexpire. Certificate renewal can be automated with a cron task.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Setup

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Requirements

The client minimal requirements are:I Unix like system.I Python 2.6 or 2.7.I root rights on the system.

The apache setup plugins works only on Debian based system:Ubuntu 12.04+ and Debian 7+

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Download

First, lets download the letsencrypt client.

On Debian sid/stretch:

$ sudo apt-get install letsencrypt

$ letsencrypt --help

On other OS:

$ git clone https://github.com/letsencrypt/letsencrypt

$ cd letsencrypt

$ ./letsencrypt-auto --help

From now on we will use letsencrypt-auto for all the commands,assuming to proceed with clone of the repository.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Run

To execute the client you simply have to invoke:

$ ./letsencrypt-auto

We will be guided through the issuing process

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Apache

If you want to automatically configure Apache with thegenerated certificates you can invoke:

$ ./letsencrypt-auto --apache -d example.com -d www.example.com

With --apache we are enabling the apache plugin, and with -d weare giving the list of involved domains.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Contacts

During the first run, the client will ask for ourmail address and itwill request to accept the Terms of service.

You can skip these steps using these flags:

$ ./letsencrypt-auto --email admin@example.com --agree-tos

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Plugins

Plugin A I DescrizioneApache Y Y Obtain and setup automatically the certs. on

Apache 2.4 (Debian based)

Standalone Y N Obtain the cert with a standalone web serveron ports 80/443

Webroot Y N Obtain a certificate touching a token inside theroot folder of an already existing webserver

Manual Y N Prints the commands to manually obtain thecerts from a different client

Nginx Y Y Obtain and setup automatically the certs. onnginx (experimental)

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

certonly

You can use the plugins with authentication support (A column)just to obtain the certificates without installation.

Simply add the option certonly to the command line.

Standalone example$ ./letsencrypt-auto --standalone-supported-challenges \

http-01 certonly -d example.com

This command will start a standalone webserver on port 80 andit will obtain the certificate for example.com

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

/etc/letsencrypt

All the certificates and the auth keys will be saved into/etc/letsencrypt.

Inside this folder you will find all the certificates and all thepublic/private keys. Its extremely recommended to make abackup of this folder to a secure place.

Inside /etc/letsencrypt/live/example.com/ you will findsymlinks that will be updated after every renewal.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

/etc/letsencrypt

You will find the following files:privkey.pem Private key of the certificate. DO NOT SHARE IT!

cert.pem Webserver certificate (sent to the browser).chain.pem List of all the intermediate certificates connected

to this certificate.fullchain.pem cert.pem + chain.pem

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Revoke

To revoke a certificate you can simply use the option revoke.

$ /.letsencrypt-auto revoke --cert-path example-cert.pem

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Renewal

The renewal process its extremely easy, you can simply invokeletsencrypt without parameters.

You can also use the --renew-by-default to perform theautomatic renewal of the certificate without user interaction.

In this way, its possible to schedule a cron task to automaticallyrenew the certificates before the expiry.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Update

Since Lets Encrypt its a public beta, its fundamental to keep theclient up to date.

On Debian sid/stretch:

$ apt-get update && apt-get upgrade

On other OS:

$ cd letsencrypt

$ git pull

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

General usage

During everyday usage, you can simply invoke letsencryptwithout parameters. The terminal UI will guide you through thedesidered process.

You simply have to answer to the client questions.

Having only too much parameters could be hard to remember.The UI will help on this, but the parameter still give the flexibilityto embed the client inside scripts.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Screens

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Conclusions

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Drawbacks

I No support for Organization Validation or ExtendedValidation, to hard to automate.

I No support for wildcards (*.example.com), maybe in thefuture.

I Only HTTP challenge is supported (public beta), DNSchallenge support is not already available.

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Resources

I How it works https://letsencrypt.org/howitworks/

I Tech details https://letsencrypt.org/howitworks/technology/

I Read the docs https://letsencrypt.readthedocs.org/

I Community board https://community.letsencrypt.org/

I Code https://github.com/letsencrypt/

I Mailing listsI Client https://groups.google.com/a/letsencrypt.org/

forum/#!forum/client-devI Server https://groups.google.com/a/letsencrypt.org/

forum/#!forum/ca-devI ACME (IETF) https://www.ietf.org/mailman/listinfo/acme

https://letsencrypt.org/howitworks/https://letsencrypt.org/howitworks/technology/https://letsencrypt.readthedocs.org/https://community.letsencrypt.org/https://github.com/letsencrypt/https://groups.google.com/a/letsencrypt.org/forum/#!forum/client-devhttps://groups.google.com/a/letsencrypt.org/forum/#!forum/client-devhttps://groups.google.com/a/letsencrypt.org/forum/#!forum/ca-devhttps://groups.google.com/a/letsencrypt.org/forum/#!forum/ca-devhttps://www.ietf.org/mailman/listinfo/acme

Lets Encrypt! Freecertificates for

everyone!

Nicola Corti

IntroSponsors

History

Why?

Server

Client

ProtocolSecurity

Challenges

The protocol

Cert revocation

CertsDV

Cross Signing

SetupRequirements

Download

Run

Plugins

Revoke

Renewal

Update

Screens

ConclusionsDrawbacks

Resources

Questions...?

ncorti.com@cortinico@cortinico

Made with LATEX Beamer.This presentation is released under licence

Creative Commons - Attributions, Non Commercial, Share-alike.

Sources at https://github.com/cortinico/gulp-letsencrypt

https://ncorti.comhttps://twitter.com/cortinicohttps://github.com/cortinicohttps://github.com/cortinico/gulp-letsencrypt

IntroSponsorsHistoryWhy?

ServerClientProtocolSecurityChallengesThe protocolCert revocation

CertsDVCross Signing

SetupRequirementsDownloadRunPluginsRevokeRenewalUpdateScreens

ConclusionsDrawbacksResources