Edge 2016 acme - lets encrypt your origin

© AKAMAI - EDGE 2016

ACME – Let’s Encrypt Your OriginStephen Ludin – Chief Architect, Akamai – BoD, ISRG


A PKI Primer


Our cast of characters

Alice Bob Eve


A little ditty about Alice and Bob

All Alice and Bob want to do is peacefully pass notes in class without interference

from Eve.


U R Sweete1bf4190ce

U RSweet

e1bf4190ce ???


U RSweet692ha1ac43

U RSweet

e1bf4190ce

U Smell


We have not solved ANYTHING!


How does Bob know this reallyIS Alice’s public key?


Enter, Carol Carol’s job is simple:

• Get Alice’s public key

• Verify that it really is Alice

• Sign Alice’s public key saying “This really is Alice”

• Give her (Carol’s) public key to Bob


X



FreeAutomatic

SecureTransparent

OpenCooperative


TLS Everywhere


Over 10,000,000 active certificatesOver 13,500,000 active domains




Demo


Yes, It’s that easy(mostly)


CreateKey Pair

CreateSignedCSR

Send CSR

To CAValidate

CACreates/

Signs Cert

Install Cert


For many of us…

certbot


Where certbot excels

A small infrastructure• Single webserver for example

Can run certbot on the machine that needs the keyAre running a supported webserverDesigned to be fully automated with little knowledge required


“But, that’s not me!”


(and that’s why you are here)


The Voodoo BehindLet’s Encrypt


ACMEAutomated Certificate

Management Environment


“…a protocol for automating the management of domain-validation

certificates, based on a simple JSON-over-HTTPS interface.”


REST


Something for Everyone

45 Clients14 Libraries

10 Languages


Protocol::ACME



A few notes…


Staging versus Production

acme-staging.api.letsencrypt.org

acme-v01.api.letsencrypt.org

No Rate Limits“Fake” Root

Rate LimitsTrue Root


JWS / Nonce

Everything is Protected with JWS and Nonces:

"header": { "alg":"RS256", "jwk": { "e":"AQAB", "kty":"RSA", "n":"<n> } },"payload" : <payload>,"protected": <protected_header>,"signature": <sig>


Account Key – Your ID

$ openssl genrsa –out account_key.pem 2048


Let’s Code


Getting Started

perlmy $acme = Protocol::ACME->new( host => $le_host,

account_key => $key, mailto => $email );

REST


directory - Get a list of REST end points

perl$acme->directory();

RESTGET: https://<host>/directory


reg / new-reg – Lookup or register account key

perl$acme->register();

RESTPOST: https://<host>/acme/new-regJWS( mailto: <your email> )


Accept Terms of Service

perl$acme->accept_tos();

RESTPOST: https://<host>/acme/reg/IDJWS ( “agreement”: “<TOS URL>” )


authz – Request a validation challenge

perl$acme->authz( $domain );

RESTPOST: https://<host>/acme/reg/IDJWS ( identifier: { type => DNS, value = <domain> } )


Challenges

dns-01: Add a specific TXT record to DNS

tls-sni-01: Provision a specific certificate at the domain

http-01: Place a specific object a the domain


Challenges

Protocol::ACME helps with Challenge automation:• Protocol::ACME::Challenge::SimpleSSH• Protocol::ACME::Challenge::LocalFile• Protocol::ACME::Challenge::Manual

my $challenge = Protocol::ACME::Challenge::SimpleSSH->new(

{ ssh_host => <my_host>, www_root => ”/opt/local/www/htdocs” } )


Handle Challenges

perl$acme->handle_challenge( $challenge );

RESTFollow instructions to do it by hand


Check challenges

perl$acme->check_challenge();

RESTPOST https://<host>/<challenge_id>JWS( keyAuthorization: token + fingerprint )


new-cert: Submit the CSR and get the certificate

perlmy $cert = $acme->sign( $csr );

RESTPOST https://<host>/new-certJWS( csr: <DER encoded CSR> )


The whole thing…

my $acme = Protocol::ACME->new( host => $le_host,account_key => $key, mailto => $email );

$acme->directory();$acme->register();$acme->accept_tos();$acme->authz( $domain );$acme->handle_challenge( $challenge );$acme->check_challenge();my $cert = $acme->sign( $csr );


Install your Certificate


Renew


Questions?

Technology

Edge 2016 acme - lets encrypt your origin