LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...
LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT......ANDTHECHALLENGESWITHWILDLY
HETEROGENOUSDEPLOYMENTENVIRONMENTS2016
JoonaHoikkala( )
PyConSweden
@joohoi
LET'SENCRYPTLET'SENCRYPTLET'SENCRYPTLET'SENCRYPTLET'SENCRYPTLET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPT
LET'SENCRYPTLET'SENCRYPTTHEAMBITIOUSPLANTOENCRYPT100%OFTHEWEB!
HOWAREWEDOING?Currently 3,112,302 certificatesissued.
Outofwhichroughly twomillion arecurrentlyactive!
UNDERTHEHOODLet'sEncryptCAspeaksAutomatedCertificateManagement
Environmentprotocol- ACME forshort.
OnlyDV,nowildcards,upto100domainsin SAN .
Shortlived- 90d expiration.
OBTAININGCAresolvesIPaddressesofyourdomain(s)frommultiple
locations,andproceedsbyissuingachallenge.
Challengetypes:
tls-sni-01http-01dns-01
AUTOMATIONISTHEKEYShortlifetimes.
Renewingusedtobeannoying.
Keepingupwiththebestpractices.
THEOFFICIALCLIENTAuthenticator / Installer pluginarchitecture.
Easyrenewal.Clientsavesyourconfiguration,andwheninitiated,checksallyouractivecertificates,and renews
(only)theonesexpiringsoon.
PLUGINFLAVORSManual
Standalone
Webroot
Apache
nginx
CONFIGURATIONCONFIGURATIONCONFIGURATIONCONFIGURATIONCONFIGURATIONCONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATION
CONFIGURATIONCONFIGURATIONCHALLENGESINPARSING&MANAGEMENT
THOUSANDANDONEDISTRIBUTIONS......withdifferent packagemanagers .
...withdifferent configurationparadigms .
...withdifferentwaystodetermine flavor .
...PACKAGEMANAGERSDifferenthooks&packagenamesperdistributionfor
dependencies andkeepinguptodate.
OS packaging naturallyongoing,butwe'renew.
...CONFIGURATIONPARADIGMSUsing apache asanexample.
Prettymucheverymajordistributionisusingadifferentone.
Notonlythe VirtualHost configs,but controlscripts etc.aswell.
...OSDETECTIONlsb_release,redhat-release,sles-release...
platform.linux_distribution()is deprecated ,andgoingtogetremoved in3.7
HOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGIT
HOWWE'REHANDLINGITHOWWE'REHANDLINGIT
BOOTSTRAPPINGInstallingtheospackagedependencies
Bootstrappingthe virtualenv forclient.
pip8 incorporatingfunctionalityof peep .
LINUXDISTRIBUTIONFINGERPRINTINGSystemd /etc/os-release
VERSION_ID and ID .
Abletoidentifyminorforksofdistributionsby LIKE
CONFIGURATIONPARSINGAugeas -librarywritteninC,withpythonbindings.
Supportswidevarietyofdifferentconfigurationformats,andlocationsthroughtemplatescalled lenses
Createsa DOM liketreestructurerepresentation.
Uses XPath conventionformatching.
PARSINGANDWRITINGCONFIGFILESAugeasallowsustohopintorelevant IfDefine statements,
ie.smartparsing.
Findoutwhichfilehas ServerName / ServerAlias fordomainwe'reinstallingthecertificatefor.
Provideseasywaytowriteto,andsavethemodifiedfiles.
QUESTIONS?-Let'sEncryptclient
-Let'sEncryptproject
-Let'sEncryptCA
-ACME
-Augeas
https://github.com/certbot/certbot
https://letsencrypt.org
https://github.com/letsencrypt/boulder
https://tools.ietf.org/html/draft-ietf-acme-acme-02
http://augeas.net
@joohoi
