Let's Encrypt client deployment challenges, PyCon Sweden 2016


Posted on 20-Jan-2017


Category:

Software


TRANSCRIPT

  • LET'S ENCRYPT CLIENT... AND THE CHALLENGES WITH WILDLY HETEROGENEOUS DEPLOYMENT ENVIRONMENTS
    PyCon Sweden 2016
    Joona Hoikkala (@joohoi)
    https://twitter.com/pyconse
    https://twitter.com/joohoi

  • LET'S ENCRYPT
    The ambitious plan to encrypt 100% of the web!

  • HOW ARE WE DOING?
    Currently 3,112,302 certificates issued.
    Out of which roughly two million are currently active!

  • UNDER THE HOOD
    The Let's Encrypt CA speaks the Automated Certificate Management Environment protocol, ACME for short.
    Only DV, no wildcards, up to 100 domains in the SAN.
    Short-lived: 90-day expiration.

  • OBTAINING
    The CA resolves the IP addresses of your domain(s) from multiple locations, and proceeds by issuing a challenge.
    Challenge types: tls-sni-01, http-01, dns-01
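What the client has to compute once the CA hands it a challenge token, as an added example in standard-library Python (this is not certbot's code, and only http-01 and dns-01 are shown; tls-sni-01 has since been retired by Let's Encrypt). Both challenge types derive from the same key authorization, `token.thumbprint`, where the thumbprint is the RFC 7638 hash of the account's public key. The example key is the RSA test key published in RFC 7638 section 3.1, so its thumbprint is a known answer; the tokens are constructed. The token check before building a path is an assumption of this example, the kind of guard a client writing into a webroot needs so that a hostile token cannot become `../`:

```python
import base64
import hashlib
import json
import re

# Public half of the RSA test key from RFC 7638 section 3.1 (also RFC 7517 Appendix A.1).
# 'alg' and 'kid' are present on purpose: a correct thumbprint must ignore them.
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# ACME tokens are base64url strings; anything else must never reach a filesystem path (assumed guard).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data):
    """Base64url without padding, as JOSE and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token '.' thumbprint, proving the challenge response came from this account key."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it in a path or DNS record")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token, jwk):
    """(URL path, response body) the web server has to serve for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token, jwk):
    """Value of the _acme-challenge.<domain> TXT record for dns-01:
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    print("thumbprint :", jwk_thumbprint(EXAMPLE_JWK))
    print("http-01    :", http01_response(token, EXAMPLE_JWK))
    print("dns-01 TXT :", dns01_txt_value(token, EXAMPLE_JWK))
```

The CA's validators fetch the http-01 path over plain HTTP (following redirects) or query the TXT record from several vantage points, which is why the response must be reachable from the public Internet and not only from the host itself.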

  • AUTOMATION IS THE KEY
    Short lifetimes.
    Renewing used to be annoying.
    Keeping up with the best practices.

  • THE OFFICIAL CLIENT
    Authenticator / Installer plugin architecture.
    Easy renewal: the client saves your configuration and, when initiated, checks all your active certificates and renews (only) the ones expiring soon.

  • PLUGIN FLAVORS
    Manual
    Standalone
    Webroot
    Apache
    nginx

  • CONFIGURATION: CHALLENGES IN PARSING & MANAGEMENT

  • THOUSAND AND ONE DISTRIBUTIONS...
    ...with different package managers.
    ...with different configuration paradigms.
    ...with different ways to determine flavor.

  • ...PACKAGE MANAGERS
    Different hooks & package names per distribution for dependencies and keeping up to date.
    OS packaging is naturally ongoing, but we're new.

  • ...CONFIGURATION PARADIGMS
    Using apache as an example.
    Pretty much every major distribution is using a different one.
    Not only the VirtualHost configs, but control scripts etc. as well.

  • ...OS DETECTION
    lsb_release, redhat-release, sles-release...
    platform.linux_distribution() is deprecated, and going to get removed in 3.7 (it was in fact removed in Python 3.8).

  • HOW WE'RE HANDLING IT

  • BOOTSTRAPPING
    Installing the OS package dependencies.
    Bootstrapping the virtualenv for the client.
    pip 8 incorporating the functionality of peep (hash-checked requirement installs).

  • LINUX DISTRIBUTION FINGERPRINTING
    systemd /etc/os-release: VERSION_ID and ID.
    Able to identify minor forks of distributions by ID_LIKE.
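The os-release lookup described on this slide, as an added example in standard-library Python (not the client's own code). It parses the shell-style `KEY=VALUE` lines, reads `ID` and `VERSION_ID`, and when the distribution itself is unknown walks `ID_LIKE` so that a fork such as a Ubuntu or Debian derivative is handled like its upstream. The sample file content, the distribution name and the family table are constructed for the example; the `/usr/lib/os-release` fallback path is the one documented for systemd:

```python
import shlex

# Constructed sample in /etc/os-release format: a fork that identifies its upstream via ID_LIKE.
SAMPLE_OS_RELEASE = """\
NAME="ExampleFork Linux"
VERSION="3.1 (nautilus)"
ID=examplefork
ID_LIKE="ubuntu debian"
VERSION_ID="3.1"
PRETTY_NAME="ExampleFork Linux 3.1"
# comments and blank lines are allowed by the format

HOME_URL="https://example.invalid/"
"""

# Assumed mapping from upstream ID to the packaging family an installer has to script for.
FAMILY_OF = {
    "debian": "deb", "ubuntu": "deb",
    "rhel": "rpm", "centos": "rpm", "fedora": "rpm", "sles": "rpm", "opensuse": "rpm",
    "arch": "pacman",
}


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict.

    Values may be unquoted, "double"- or 'single'-quoted; shlex does the unquoting.
    Comment lines, blank lines and lines without '=' are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)
        except ValueError:          # unbalanced quote: keep the raw value rather than crash
            parts = [value]
        fields[key.strip()] = parts[0] if parts else ""
    return fields


def read_os_release(paths=("/etc/os-release", "/usr/lib/os-release")):
    """Read the first os-release file present; /usr/lib/os-release is the documented fallback."""
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                return parse_os_release(fh.read())
        except FileNotFoundError:
            continue
    return {}


def identify(fields):
    """Return (id, version_id, family).

    The distribution's own ID wins; otherwise ID_LIKE is tried in order, most specific
    first, so 'ubuntu debian' resolves a Ubuntu fork to the deb family via 'ubuntu'.
    """
    distro = fields.get("ID", "linux")
    version = fields.get("VERSION_ID", "")
    for candidate in [distro] + fields.get("ID_LIKE", "").split():
        if candidate in FAMILY_OF:
            return distro, version, FAMILY_OF[candidate]
    return distro, version, "unknown"


if __name__ == "__main__":
    print(identify(parse_os_release(SAMPLE_OS_RELEASE)))
    print(identify(read_os_release()))  # whatever this host reports, or 'unknown'
```

Treat the result as a hint, not a guarantee: os-release is a plain text file the administrator can edit, so a bootstrap script that chooses package names or control scripts from it should still verify that the expected package manager exists before calling it.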

  • CONFIGURATION PARSING
    Augeas: a library written in C, with Python bindings.
    Supports a wide variety of different configuration formats, and locations, through templates called lenses.
    Creates a DOM-like tree structure representation.
    Uses XPath-style path expressions for matching.

  • PARSING AND WRITING CONFIG FILES
    Augeas allows us to hop into relevant IfDefine statements, i.e. smart parsing.
    Find out which file has the ServerName / ServerAlias for the domain we're installing the certificate for.
    Provides an easy way to write to, and save, the modified files.
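The lookup the two slides above describe (which file's VirtualHost serves the domain, honouring enclosing IfDefine blocks), as an added example. Certbot does this through Augeas and its Httpd lens; the code below is a deliberately small hand-rolled stand-in in standard-library Python, not the client's code, written to show the matching rules rather than replace a real parser: ServerName matches exactly (case-insensitively, with an optional scheme and port stripped), ServerAlias entries may use Apache's `*` and `?` wildcards, and a VirtualHost inside `<IfDefine SSL>` only counts when `SSL` was passed with `-D`. The config files, file names and domains are constructed:

```python
import fnmatch
import re

# Constructed Apache fragments in a Debian-like layout; real files also carry Include directives,
# which this stand-in ignores.
SAMPLE_CONFIGS = {
    "sites-available/example.conf": """\
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com *.example.com
    DocumentRoot /var/www/example
</VirtualHost>
<VirtualHost *:80>
    ServerName intranet.test
</VirtualHost>
""",
    "sites-enabled/ssl.conf": """\
# the :443 host only exists when apache is started with -D SSL
<IfDefine SSL>
<VirtualHost *:443>
    ServerName https://example.com:443
    SSLEngine on
</VirtualHost>
</IfDefine>
<IfDefine !SSL>
<VirtualHost *:443>
    ServerName nossl.test
</VirtualHost>
</IfDefine>
""",
}

OPEN_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def _hostname(token):
    """'https://Example.com:443' -> 'example.com'; ServerName may carry scheme and port."""
    return re.sub(r"^[a-z]+://", "", token, flags=re.I).split(":")[0].lower()


def iter_vhosts(text, defines):
    """Yield (address, [(hostname, is_alias), ...]) for each VirtualHost whose enclosing
    IfDefine conditions hold for the given set of -D parameters."""
    active = []      # truth value of each enclosing <IfDefine>, innermost last
    current = None   # [address, names, opened_while_active] of the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_TAG.match(line)
        if m:
            tag = m.group(1).lower()
            if tag == "ifdefine" and active:
                active.pop()
            elif tag == "virtualhost" and current is not None:
                if current[2]:
                    yield current[0], current[1]
                current = None
            continue
        m = OPEN_TAG.match(line)
        if m:
            tag, arg = m.group(1).lower(), m.group(2).strip()
            if tag == "ifdefine":
                negated = arg.startswith("!")
                active.append((arg.lstrip("!") in defines) != negated)
            elif tag == "virtualhost":
                current = [arg, [], all(active)]
            continue
        if current is not None and all(active):
            directive, *args = line.split()
            if directive.lower() == "servername" and args:
                current[1].append((_hostname(args[0]), False))
            elif directive.lower() == "serveralias":
                current[1].extend((_hostname(a), True) for a in args)


def find_vhosts_for(domain, config_files, defines=frozenset()):
    """Return [(filename, address, matched_name)] for every active VirtualHost serving domain."""
    domain = domain.lower()
    hits = []
    for filename, text in config_files.items():
        for address, names in iter_vhosts(text, defines):
            for name, is_alias in names:
                if (is_alias and fnmatch.fnmatchcase(domain, name)) or (not is_alias and domain == name):
                    hits.append((filename, address, name))
                    break
    return hits


if __name__ == "__main__":
    for dom in ("example.com", "shop.example.com", "nossl.test"):
        print(dom, "->", find_vhosts_for(dom, SAMPLE_CONFIGS, {"SSL"}))
```

The wildcard match is what makes the choice non-obvious: `shop.example.com` is served by the `*.example.com` alias, so an installer that only compared ServerName would report no VirtualHost and either fail or, worse, create a duplicate one.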

  • QUESTIONS?
    - Let's Encrypt client: https://github.com/certbot/certbot
    - Let's Encrypt project: https://letsencrypt.org
    - Let's Encrypt CA: https://github.com/letsencrypt/boulder
    - ACME: https://tools.ietf.org/html/draft-ietf-acme-acme-02
    - Augeas: http://augeas.net
    joona@kuori.org / @joohoi (https://twitter.com/joohoi)