LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...

LET'SENCRYPTCLIENT...LET'SENCRYPTCLIENT......ANDTHECHALLENGESWITHWILDLY

HETEROGENOUSDEPLOYMENTENVIRONMENTS2016

JoonaHoikkala( )

PyConSweden

@joohoi

LET'SENCRYPTLET'SENCRYPTLET'SENCRYPTLET'SENCRYPTLET'SENCRYPTLET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPT

LET'SENCRYPTLET'SENCRYPTTHEAMBITIOUSPLANTOENCRYPT100%OFTHEWEB!

HOWAREWEDOING?Currently 3,112,302 certificatesissued.

Outofwhichroughly twomillion arecurrentlyactive!

UNDERTHEHOODLet'sEncryptCAspeaksAutomatedCertificateManagement

Environmentprotocol- ACME forshort.

OnlyDV,nowildcards,upto100domainsin SAN .

Shortlived- 90d expiration.

OBTAININGCAresolvesIPaddressesofyourdomain(s)frommultiple

locations,andproceedsbyissuingachallenge.

Challengetypes:

tls-sni-01http-01dns-01

AUTOMATIONISTHEKEYShortlifetimes.

Renewingusedtobeannoying.

Keepingupwiththebestpractices.

THEOFFICIALCLIENTAuthenticator / Installer pluginarchitecture.

Easyrenewal.Clientsavesyourconfiguration,andwheninitiated,checksallyouractivecertificates,and renews

(only)theonesexpiringsoon.

PLUGINFLAVORSManual

Standalone

Webroot

Apache

nginx

CONFIGURATIONCONFIGURATIONCONFIGURATIONCONFIGURATIONCONFIGURATIONCONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATION

CONFIGURATIONCONFIGURATIONCHALLENGESINPARSING&MANAGEMENT

THOUSANDANDONEDISTRIBUTIONS......withdifferent packagemanagers .

...withdifferent configurationparadigms .

...withdifferentwaystodetermine flavor .

...PACKAGEMANAGERSDifferenthooks&packagenamesperdistributionfor

dependencies andkeepinguptodate.

OS packaging naturallyongoing,butwe'renew.

...CONFIGURATIONPARADIGMSUsing apache asanexample.

Prettymucheverymajordistributionisusingadifferentone.

Notonlythe VirtualHost configs,but controlscripts etc.aswell.

...OSDETECTIONlsb_release,redhat-release,sles-release...

platform.linux_distribution()is deprecated ,andgoingtogetremoved in3.7

HOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGITHOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGIT

HOWWE'REHANDLINGITHOWWE'REHANDLINGIT

BOOTSTRAPPINGInstallingtheospackagedependencies

Bootstrappingthe virtualenv forclient.

pip8 incorporatingfunctionalityof peep .

LINUXDISTRIBUTIONFINGERPRINTINGSystemd /etc/os-release

VERSION_ID and ID .

Abletoidentifyminorforksofdistributionsby LIKE

CONFIGURATIONPARSINGAugeas -librarywritteninC,withpythonbindings.

Supportswidevarietyofdifferentconfigurationformats,andlocationsthroughtemplatescalled lenses

Createsa DOM liketreestructurerepresentation.

Uses XPath conventionformatching.

PARSINGANDWRITINGCONFIGFILESAugeasallowsustohopintorelevant IfDefine statements,

ie.smartparsing.

Findoutwhichfilehas ServerName / ServerAlias fordomainwe'reinstallingthecertificatefor.

Provideseasywaytowriteto,andsavethemodifiedfiles.

QUESTIONS?-Let'sEncryptclient

-Let'sEncryptproject

-Let'sEncryptCA

-ACME

-Augeas

/joona@kuori.org

https://github.com/certbot/certbot

https://letsencrypt.org

https://github.com/letsencrypt/boulder

https://tools.ietf.org/html/draft-ietf-acme-acme-02

http://augeas.net

@joohoi