LET S ENCRYPT WITH PYTHON WEB APPS. Joe Jasinski Imaginary Landscape

Transcription

1 LET S ENCRYPT WITH PYTHON WEB APPS Joe Jasinski Imaginary Landscape

2 SSL / TLS

3 WHY USE SSL/TLS ON YOUR WEB SERVER?

4 BROWSERS ARE MANDATING IT Firefox 51 and Chrome 56 Non-HTTPS Pages with Password/CC Forms marked as insecure Source: Arstechnica

5 SEARCH ENGINES ARE EXPECTING IT Google Using HTTPS as a ranking signal Google Blog:

6 INDUSTRY RECOMMENDS IT Redirect http to https sitewide https-only sites are becoming the norm Many of the big sites did this years ago

7 STANDARDS REQUIRE IT Required by PCI-DSS Required for HIPPA

8 USERS EXPECT SECURITY

9 ABOUT SSL/TLS

10 CERTIFICATE TYPES Domain Validation (DV) - verify domain ownership Organization Validation (OV) - verify org Extended Validation (EV) - max verification

11 SCOPE *Wildcard example.com foo.example.com Normal Cert (with SAN) example.com bar.example.com baz.example.com *.example.com

12 PROTOCOL VERSIONS SSL1.0 SSL2.0 SSL3.0 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 (Draft)

13 HOW TO GET A CERT (PRIOR TO LET S ENCRYPT)

14

15 GENERATE PRIVATE KEY On Server, openssl genrsa -out example.com.key 2048

16 GENERATE CERTIFICATE SIGNING REQUEST (CSR) On Server: openssl req -new -sha256 -key example.com.key \ -out example.com.csr

17

18

19 SERVE UP A LOCATION FOR THE FILE (AS SPECIFIED BY YOUR CA) Nginx Example: server { listen 80; location /.well-known/random-path { } root /var/www/htdocs/;

20

21

22 server { INSTALL CERT IN WEBSERVER CONFIG Nginx Example: listen 443 ssl http2; ssl_certificate /etc/ssl/mydomain.com/example.com.crt; ssl_certificate_key /etc/ssl/mydomain.com/example.com.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_dhparam /srv/etc/ssl/dhparam.pem; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256: ; ssl_prefer_server_ciphers on;

23 THOUGHTS Lots of manual steps Must be repeated every few years when the certs expire. Process differs slightly between CAs Error prone and time consuming It costs money

24 ENTER LET S ENCRYPT

25 ABOUT Certificate Authority Simplify SSL Certificates Automate SSL Certificates Lots of sponsors: Mozilla, Google, Akami, Cisco, Shopify, Facebook, EFF, more! Make Certs Free Ensure Security Encrypt the entire web! Open Source

26 IT DOES NOT Issue Wildcard certificates Issue Organization Validation (OV) or Extended Validation (EV) certificates. (Only supports Domain Validation (DV) certs)

27 WHERE YOU MIGHT USE IT Good for Personal and Professional sites Dedicated server, AWS EC2, Rackspace Cloud Instance, Digital Ocean Droplet, Google Compute Engine Sites with typically only a few sub-domains. Docker-hosted sites

28 NOT A GOOD FIT PaSS (i.e. Heroku) Blogger, Github Pages, etc. Large orgs with an existing wildcard cert Orgs with need for EV or OV certs Only using IP addresses

29 ACME PROTOCOL Developed by Let s Encrypt Open protocol for SSL Certificate automation Requires Client to be installed on you Webserver

30 LET S ENCRYPT CLIENT Many Implementations (in many languages): All implement the ACME Protocol

31 CERTBOT (THE OFFICIAL CLIENT) Written in Python Developed by Let s Encrypt Supports many modes of operation (can integrate with different web servers) Supported in many OSs (It s Python!)

32

33 HOW TO GET A CERT (WITH LETSENCRYPT)

34 REQUIREMENTS Linux or UNIX-like server Domain name pointed at server Root access to server

35 $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot

36 CONFIGURE LETSENCRYPT $ vim /etc/letsencrypt/cli.ini # increase key size rsa-key-size = 2048 # Or 4096 # this address will receive renewal reminders = domains@example.com # turn off the ncurses UI, so this can be run as a cron job text = True # authenticate by placing a file in the webroot # (under.well-known/acme-challenge/) # and then letting LE fetch it authenticator = webroot webroot-path = /srv/sites/djencrypt/htdocs/letsencrypt

37 CONFIGURE WEBSERVER Update Nginx Config server { listen 80; server_name example.com; } # letsencrypt challenge directory location /.well-known/acme-challenge { root /srv/sites/djencrypt/htdocs/letsencrypt; }... Restart Nginx mkdir /srv/sites/djencrypt/htdocs/letsencrypt

38 RUN CERTBOT sudo certbot \ certonly \ --config /etc/letsencrypt/cli.ini \ -d example.com -d

39 CERT & KEY CREATED /etc/letsencrypt/ archive letsencrypt.jazstudios.com cert1.pem chain1.pem fullchain1.pem privkey1.pem cli.ini csr 0000_csr-certbot.pem keys 0000_key-certbot.pem live letsencrypt.jazstudios.com cert.pem ->../../archive/letsencrypt.jazstudios.com/cert1.pem chain.pem ->../../archive/letsencrypt.jazstudios.com/chain1.pem fullchain.pem ->../../archive/letsencrypt.jazstudios.com/fullchain1.pem privkey.pem ->../../archive/letsencrypt.jazstudios.com/privkey1.pem README renewal letsencrypt.jazstudios.com.conf

40 INSTALL CERT IN WEBSERVER CONFIG Update Nginx Config server { listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/letsencrypt.jazstudios.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/letsencrypt.jazstudios.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Restart Nginx

41 SECURE!

42 CERTIFICATE RENEWAL

43 RENEW sudo certbot \ renew \ --text \ --renew-hook "service nginx restart"

44 RENEW VIA CRON vim /etc/cron.monthly/letsencrypt #!/bin/bash sudo certbot \ renew --text \ --renew-hook "service nginx restart > /var/log/letsencrypt_cron.log 2>&1 chmod 755 /etc/cron.monthly/letsencrypt

45 OTHER CLIENTS

46 ACME.SH

47 SSL RESOURCES

48 SSL TESTER

49 SSL TESTER (SCRIPT)

50 Certbot Website: Related blog posts: letsencrypt-quick-setup/ Mozilla TLS Server Guide

51 QUESTIONS? Joe Jasinski Imaginary Landscape