Let's Encrypt 101

# Let's Encrypt 101 ## Why HTTPS? ### Problems ![](https://i.imgur.com/mjiIQwh.png) ![](https://i.imgur.com/j26ErU2.png) ![](https://i.imgur.com/UrJLShb.png) ### HTTPS - 加密 (Encryption) - 資料被竊取後，無法看出原文內容 - 驗證 (Authentication) - 身份驗證 - 完整性 (Integrity) - 避免資料被竄改 ### Require HTTPS - Browser APIs - Service Workers - Geo location - Push Notifications - getUserMedia - App Cache - Encrypted Media Extensions - Third Party API - Line Bot - SEO - Google Search Engine - iOS APP ## How HTTPS Work? ![](https://i.imgur.com/x5Hyv6U.png) - Security Basic - Encryption Basic - Hash Functions - Shared-Key Cryptosystem - Public-Key Cryptosystem - Hybrid Cryptosystem - Diffie-Hellman Key Exchange - Message Authentication Codes - Digital Signatures - Digital Certificates from [Algorithms: Explained and Animated](https://itunes.apple.com/us/app/algorithms-explained-and-animated/id1047532631?mt=8) ### 簡化一下 ![](https://i.imgur.com/aUkEMfV.png) ![](https://i.imgur.com/llok2sb.png) ![](https://i.imgur.com/samZ6W2.png) ![](https://i.imgur.com/fiicPQX.png) - 公鑰/私鑰 - 數位憑證認證機構(CA)(Certificate Authority) - 數位憑證(CSR)(Certificate Signing Request) ### 傳輸層安全性協定 SSL/TLS - ~~SSL 1.0~~ - ~~SSL 2.0~~ - SSL 3.0 IETF將SSL標準化 - TLS 1.0 - TLS 1.1 - TLS 1.2 - TLS 1.3 (草案) ## Let's Encrypt ![](https://i.imgur.com/sPzCDOl.png) ### Automatic Certificate Management Environment (ACME) protocol ![](https://i.imgur.com/vvCfh4H.png) ![](https://i.imgur.com/TjllsiK.png) ### acme.sh ```shell= curl https://get.acme.sh | sh sudo ~/.acme.sh/acme.sh --issue -d yibin.one --webroot /var/www/html # --staging for testing sudo mkdir /etc/apache2/ssl sudo ~/.acme.sh/acme.sh --install-cert -d yibin.one \ --cert-file /etc/apache2/ssl/cert.pem \ --key-file /etc/apache2/ssl/key.pem \ --fullchain-file /etc/apache2/ssl/fullchain.pem \ --reloadcmd "service apache2 force-reload" ``` ### Apache2 SSL Configuration ```shell= # Reference: <VirtualHost *:443> ... SSLEngine on SSLCertificateFile /etc/apache2/ssl/cert.pem SSLCertificateKeyFile /etc/apache2/ssl/key.pem SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem # Uncomment the following directive when using client certificate authentication #SSLCACertificateFile /path/to/ca_certs_for_client_authentication # HSTS (mod_headers is required) (15768000 seconds = 6 months) Header always set Strict-Transport-Security "max-age=15768000" # modern configuration, tweak to your needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on SSLCompression off SSLSessionTickets off </VirtualHost> # OCSP Stapling, only in httpd 2.3.3 and later SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off SSLStaplingCache shmcb:/var/run/ocsp(128000) ``` ### Apache2 HTTP/2 Configuration ```shell= sudo a2enmod http2 ``` ```shell= <VirtualHost *:443> Protocols h2 http/1.1 # (TLS only) </VirtualHost> ``` ## Mix Contents ``` Content-Security-Policy: default-src https:; ``` - [防止混合内容](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content) ### Wildcard Certificates ![](https://i.imgur.com/cJdE1rA.png) ### References - [Let's Encrypt](https://letsencrypt.org/) - [acme.sh](https://github.com/Neilpang/acme.sh) - [Algorithms: Explained and Animated](https://itunes.apple.com/us/app/algorithms-explained-and-animated/id1047532631?mt=8) - [Mozilla Wiki: Security/Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS) - [使用 acme.sh 给 Nginx 安装 Let’ s Encrypt 提供的免费 SSL 证书](https://ruby-china.org/topics/31983) - [sudo without password](https://joshtronic.com/2014/12/21/sudo-without-password/)