Preface

Once upon a time, the Internet was a wild, open world in which anyone could publish a website and exchange information. Yet unchecked growth brought chaos as well as prosperity. Swarms of counterfeiters got busy: under a borrowed identity anyone could put up a fake copy of a website, and once exposed, they simply switched to another identity and carried on cheating. All private messages were transmitted in plain text, and nobody knew how many people were listening in on them. The unsuspecting public was cheated out of its money, which wronged not only the victims but also the legitimate site owners.

Since then, the authorities have rolled out a series of measures to clean up the Internet. In industry, an encrypted digital certificate became popular: it not only authenticates the identity of the website owner but also provides encryption, integrity verification and tamper-proofing for data in transit. This is the HTTPS certificate, a simple but extremely effective solution.

Today, HTTPS certificates have become a prerequisite for payment transactions, third-party integrations (such as WeChat mini programs) and other scenarios, as well as a minimum security standard for many websites.

However, applying for an HTTPS certificate from a certificate issuing agency usually costs thousands of yuan a year, which is a large expense for individual webmasters or small businesses.

Until one day a mysterious organization appeared out of nowhere: Let’s Encrypt. Its vision is to make certificates available to websites around the world, creating a more secure and connected web. This is simply good news for individual webmasters and small and medium-sized websites!

Thanks to the ongoing efforts of Let’s Encrypt, more than 180 million web sites have applied for free HTTPS certificates to date.

Although Let’s Encrypt’s free certificates have been available for several years, I still find that many sites, even some fairly “well-known” ones, have no certificate. Like this one:

Maybe they are not done fighting yet. HTTPS certificate? Security? Doesn’t exist! The seal is gone! ╮(╯▽╰)╭

Therefore, I think it is worth talking about how to apply for this certificate, and along the way how to use it in the currently popular Kubernetes cluster.

Apply for an HTTPS wildcard certificate

In the early days of Let’s Encrypt, certificates could be applied for only one domain name at a time; each subdomain required a new certificate. Although the application process can be fully automated, a wildcard certificate covering the whole domain is still necessary for larger websites.

Finally, on March 13, 2018, Let’s Encrypt made wildcard certificates available. Next, we will apply for a Let’s Encrypt wildcard certificate.

First, let’s take a look at how Let’s Encrypt validates a certificate application.

Let’s Encrypt provides three ways to validate ownership of a domain name.

  • http-01 validation: the Let’s Encrypt server must be able to reach port 80 of the domain. A randomly generated TOKEN is placed at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> on the domain being validated to prove ownership.
  • tls-alpn-01 validation: the Let’s Encrypt server must be able to reach port 443 of the domain. It uses a custom ALPN protocol so that only servers that know about this validation type respond to validation requests. This also makes requests for this challenge type more secure, because they use an SNI field matching the domain being validated.
  • dns-01 validation: a specific value must be placed in a DNS TXT record of the domain to prove ownership. The randomly generated TOKEN goes into the TXT record of _acme-challenge.<YOUR_DOMAIN>, which the Let’s Encrypt server queries for confirmation.

When applying for a wildcard certificate, only the third method, dns-01 validation, is supported.

Let’s Encrypt has also been kind enough to provide automatic integration with many DNS providers. However, don’t get your hopes up: most of them are foreign, and the only domestic one seems to be Alibaba Cloud DNS. If your DNS provider isn’t on the list, that’s fine, because mine isn’t either, so we do it manually.

Note that the certificate requested by Let’s Encrypt is only valid for 90 days.

Check the DNS

First, make sure your DNS server is reachable from the Internet. Most mainstream public cloud DNS services are fine; if you run your own DNS or use a niche provider, you are on your own.

DNSViz can analyze a domain’s DNS resolution setup. It is very simple to use: enter the domain name and wait a few minutes. The report is very detailed and helps find many problems with the DNS configuration. The page below shows the analysis of the status of the DNS servers.

Add a CAA (Certification Authority Authorization) record

CAA is also a DNS record; it allows the site owner to specify which certificate authorities (CAs) are allowed to issue certificates containing their domain name. It was mainly intended to prevent mis-issuance of certificates and is now a mandatory check that CAs must perform.

The most common CAA error is a SERVFAIL, which might look like this.

DNS problem: SERVFAIL looking up CAA for www.example.com

This means the CAA lookup at your DNS service failed, returned nothing, or is not supported. First, make sure your DNS provider supports CAA; currently all mainstream public cloud providers do. Then add a CAA record.

For a certificate issued by Let’s Encrypt, the record value must be: 0 issue "letsencrypt.org"

CAA lookups have a precedence: a CAA record can be set on a subdomain or on a parent domain, and the lookup uses the record set on the closest matching name (walking up from the requested name towards the parent domains).
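The lookup just described, as an added example that is not part of the original post: the climb from the requested name to its parents, and the issue/issuewild rule that decides whether a given CA may issue, run over a constructed zone (all names and records here are hypothetical).

```python
# Added example, not from the post: the CAA lookup a CA performs before issuing
# (RFC 8659), run over a constructed zone. Names and records are hypothetical.
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]        # (flags, tag, value)

# Constructed zone: name -> CAA RRset. ";" as the issue value means "no CA may issue".
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "shop.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "issuewild", "digicert.com")],
}


def parent_chain(fqdn: str) -> List[str]:
    """a.b.example.com -> [a.b.example.com, b.example.com, example.com, com]"""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_rrset(fqdn: str, zone: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """Climb towards the root; the first non-empty CAA RRset is the relevant one.
    A wildcard name (*.example.com) starts the climb at example.com."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    for candidate in parent_chain(name):
        if zone.get(candidate):
            return zone[candidate]
    return None


def ca_may_issue(fqdn: str, ca: str, zone: Dict[str, List[CaaRecord]] = ZONE) -> bool:
    """Apply the issue / issuewild rules of RFC 8659 sections 4.2 and 4.3."""
    rrset = relevant_rrset(fqdn, zone)
    if rrset is None:
        return True                      # no CAA anywhere up the tree: unrestricted
    tag = "issue"
    if fqdn.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                # for wildcard requests issuewild overrides issue
    # The value is "issuer-domain [; parameters]"; keep only the issuer domain.
    allowed = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not allowed:
        return True                      # RRset has no issue-type record (e.g. only iodef)
    return ca.lower() in allowed
```

A real CA treats a SERVFAIL on the CAA lookup, the error quoted above, as a failure and refuses to issue; that is stricter than the "no record found" case modelled here, which is why a broken CAA setup blocks issuance even when you never added a record.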

Install certbot

Certbot is a client program that automatically applies for domain certificates from Let’s Encrypt. It also provides a variety of plug-ins that automate application and deployment for a variety of systems and web servers.

Installation is also very simple: choose the installation instructions for your operating system and web server on the official website.

For example, the CentOS system is installed as follows.

sudo yum install certbot

To apply for a wildcard certificate, install version 1.0.0 or later.

Obtain the wildcard certificate manually

After the installation is complete, run the following command to apply for a certificate (replace *.example.com below with your own domain name).

certbot certonly --manual -d *.example.com --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory

To support wildcard certificates, Let’s Encrypt updated its ACME protocol implementation; only ACME v2 supports wildcards, so we point at the v2 API with --server.

First, certbot asks us to confirm.

It then generates a random token value that we need to add to a DNS TXT record.

Open the DNS resolution console and add TXT records, similar to the following.

To make sure the record has been set up successfully, run the following command to query it:

dig -t TXT _acme-challenge.example.com @8.8.8.8

The returned record value should be the TOKEN we were given earlier.

_acme-challenge.example.com. 300 IN TXT "7q1qb... IAj4"

Once the record is in place, return to the previous command line and press Enter.

Wait a moment; if the following output appears, the application succeeded!
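Where the TXT value comes from and how to check the dig answer before pressing Enter, as an added example that is not certbot’s code: per RFC 8555 the value certbot shows is base64url(SHA-256(token "." thumbprint-of-account-key)), not the raw token, so it can be recomputed and compared. The account key, token and dig output below are constructed, not real.

```python
# Added example, not certbot's code: derive the dns-01 TXT value (RFC 8555 section 8.4)
# and check a dig answer against it. Account key, token and dig output are constructed.
import base64, hashlib, json, re


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# One dig answer line: <name> <ttl> IN TXT "<value>"
TXT_LINE = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+"(?P<value>[^"]*)"')


def txt_values_from_dig(dig_output: str, name: str) -> list:
    """Collect the TXT strings dig reports for `name` (names compared case-insensitively)."""
    wanted = name.rstrip(".").lower() + "."
    values = []
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        if m and m.group("name").lower() == wanted:
            values.append(m.group("value"))
    return values


def txt_record_ready(dig_output: str, domain: str, expected: str) -> bool:
    """True once the expected value is published. Extra strings (a second challenge for
    the same name, or a stale one) do not hurt: the CA accepts any matching TXT string."""
    return expected in txt_values_from_dig(dig_output, f"_acme-challenge.{domain}")


# Constructed inputs: not a real account key, just the shape of one.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-token-a1b2c3"
EXPECTED = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
SAMPLE_DIG = f'_acme-challenge.example.com. 300 IN TXT "{EXPECTED}"\n'
```

Query the domain’s authoritative name servers rather than only a public resolver when checking, so a negative answer cached at the resolver does not make you wait out a TTL.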

The certificate we obtained is placed in the path shown in the output, mainly four files:

  • cert.pem: the certificate
  • chain.pem: the certificate chain
  • fullchain.pem: the complete certificate chain, i.e. cert.pem and chain.pem concatenated
  • privkey.pem: the private key

Configuring the certificate

After obtaining the certificate, it’s our turn to use it. Since we are using it in a Kubernetes cluster, there may be the following places to configure.

CDN / object storage

The Kubernetes cluster hosts our services, but static resources are better hosted on a CDN or an object storage service (such as S3 or OSS).

The CDN or object storage service we use usually has domain name and HTTPS settings; every console is different, but they are all much the same.

The main steps are to configure the domain name, enable HTTPS, and upload the fullchain.pem certificate chain and the privkey.pem private key file we obtained. After the configuration is complete, it usually takes effect after a while, and the configured domain name can then be accessed over HTTPS.

However, note that the private key we obtained is in X.509 format and its file header is

-----BEGIN PRIVATE KEY-----

What many service providers require instead is a header like this

-----BEGIN RSA PRIVATE KEY-----

These are two different format specifications; the key can be converted with the openssl command.

openssl rsa -in privkey.pem -out out.pem
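What that openssl conversion actually changes, as an added example that is not part of the original post: "BEGIN PRIVATE KEY" is the PKCS#8 envelope (a version, an algorithm identifier and an OCTET STRING), and "BEGIN RSA PRIVATE KEY" is the bare PKCS#1 RSAPrivateKey carried inside that OCTET STRING, so the conversion only strips the wrapper and leaves the key material unchanged. The sample blob below is a constructed PKCS#8 shell around a dummy 5-byte body, not a usable key.

```python
# Added example, not the post's code: strip the PKCS#8 envelope the way
# `openssl rsa -in privkey.pem -out out.pem` does. Sample blob is constructed.
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("06072a8648ce3d0201")        # 1.2.840.10045.2.1 id-ecPublicKey


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pkcs8_to_pkcs1(pkcs8_pem: str) -> str:
    """Unwrap an RSA PKCS#8 key; refuse other key types instead of guessing."""
    tag, outer, _ = read_tlv(pem_to_der(pkcs8_pem), 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, _version, pos = read_tlv(outer, 0)       # INTEGER 0
    _, alg_id, pos = read_tlv(outer, pos)       # AlgorithmIdentifier SEQUENCE
    tag, inner, _ = read_tlv(outer, pos)        # OCTET STRING holding the raw key
    if alg_id.startswith(EC_OID):
        raise ValueError("EC key: convert with `openssl ec`, not `openssl rsa`")
    if not alg_id.startswith(RSA_OID) or tag != 0x04:
        raise ValueError("not an RSA PKCS#8 key")
    return der_to_pem(inner, "RSA PRIVATE KEY")


# Constructed PKCS#8 blob around a dummy 5-byte "RSAPrivateKey" (not a usable key).
INNER = bytes.fromhex("3003020100")
SAMPLE_PKCS8_PEM = der_to_pem(
    bytes.fromhex("3019020100300d") + RSA_OID + bytes.fromhex("05000405") + INNER,
    "PRIVATE KEY")
```

Newer certbot releases default to ECDSA keys; for those `openssl rsa` fails and the EC branch above applies. Either way the converted file is still the unencrypted private key and needs the same tight file permissions as privkey.pem.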

Nginx

Nginx can be used as a front-end load balancer for a Kubernetes cluster or as an Ingress Controller. Nginx certificate configuration is very simple and can be done automatically by certbot’s Nginx plug-in (using the --nginx parameter, see the documentation) if you are on a standalone server with direct external access. Complex scenarios can also be configured manually, mainly through the following items in the Nginx server block:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/<path-to>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<path-to>/privkey.pem;   # private key
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;   # key exchange parameters that strengthen security; if you don't know how to set them you can leave this out, see http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html

Of course, if you want HTTP to redirect to HTTPS automatically, add a server block for port 80.

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # automatic redirect
    server_name www.example.com;
    listen 80;
    return 404;
}

Traefik

Traefik is another Ingress Controller for Kubernetes, though not only for Kubernetes. Traefik is one of the simpler and faster open source edge routers of the container era.

What I like about it is that it is a natural fit for Kubernetes, easy to use and comes with a UI dashboard. Installing it in a Kubernetes cluster only takes a Helm chart, and it is configured with Ingress or CRDs, which is very container-native.

Traefik itself provides integration with Let’s Encrypt to automatically apply for and renew ordinary certificates. The Traefik container startup parameters plus a TLS resolver configuration are not complicated.

args:
  - ...
  - "--entryPoints.websecure.address=:443"   # the 443 entrypoint; already configured if you use the Helm chart
  - "--certificatesresolvers.default.acme.tlschallenge=true"   # use the ACME TLS challenge
  - "--certificatesresolvers.default.acme.email=<your-email>"   # contact e-mail
  - "--certificatesresolvers.default.acme.storage=/data/acme.json"   # storage file for the resolver; can be persisted

We then expose the service with IngressRoute, a CRD provided by Traefik that is more powerful than Ingress.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`your.example.com`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: default

The last line specifies that the certificate resolver is default; Traefik will automatically apply for and renew the certificate for us. A complete example can be found here.

But we applied for a wildcard certificate; how do we configure that?

The TLSStore CRD, available since Traefik 2.2, helps us manage wildcard certificates.

First, create a Secret to hold our certificate chain and private key.

apiVersion: v1
kind: Secret
metadata:
  name: domainsecret
stringData:
  tls.crt: |-
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  tls.key: |-
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

tls.crt is the content of fullchain.pem, and tls.key is the content of privkey.pem.

After creating the Secret, create a TLSStore object that references the Secret you just created.

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default
spec:
  defaultCertificate:
    secretName:  domainsecret

Finally, add the following to the tls section of the IngressRoute.

tls:
  store:
    name: default

All configured domain names will then automatically use the wildcard certificate, and future renewals only require updating the Secret.

References

  • Let’s Encrypt
  • DNS Providers
  • DNSViz
  • The certificate authority authorizes CAA
  • Certbot Instructions
  • Certbot docs manual
  • Certbot Nginx
  • Traefik
  • Traefik Helm Chart