ACME: Implementation

Captions
Good morning everybody and welcome back to Next Door NetAdmin. This is part three of our ACME deep dive. Part one, we looked at PKI basics: what a certificate is and a little bit about how the math works between a public and private key pair. Second week, we looked at a little bit more of the ACME protocol itself, how the validations actually work, whether you're doing it through HTTP or through DNS. This week is the big one: we're looking at implementation.

I mentioned before that I have three tools that I typically use. I'm going to mention all of them and I'm going to cover where I use them, generally speaking, but I'm not going to go into depth on all three of them. I'm going to go into depth on one of them, and from what we've discussed previously, and having a look at how we go on to configure the one that we're going to go in depth on, it should give you a pretty solid foundation for working with the other two.

So what are these tools? Let's get that out of the way. The tools that I have preferentially used are dehydrated, acme.sh and win-acme (it had a previous name, but win-acme is what it's got right now).

dehydrated is a shell script, written in bash shell script specifically, which means that this is very much meant for Linux systems. dehydrated has the capability to work with a bunch of different usage scenarios. The thing that I typically use it for is where I just need it to work with a web server specifically. dehydrated has a way of being able to accept the token validation values and just put them in the file system as the web server serves that out, so it's very simple to use in that case. If you're going to use it for other challenges such as DNS, then you need to write a hook script, or use a hook script that somebody else has written, that can do the interfacing for you, and that tends to get a little more complicated. So I use it for what it's best at: I just need a simple shell script that will interface with a web server. Boom, dehydrated, done and dusted. It's easy.

Another tool I use is acme.sh. acme.sh is what I will use on the Linux side of things, or BSD. It comes built into OPNsense, for example, so it's an excellent choice to use there. But in Linux or a *nix environment, acme.sh is what I'll use if I need something a little more complex, like working with DNS validations, and I'll use this because it has a lot of DNS providers built in. It has support for those providers already built in, so I don't have to write or find the correct extension to do that; it's already there. I will say something that always trips me up with using acme.sh, however, is that if you're using just the program itself, it defaults to using ZeroSSL as the certificate authority. This is not a problem; I just have the desire to use a consistent certificate authority of Let's Encrypt, which is what I use on everything. So when I use acme.sh I want it to use the same thing. You can do that, it's just not the default, and I always forget that, and I always wind up with a certificate from ZeroSSL and go, oh, that's not what I wanted, I have to go fix this. But that's my only gripe, and it's a minor one; it's really, really minor.

win-acme is the one that we're going to go in depth on, because that is what I use on Windows servers exclusively, and that's the one where I expect a lot of people will find it quite useful, at least in the Windows world. In the Linux world you've already got other tools, and lots of tools that can be used to work with ACME certificates, and usually, if you're not somebody who comes to me telling me there's no such thing as an ACME account, usually people who are using Linux are a little bit more up to speed on the details of what they're doing. But I'm generalizing. So we're going to go into depth on the Windows side of things, and I'm going to show you how to get win-acme, what you need to use win-acme, how to configure win-acme both for HTTP validations and for DNS validations, and discuss some of the things that you can do with it. So let's get started.

All right then, so here we are on a wonderful little server. This is actually one of my development servers that I use for various reasons, and it already has win-acme set up on it, but that's not the point of this particular video. So let's start by taking a look at the win-acme website, win-acme.com. Very simple; it even says it's simple right there. It's got a lot of features, it's got some sponsors. Most of what you're going to be looking for, if you need help with figuring out various parts of it, is going to be under Manual and Reference. There's useful bits of information on both of those pages, so I recommend that you give both of them a thorough read if you want to do something that is slightly more out of the ordinary than what we're going to go through today.

If you go to Download, there's a recommended version, there's a larger download with plug-in support, there's other builds, release notes, older versions. I will usually just go to Release Notes, because that actually takes us to the GitHub page for the project, and under Assets, if you show all, you'll notice that in addition to the various versions of win-acme itself there's also a lot of plugins for various stores and validations. These are all DNS validation plugins. This is what is really useful to me in the Windows world: I can grab a plugin for GoDaddy DNS, let's say, and it'll just integrate cleanly.

Now, what are the differences between these particular releases? Most of the time I'm going to get an x64 release. If I want web server support only, I'll go for the trimmed version. If I need something that can take one of these plugins and work with that, I'll go for the pluggable version. You'll notice there is a difference between these two; that's the only difference there is, that this one has the capability to automatically detect and extend itself with plugins. So in that case I would use the pluggable version, but know that you can use the trimmed version if you're just looking to get web server support.

This is what it looks like when you open the zip file. There's a Scripts directory which has a bunch of scripts that are already provided for your use; your mileage may vary. I never use any of these. If I need a script, and we'll cover that in a little bit, I'll generally speaking write it myself. There's a default settings file, there's a version, there's the application itself. This all looks fine. That being said, I'll generally install this by just copying these files into C:\Program Files\win-acme. In this case, this particular version, if we take a look at the version, this is actually an older version, 2.1.2. Upgrading this is really, really simple, because all you really need to do is copy the files out of this zip and copy them over top of what you've already got in there. I'm not going to do that right this second, because I'd want to back up the directory and review settings and a bunch of other stuff that is not necessarily great content, because it's pretty tedious. But when you extract the files into your win-acme folder, the easiest thing to do is to get your settings_default, copy it to settings.json just on its own. There's a lot of initial settings in here that you can set up, and then I'll just typically drag it into Notepad. If you're using a current version of Notepad it will handle whatever line endings it has, and you'll just be able to get started without having to do any line ending conversions. Most of this is stuff that you don't need to touch; if you want to learn more about it, the information is there in the Reference on the win-acme website.

Most of the things I will change will be for the scheduled task. The start boundary by default is at 9:00 a.m. 9:00 a.m. is not necessarily a great time to be renewing certificates, I find, if only because there's going to be a momentary disruption to services when the certificate renews. It'll be very minor, but if that's going to happen I want that to happen sometime in the morning, so I'll usually do 2:00 a.m. Random delay: it may delay at random up to 4 hours. This creates a window so that we don't have everybody hitting the certificate servers at the top of an hour, for example. So with my start boundary at 2 in the morning, I know it's going to fire a renewal somewhere between 2 and 6:00 in the morning, which is still okay for what I'm doing.

Notification: you can set this up to send notification emails if something goes wrong. I highly recommend it. This is my development server, so I don't actually have that set up here, but this is where you can set up a reference to a local mail server, or you can have it send directly into Office 365 or another service using SMTP relay (hey, what do you know, I did a video on that already, cool), and there's a bunch of settings that you can use to configure that.

Security: this, as far as I recall, is not 2048 by default. I set it down to 2048, because that is considered solid enough for an SSL certificate at the current time, and I'll set the ECC curve; I'm pretty sure this is the 384-bit curve by default, and I set that down to 256, again because that's considered solid security at this point and I don't need anything more. Private key exportable: if you want to be able to export a certificate from the server, you'll want to set that to true. I generally don't, because if I need the certificate somewhere else I can just set this up on the other server and run it from there and get a new certificate issued. It's no biggie, it's no biggie whatsoever.

The rest of this: validation. When you're doing DNS validation it will use these servers to look up and make sure that the record is there. Newer versions have this set to system DNS, whatever this server has its local DNS server set up to. I usually set that to something public, just to make sure that we're referencing public records and not something that's been cached internally, because the CA is not going to have access to that internal cache. The rest of this I will pretty much leave as is.

Once you have your settings set up with that, then you can open a command prompt. I recommend running it as administrator. Go to your directory and you just run the executable. You can see that right now I'm using the trimmed version in here. The scheduled task looks healthy. I'll never actually create a certificate using default settings, because it makes some assumptions that I prefer to replace with my own choices, so I will go through the full options version, and that's also better for this video so that you can see all the options that are available.

You can get your domain names from reading bindings in IIS. I don't, because I want to manually specify that, so I'll do manual input. All right, here's a test domain that I already set up for a different project. Okay. Friendly name: this is how it will display the certificate in Windows if you're looking at it through the Certificates console or something else. This is not necessary to adjust, so here I'll just typically hit Enter to accept it. There we go. And then it wants to say, okay, how are you going to do this verification? And you can see it's actually listing HTTP-01 or DNS-01 or TLS-ALPN-01; these are your available validation methods. Because this is the trimmed version we don't have the ability to actually accept plugins, so for this I would usually use option number two, serve verification files from memory. This will harmoniously coexist with IIS, so that if you already have a web server running, win-acme will just kind of sidle into place with that and serve the verification files itself without you having to make any configuration changes to your web server, which is really nice and convenient.

It's going to ask if you want an elliptic curve certificate or an RSA certificate. I'll generally go with elliptic curve. The only thing I know of that really requires an RSA key is Exchange and some older firewall software that hasn't been updated to anything new.

Where do you want to store it? Well, there is such a thing as an IIS Central Certificate Store. There you can save it to a PEM file, which is a very typical format for Apache, nginx and some other Linux uses. A PFX archive is more of the Windows style of file. Or you can just install it into the Windows certificate store, which is usually good enough for what we want to do. And where do you want to store it? Do you want to store it in WebHosting, which is a dedicated store for your web server, or you can put it in My, which is the general computer store. There are some applications, like it's telling you, Exchange, Remote Desktop Services, that will not actually look at any other certificate store other than My, so it's something that you need to pay attention to and make sure you choose the correct store for what you're doing. In this case I'll put it into My. You can store it in multiple places, so once you've chosen one store you can choose another. I'm going to say no additional store steps, just 'cause I don't need anything else right now.

Once it's been stored, how do you want to install it? You can install it directly into IIS by using this create or update bindings. You can start an external script or program; this is what I would use if I want to take that certificate and I have to do something specific with it. For example, with Exchange I might have a script that runs Enable-ExchangeCertificate so that it adds the correct services to it through PowerShell. And you can do multiple installation steps, so for example if I do this, okay, I can put this on any of these particular websites. All right, I'll put that there. And I could also start an external script or program. This will be less useful for me, because I don't actually have a script set up, but the path to the script file: you could do something as simple as Scripts and then make it script.ps1, or you could do a .cmd or a .bat or whatever else you want. It's smart enough to tell me that doesn't actually exist. Yeah, my mistake, I'm sorry. But when you have a suitable script that you want to run, it will also ask you if there are any arguments that you want to supply. Arguments are variables that you can replace at runtime. For example, one of the common arguments I will often use is thumbprint; this is replaced by the thumbprint of the certificate that you're running. Again, if I'm using a script, for example, to enable Exchange services, it wants the thumbprint of the certificate that it's enabling, so that option is very useful there. In this case, though, I can't give it a zero, so I'll give it the script name of something else. I'll do this ImportExchange, just for fun. Am I going to do ImportExchange? Yeah, why not. I don't have Exchange on this server, so it'll probably throw a massive error, but hey, it's something that we get to see. My mistake, it says parameters, not arguments, but these are arguments to the script. So I'll just do thumbprint, because that's what I would normally do. Cool, no additional installation steps, but you could chain multiple scripts to it if you want it.

At this point it's going to try and authorize it using our HTTP-01 validation. The result is valid, cool. Then it's going to download the certificate, it's going to install it to the certificate store, great. It's updated; it knows that this is an FTP site, okay, fine. And then for the script, yeah, I know, this was not set up to be the way it should be, so we've got a bunch of errors, but okay, cool. We've created the certificate and we've gone ahead and requested it via HTTP-01 and we're good. Cool. All right, well now I'm going to quit that, clear the screen, and what I'm actually going to do now is store all of this in a wonderful little new "old" folder. Yeah, go ahead, move all of it, move all of it, keep moving all of it. You know what, I should just do this for all current items. There we go.

All right then, let's go and open up our zip file again, and I'll show you, because this is the pluggable version, I'll show you how we do this with GoDaddy as an example of using a plugin. Copy the new stuff in. Just like I said before, we'll want to actually copy this to settings.json, like so. Then I'll pop that open, shove it over here. See, random delay; the start boundary is not 9:00 a.m., not really what I want. DNS servers are system, and I'm going to, for this particular example, just set that to your standard Google public DNS. RSA key bits is 2048. The curve I want is 256. The options clearly have changed a little bit between the versions, but while they look a little different the intent is still the same, so you can always figure that out. Okay, that's what I want. Yes, I want you to save it as settings.json. Yes, I want to replace it. But I don't have the permissions to do so, because I didn't open this with admin rights. This is one of those things that occasionally you need to futz with as a system administrator: you have to open it with admin rights, and then you can't drag it, because you can't drag files from a non-elevated session to an elevated session. Okay, fine, open settings, there we go. Set that to 2048 again, set that back to 256, set this to 8.8.8.8. Wonderful.

And then we'll also want the correct plug-in, GoDaddy. Wonderful. The plugin comes as a pair of DLL files, and all you need to do is copy these into the same folder as where you have your version of win-acme set up (which, incidentally, WACS stands for Windows ACME Client Simple). Cool. "Too many posts were made to a semaphore": that's fascinating, I've never seen that before, but it works. Cool. Unblocking these is more of a beneficial thing than a requirement, but it helps to make sure that everything is taken care of the way it should be. So then if we go back here and run our new version: all right, this is now the pluggable release. Okay, cool. Scheduled task start time mismatch, because it doesn't match what we configured in settings previously; it exists but does not look healthy. Okay, fine, we're going to leave that at the moment, because again we're just doing this as a demonstration.

I'm going to do manual input again, and the host this time is going to be something like test2 with my test domain. There we go. Yeah, that's fine. You can do, in newer versions, separate certificates for each domain or each subdomain; you can do separate certificates for each IIS site. I will typically do a single certificate per order, because that works for me. And you can see that we've got a new verification method for creating verification records in GoDaddy DNS, which is being provided by our plug-in. Cool, let's do that.

All right, now it's asking you for a GoDaddy API key. Where do you go to get this? Well, if you go to developer.godaddy.com/keys, for this API Keys section you'll get API Key Management. There are two environments available here. OTE is the online test environment; this is a good thing to use if you're just testing API use, but you won't be able to get any live DNS records and therefore will not be able to request any certificates with it. Production is what you need when you're actually ready to do this for real. And you can see I've got a couple here: I've got a test one in the online test environment and I've got the regular one in production. We're going to go through and create a new API key. All righty, we've got a name here; I'm just going to call this "test ACME key", and I'm going to make it in production. This is very important: you can see the key in future; you cannot see the secret. This is the one and only time it will be shown. If you are not saving it (and you'll see an option as we go to save it in the vault for reuse), if you do not save this somewhere else, you will never be able to get it again. So it's very important that you save it, if necessary, in a place where you can get at it. I'm just going to paste this into the console. There we go. I'm not going to save it to the vault, because we're just doing this as a demonstration. Then you get the secret. All right, again I'm going to type this in. There we are. And I'm not going to save it to the vault.

I am going to choose an elliptic certificate again. I'm going to save this particular certificate to the Windows certificate store. I'm going to put this one in the WebHosting store, just because. No additional store steps, and this time I'm not even going to bother installing it anywhere, because again we're just doing a demo. All right, so now it's going to authorize this using DNS-01 validation. It's going to create the record. These are the validators that it's working with. It did not find any of the TXT records, because DNS sometimes takes a little bit of time to propagate, but it will retry in 30 seconds, and typically it does not take more than one or two retries for this to actually go through. There's your preliminary validation succeeded, authorized successfully, and then it deletes the record immediately thereafter. It's exactly what we want to see. Downloads the certificate, stores it; there was nothing to install, so that's done. And it's still prompting us: do you want to change your scheduled task? No, I don't; leave the settings as they are. Cool. All right, and it's just like that: it's done. The renewals are saved, they're all ready to go, and they'll just run via the scheduled task every however often you've defined it, at the time that you've defined it. And when you go here you hit Got It, cool, and you see the key is saved there, but there's no way to access the secret ever again. The only thing you can do is edit the key name, and that's it, or in this case delete it entirely. There it is. So that is win-acme, and then you can just hit Q to quit and you're all done. Wasn't that simple? Very simple indeed.

But there's actually one other thing I want to show you. If we go back here and go back to the main win-acme website, if you hit Support, the person who creates win-acme has a Patreon. He's from the Netherlands, and I have no idea how to pronounce this, so I'm not going to try, because I don't want to offend anybody. But there is a very low cost to supporting them, and I do recommend supporting it, because it's a fabulous application and it works very well. If you're using it in a commercial environment, you can also do full sponsorship on a monthly basis, which has the benefits listed. But if you're just using this on a personal basis or on a test basis or whatever, even, you know, $2, $3, $7.50 a month, that's practically the same price as a coffee at Starbucks, for crying out loud. It's not a big ask, and every little bit helps. It's something that I would recommend, because this is a fabulously valuable application to me anyway. But that's just my editorial opinion.

And there you have it. We have gone through most, if not all (not all, most) of how I would use win-acme in most cases, and for the most part I expect that this will hold you in good stead. So that wraps up our ACME deep dive. If you have any questions or comments, feel free to let me know in the comments down below and I'll address anything that comes up in next week's free form, because why not. So for now, thank you very much for watching. I am your Next Door NetAdmin; we'll see you next time.
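The Exchange post-install script the video describes (win-acme's "start external script or program" step with the thumbprint argument, running Enable-ExchangeCertificate) as an added example; this is not code from the video or from the win-acme project. It assumes win-acme is given `-Thumbprint {CertThumbprint}` as the script argument (`{CertThumbprint}` being win-acme's substitution token), that the certificate was stored in the My store as the video recommends for Exchange, and that the Exchange management snap-in is installed; the service list and log path are placeholders.

```powershell
# Added example, not part of the video or win-acme. Invoked by win-acme as:
#   Script:     C:\Program Files\win-acme\Scripts\ImportExchange.ps1
#   Arguments:  -Thumbprint {CertThumbprint}
# win-acme replaces {CertThumbprint} with the new certificate's thumbprint.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint: exactly 40 hex chars
    [string]$Thumbprint,

    # Placeholder: services to bind. Adjust to what this server actually hosts.
    [string[]]$Services = @('IIS', 'SMTP'),

    # Placeholder log location; the scheduled task runs unattended, so log everything.
    [string]$LogPath = "$env:ProgramData\win-acme\ImportExchange.log"
)

$ErrorActionPreference = 'Stop'

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# 1. Exchange and Remote Desktop Services only read LocalMachine\My, so refuse
#    to continue if the certificate did not land there.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    Write-Log "Certificate $Thumbprint not found in LocalMachine\My; nothing enabled."
    exit 1
}

# 2. Sanity checks before binding: a certificate without its private key, or one
#    already past NotAfter, would break the services rather than renew them.
if (-not $cert.HasPrivateKey) {
    Write-Log "Certificate $Thumbprint has no private key; nothing enabled."
    exit 1
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Log "Certificate $Thumbprint expired on $($cert.NotAfter); nothing enabled."
    exit 1
}

# 3. Load the Exchange cmdlets if the script is not already running in the
#    Exchange Management Shell (snap-in name is an assumption for this example).
if (-not (Get-Command Enable-ExchangeCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
}

# 4. Bind the services. -Force answers the "overwrite the default SMTP
#    certificate?" prompt, which would otherwise hang an unattended renewal.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($Services -join ',') -Force
Write-Log "Enabled $($Services -join ',') on $Thumbprint ($($cert.Subject), expires $($cert.NotAfter))."
exit 0
```

A non-zero exit code is what makes the failure visible in win-acme's output and in its notification email, so exit 1 on every check rather than letting the script fall through.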
Info
Channel: NextDoorNetAdmin
Views: 108
Id: dE1AQJvUtDs
Length: 32min 30sec (1950 seconds)
Published: Mon Apr 22 2024