Let's Encrypt Explained: Free SSL

Captions
Those of you who have set up secure web services with SSL know and understand the pain of dealing with SSL certificates. You have to order these certificates upfront and then have an entire team sit on a conference bridge to rotate these certificates to avoid accidental downtime. And it's not rotating on just one server, but sometimes it's many servers across your entire organization, which scales the level of pain when dealing with these certificates. So what if we could set up a secure HTTP web server and have it automatically obtain its own browser-trusted certificate without any human intervention, automated, for free?

Well, how does it work? Web servers are usually hosted behind a domain. For Let's Encrypt to work, we have to prove that we own the domain. This step is called domain validation. On Google Domains I have this domain that I own. Now if I click on my domain and I go to DNS and I scroll down, you can see it's currently pointing to an IP address, so you can see I pointed my DNS to my web server using an A record. Now you can use a CNAME; you can point it to an Azure load balancer, an Amazon EC2 instance or Google Kubernetes; you can even point it to a Kubernetes ingress controller. It doesn't really matter; you can even point it to your WordPress website that you're hosting at home.

To validate your domain, Let's Encrypt identifies us using a public key. It asks us to complete a set of challenges. We would run a utility on our web server to prove that we own the server, since the domain points to it. Let's Encrypt will ask us to place a file on the web server at a given path. By adding the file to the server we're proving that we are the server admin, and we verify this by signing a nonce. Let's Encrypt will make a web request to get the file and make sure it has the expected content, and will verify the signature on the provided nonce. Once the challenges are complete and verified by the CA, our utility, which is identified by the key pair, is authorized to do certificate management on our domain.

So let's see what it takes to issue secure certificates using Let's Encrypt. If we take a look at my GitHub repo, I have a security folder, and under that I have a letsencrypt folder with an introduction folder. In here I have a README, and this lists out all the steps that I'm going to show you guys today. This will help us build a fundamental understanding about how certificate issuing works using Let's Encrypt, and then in a future video we can take this knowledge and provision certificates on something like a Kubernetes ingress controller. So be sure to check out the links to the source code down below so you can follow along.

So let's get a simple HTTP web server running on port 80. To do that I'm going to say docker run, I'm going to expose port 80, and I'm going to run nginx as my web server. That'll start up a container with nginx. In a separate terminal I need the public IP address that points to this web server, so I'm just going to say curl ifconfig.com. We can see we have an IP address here for the web server, and if we open up the browser we can access that IP address. We can see we have an insecure nginx web server running on port 80.

So you can see it's very simple to get a server up and running using a Docker container and access it over the internet. So now we have a web server, it has an IP address, so let's go ahead and point our DNS to this IP address. If I go back to Google Domains, click on my domain, go to DNS and scroll down to custom records, I can go to my nginx server, grab the IP address, edit this record, paste the IP address in the box, and save that. This will take some time to complete, but after that our DNS will be pointing to that IP. After some time DNS gets updated, and we can now see that if we ping the domain it resolves to our new IP address. This time if we access our server we can see we can access it over the DNS record, but it's still insecure.

The next step is to start the domain validation process. For this we need that Let's Encrypt utility. The utility is called certbot. Certbot is the tool that automates the Let's Encrypt challenge process, certificate issuing and the renewal process. We simply have to run certbot behind our domain to prove that we own it. Certbot will request the certificate challenge from Let's Encrypt; Let's Encrypt will ask us to place a file behind the domain over a path somewhere; Let's Encrypt will issue a nonce; certbot will generate the file and sign the nonce; it'll let the CA know we're done, and the certificate will be issued to certbot.

So with certbot, the best place to start is the documentation. Certbot has really awesome documentation with really clear instructions on how to get certbot running anywhere, on any system. It has really clear instructions on how to install certbot, how to get a certificate and how to renew the certificate. Now although my example web server is running nginx, in this demo I'm going to select "none of the above". This is because as part of this demo I want to show you how to issue a certificate that you can use almost anywhere, not just nginx. So we'll take a look at the installation process, and since most of you probably already have a web server, we'll take a look at how to issue a certificate with an existing web server that's running.

So let's see what it takes to have certbot issue certificates. To do that, what I'm going to do is install certbot using a Docker container. I'm going to change directory into the security/letsencrypt/introduction folder, and in here I have a Dockerfile. You can see this very simple Debian container that I use to install certbot. To build this I'm going to say docker build . -t and I'm going to tag it as certbot. This is going to go ahead and build a Debian container with certbot that we can run to issue certificates for our web server. Now I have all the instructions listed here, so to run this container it's very simple: I just say docker run -it --rm, I give the name certbot, and I mount two very important folders into the container.

Now the first one is very simple. Because we're running certbot and our web server in a container, we need some common folder that can be shared between the two containers. So I'm just mounting a shared folder called /letsencrypt. This is a common folder that both our nginx web server and certbot can access. What this letsencrypt folder is used for is basically just the challenges for Let's Encrypt. As part of domain validation, Let's Encrypt will ask us to place some files on our web server; our certbot will spit out the files to this letsencrypt folder, and our web server will be able to serve these files up. Now also remember, in a production environment you may have many web servers running, not just one, and they may be running behind a load balancer. So you don't want every single web server instance to be generating a certificate. The best practice is to have one certbot and then have a shared volume, so you can just serve the files up to Let's Encrypt, and then you can either manually copy the generated certificates, or you can have another shared volume where you can share these certificates with your web servers. The key here is that we want one certbot instance to generate the certificate and then either copy or distribute them using a volume to each of our web server instances.

The next volume is very simple. We're going to be mounting a local folder called certs; you can see it on the left here, I have a placeholder for that folder, and we're going to mount it to /etc/letsencrypt. This is the folder that Let's Encrypt uses to store all its data as well as the certificates that it generates, so we're going to want to persist this folder as well. Every time certbot does certificate renewal it will keep updating this folder, so it's critical to make a backup of this folder or have it persisted somewhere using something like a Docker volume, an NFS share or a persistent volume in Kubernetes. So to run my certbot container I'm going to copy this command and paste it in the terminal, and to test if it's working I can just say certbot, and we can see certbot is installed.

Now certbot is ready to issue certificates. The first thing certbot will do is start the Let's Encrypt challenge process. Let's Encrypt will ask certbot to serve a file on a path. Since we're running certbot in a separate container, we've already shared a common folder where certbot can dump the files, and our web server will have access to that common folder as well, so it can serve the files to Let's Encrypt. Now for my web server that I'm running here, I have a stock standard nginx configuration file on the left side. At the moment this web server only serves an index.html file. Our web server does not know anything about Let's Encrypt and how to share any files with Let's Encrypt, so the first change we need to make is to tell our web server where to serve any challenge files that Let's Encrypt asks us to serve. This is what the path will look like when Let's Encrypt issues us the challenge, and what we will do is tell our web server to serve these files from our letsencrypt folder that we've mounted into the container. This is the folder that certbot will write the challenge files to; our web server will then easily be able to share that file and serve it up to Let's Encrypt. Now when the challenge request comes from Let's Encrypt, our web server will know where to serve the files from, so it does not matter how many instances we run behind a load balancer, since they will all share this common path. Certbot will write the requested challenge files here.

So now that we've modified our nginx configuration, I'm going to go ahead and run our web server again. I'm going to cd into our letsencrypt introduction folder and mount this nginx config into our nginx container. To run our nginx container I'm going to say docker run, I'm going to call the container nginx, I'm going to mount in our nginx configuration, and I'm also going to mount the two folders for our certbot. The first folder is the folder where certbot will write the challenge file, so nginx will serve these up to Let's Encrypt, and the second one is where we will finally get access to the SSL certificate. I'm also going to expose port 80, and since we're going to be enabling SSL, I'm going to also expose port 443. To run the container I copy this and paste it into the terminal. If I go back to the browser we can see our web server is now up and running, but it's still insecure.

So let's see what it takes to issue a certificate. To do that I'm going to hop back into my certbot container and I'm going to say certbot certonly --webroot. It's going to ask me for an email address; I can agree to the terms of service; I can opt out of the news. I then type in the domain we wish to issue a certificate for, and we can see it's starting to perform the challenge. Now it's looking for the webroot for the certificate; this is the folder where nginx will be serving the challenges from. Since we mounted the folder called letsencrypt, we have to tell certbot that we want to use the /letsencrypt folder as our webroot. When we do so it'll go ahead and push those files to that folder and start the verification process, and you can see here: congratulations, your certificate has been saved. The default location for storing certificates is under the /etc/letsencrypt folder. This is the folder that we mounted into certbot as well as nginx, so nginx, our web server, now has access to those SSL certificates. It stores these under a live folder with the name of the domain, and then you'll see a bunch of certificates in that folder. Because we've created a Docker mount, we can see those files have been created in the certs directory: we can see the live folder, we can see our domain folder, and all the certificates and private keys have been generated in this Docker volume. As I said before, it's very important to back up this folder or create some kind of persistent storage, like a network share or something that you can share with all your web servers. Now we don't have to copy these to our web server, since they all have this mounted in; our web server can just access it, even if they're running behind a load balancer.

So now that we have our SSL certificates issued, all we need to do is tell our web server to turn on SSL and tell it where that certificate is located. To do that I go to my nginx configuration file and I just create a new server block. In the server block I enable port 443, I tell it that I want ssl on, I give it a server name, and this is the domain name it's going to be expecting traffic on, and I pass in two certificate paths: one is to the fullchain.pem file and the other one is to the private key. Then I just have a copied location here to serve a static file. So this is how you enable SSL on nginx and use our Let's Encrypt certificate. To enable that now I'm just going to have to restart that container, mount in those certificates, and the container is running. If I go back to the browser and I use https in front of the URL, we can see now we have a secure web server running with a valid certificate. We can see that the certificate will expire in three months and it's issued by Let's Encrypt.

So the general idea is to have certbot, with its own storage, monitor its local certificate. This can be done with a cron job: when we run the certificate renew command at various intervals, it can automatically renew that certificate with Let's Encrypt. We can then either copy this manually to all our web servers or we can have some kind of shared volume to distribute the certificates. So to renew the certificate, all we need to do is run certbot renew, and we can see, because we've mounted in our certificate folder, certbot will see that the cert is not yet due for renewal. This allows us to put this stuff in a cron job and at various intervals we can run this, and when the certificate is due for renewal, certbot will go ahead and update the certificate in the local file system. We can also test this using a dry run, so we can say certbot renew --dry-run, and this will basically practice the process to make sure it's working. This will go ahead and issue the challenge, wait for verification, clean up the challenge and then pretend to issue a new certificate.

Now if your web server is running and there's a new SSL cert that's been generated, you may have to go and tell your web server to reload that certificate. Nginx has a graceful reload command, and I can execute that using docker exec. If I run that, that'll send a signal through to our container to tell nginx to reload its configuration, so it'll pick up the new certificates automatically. Now this highly depends on your setup and what sort of web server you're running. There are various plugins for Let's Encrypt as well that'll automatically do this rotation for you, depending on the web server that you're running. You can also use your existing automation: if you have something like SSH commands that you can run on your various servers, or you have other automation tools, you can use that as well. And if you're running your applications in Kubernetes, you might want to update your cron job to store this SSL certificate inside of a Kubernetes secret and then have a mechanism to restart those pods gracefully. Some ingress controllers also have the capability to automatically pick up certificates when they are updated inside of Kubernetes secrets.

So I hope this video helped you guys understand the fundamentals of Let's Encrypt and certbot, and how to automate the process of issuing and renewing certificates for your web servers. Now if you liked the video, be sure to like and subscribe, as I'll take a deeper dive on how to use Let's Encrypt on services like ingress controllers on Kubernetes. Let me know down in the comments what sort of videos you'd like me to cover in the future, and also check the link down below to the community server if you want to join the community. If you want to support the channel even further, be sure to check out the join button down below to become a member. As always, thanks for watching, and until next time, peace.
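An nginx configuration covering the two changes the video walks through (serving the HTTP-01 challenge files from the shared volume, then enabling TLS with the issued certificate), written here as an added example rather than the repo's own file. It assumes the challenge webroot is mounted at /letsencrypt and certbot's data folder at /etc/letsencrypt in the nginx container, uses example.com as a placeholder domain, uses `listen 443 ssl` in place of the older `ssl on` directive mentioned in the video, and goes one step beyond the video by redirecting all other plain-HTTP traffic to HTTPS.

```nginx
# Added example (not the video's own config). Assumptions: the shared challenge
# folder is mounted at /letsencrypt in both the certbot and nginx containers,
# certbot's data folder is mounted at /etc/letsencrypt, and example.com is a
# placeholder for your own domain.

server {
    listen 80;
    server_name example.com;

    # HTTP-01 challenge: "certbot certonly --webroot -w /letsencrypt" writes the
    # token file to /letsencrypt/.well-known/acme-challenge/<token>. With
    # "root /letsencrypt" nginx maps that URI onto the shared volume, so every
    # instance behind a load balancer can answer the CA's validation request.
    location /.well-known/acme-challenge/ {
        root /letsencrypt;
        default_type text/plain;
    }

    # Everything else on port 80 is redirected to HTTPS (goes beyond the video,
    # which left the plain-HTTP server block serving index.html).
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on" directive.
    listen 443 ssl;
    server_name example.com;

    # Certificate chain and private key that certbot writes under the live
    # folder named after the domain; renewals overwrite these in place.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only current TLS versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

After a renewal writes new files, the graceful reload from the video (`docker exec nginx nginx -s reload`) makes this configuration pick them up without dropping connections.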
Info
Channel: That DevOps Guy
Views: 67,241
Id: jrR_WfgmWEw
Length: 15min 3sec (903 seconds)
Published: Sun Oct 25 2020