 Okay. Hello everybody. I'm Yerk. This is my Twitter handle, if you want to follow me. What I'm doing, I'm working as a technical lead at a digital agency, CARDS, a pretty awesome shop. And one of my responsibilities is handling SSL certificates. We work with a lot of clients, a lot of custom domains. Usually one of the requirements is SSL these days. And so we have to order SSL certificates for these guys. It's quite a lot. So usually when that comes up, my face starts looking like this because getting an SSL certificate the traditional way is a pretty much pain in the ass exercise. You have to generate your RSA key. You have to generate a CSR certificate signing request. You have to log into some certificate authorities, terrible web interface like, I don't know, using global sign that looks a bit like the 90s are calling. You have to fill out there like really, really weird forms. Pay a lot of money. Usually it's like 30 euros, 40 euros. Correct me if I'm wrong. For wildcards it gets even more. It's really like talking about hundreds partially. Then if you happen to work for a company like mine where your CTO is in another country, you have to wait for that guy to wake up, give you the OTPs for that visa card transaction you just did because you had that guy in France. It's a French card. You have to verify that domain. That's the worst part. Try to verify a certificate for a wildcard domain. That's a really pain in the ass because you actually, they ask you to put a file on some domain. It's just that domain isn't the one that has an air record. You have to come up with something. Last time I tried that. It took me like an afternoon just to figure out a way to verify the domain. Once you have that done, you finally get that email, your certificate has been issued. You have to upload that. In the worst case, you have to manually set up the certificate chain. All in all, it's a really, really time consuming process. It takes an hour at least, an hour of working time. That's every year. These certificates usually, they need to be renewed. I have every month at least two or three renewals coming up. That sucks. I'm not the only one to recognize that. Somebody came up with this. It's called Let's Encrypt. The website, Let's Encrypt.org, they are basically a free, automated and open certificate authority. It comes from, not just anybody, it's from Mozilla. Akamai Cisco put themselves together, Facebook, Chrome, on board. If you check their website, they have a really impressive number of logos of big internet names that are behind them and backing that. This is really something that is definitely going to be big. The organization behind it calls themselves ISRG, Internet Security Research Group. It's a California-based non-profit. It's a really registered non-profit organization. Their mission is to basically reduce technological and financial barriers. That's what I'm just talking about. To what's secure internet communication or in other ways just let's encrypt all the things without any hassle. Yeah, that's pretty awesome. What does it do? How does it work? It still does all that stuff. It still does the keys and CSRs and the domain verification and getting that certificate. The only difference is it's automated. That's the first difference. That's what makes us happy and it's free. That's what makes your boss happy. So yeah, let's try a quick demo. Since I have no other domains I can safely use, I'm going to use my own which luckily doesn't have anything on it. I'm going to use, you don't see that. I'll have to go out of full screen and give you my terminal. This way. So what I'm going to use is basically my own, that's, where are you? Hello. I think it just terminated the session. So I'm going to use another one. So I'm going to use an EC2 instance which I just created for this particular purpose. So don't try to do anything nasty because it's going to disappear very soon. So what I'm going to do here, the first thing you have to do is you have to get there, client software, which apparently, which apparently there are supposed to be binaries for this client, but they're not available for every OS. So so far what you have to do is, where am I? Okay, don't do that at home. Don't do it as usually. I'm just doing it for presentation. What you have to do is you have to clone digital repo which contains the client. This is, okay, I'm going to talk about the client stuff later. It's essentially the whole thing is an open thing. That's an open protocol. So this is essentially just a reference implementation. Technically, everybody could build a client and people did build other clients. So but for now, let's just do the absolute manual way. Yeah, the whole thing is written in Python. That means usually you have to install a lot of shit to get it running, to make that life also a bit easier. They created something called, let's include auto, which essentially just makes sure that you get all the dependencies and all the Python stuff. Where is it? Now it goes ahead and stores all that stuff on your system. I guess you can just, if you're suspicious, you can guess just like the script, make sure it doesn't do anything nasty. Hope this is going to, this isn't going to take forever. Okay, let's see if I have that. I think. No, it's not. Shit. Okay. Even though I think it should be local. Yeah, here it is. Okay, it's not there. Okay, I have to do it. Sorry. Okay, so let's go. Okay, that's nasty. Apparently Amazon Linux isn't very well supported, but yet, I did it on Ubuntu, it worked fine. It didn't have that warning. But it basically just says it, please enable, please set up the debug flag. And it works. So I tried it in my experiment. It worked very well. There was no problem. But there's this warning. So I guess you shouldn't use it in production on Amazon Linux yet. But who's using Amazon Linux? Just deploy Ubuntu and you're fine. I'm not exactly sure why it takes so long. Thanks Microsoft for the fast Wi-Fi. It's actually, it's running on it. Yeah, actually, it should be fast. It was a lot faster this morning. Question? So this, this let's encrypt. You say it's a consortium of a couple of different companies. Yeah. I thought I saw Mozilla there. So does that mean Firefox browser would automatically recognize these? I'm gonna talk about that in a minute about browser support, client support. That's obviously something I asked myself. That's why I'm having this talk. I want to share that what I found out. I did use Sudo. I'm rude. Okay, let's just, it might just be working. Let's just give it a try. What it does is essentially it installs. So what let's encrypt auto does it just let's installs let's encrypt itself into this directory until you're actually in your home directory dot local. So you can just root dot local share. I guess you can also install it somewhere else. I guess there should be some binary package for you boom boom and major distros at some point been and according to the website there are just not for this. Let's just try to call you help. Yeah, it doesn't. That's Murphy's law at its best. It did work perfectly and it's the same box. I don't get it. I guess that's why they say it's not supported on Amazon Linux. Let me just go back. Okay, it works. Apparently you shouldn't be rude while you're installing it. But okay. So what we want to do I have on this machine I have engine X running. So let's just get is it running? That's running. So okay. Why? That's the problem with HTTPS redirects right now. I'm I can't open the page because it forces it works if I just go into the mode. Okay, so this is just engine X with its default start page running. You see there's no SSL here. So it's super, super unsecure and all that awesome stuff I'm gonna do on that website isn't gonna be encrypted for users. So now I want to change that. So the way I go about is to just why I have this stuff. No, it's it's okay. I'm just thinking. Here we go. So what we do is let's encrypt. So this whole thing is designed to be basically plug-in base. So they have a plug-in for Apache, but essentially takes care of everything. It configures your web server, installs the certificate, restarts the web server, etc. etc. I think the one for engine X I haven't checked if it exists. I want to show it to you manually. So basically that plug-in or command they call that cert only. So that's essentially that we'll just download the certificate and I can just do whatever I want with that. What it needs to do though is have to verify the domain automatically. So if you ever ordered SSL certificate that usually goes there are usually two ways to do that. Set up some DNS record or you put some file or some header into some file on your server and then try to that CA will basically try to get that file and check if that information is correct. What you ultimately need to do is you need to prove that you are the one who controls the server you want to get that certificate for. So what this one needs to do is it needs to be, I think it was web root, check there was. Does anybody agree that the window management on OS 6 is just bad? Okay I think it's called web root. So what would be, essentially we just go home. I think I have to, now I have to be root because I can't run that on, I cannot write into this directory. Now I'm giving it the folder, share nginx html. This is where I want to, this is the root directory for my web server, this is where the content is. I have to give them the domain, in this case it's mydomain.me and I can actually have multiple domains in one certificate. It doesn't do wildcards but it does multiple domains and that's usually something you want to do if you want to have both the regular one and the WWW1. I hope this is Python, Python, Python. Actually yeah, don't use the Let's Encrypt Auto actually just use that binary it installs into your local root then it doesn't do all this weird dependency management stuff. Okay let's try that the other way. So this is the actual binary and that's gonna be a lot easier. So now that's where we can get our SSL certificate. That's first thing it does, it's gonna ask us for an email address for, if you ever want to drop me a message use this email address. You don't have to enter it actually you can do it without email address. It's still gonna give you a certificate it's just in terms of any kind of recovery stuff you can't do it. What it does it does create an account on DCI's server so that account is basically per domain or per server base. It doesn't really have any personalized information with it which is good thing it's also a bad thing in some way. I have some terms of service which I'm not gonna read as usual and what happened? Okay that didn't happen. It's probably, yeah maybe the domain is just not mapped let's just try to get rid of this. I think there is no A record for WWW1. Still again? No no no here you go. Congratulations your certificate has been saved that so now it tells you where these certificates are. We can have a look at that. So let's just go LS, ATC, Let's Encrypt Live. And then you have okay you have your certificate. This is the full train certificate. Normally it's not only your actual certificate you also need to add some intermediate CAs for that to be resolved properly and my private key. So yeah okay this is this is the stuff we actually use. So now okay except for all this slightly confusing stuff I had but normally you just really need to do this the last command and within a minute or so you get your certificate so that's the part that normally takes an hour to do and requires visa card payments. Okay let's just quickly set up ATC, EngineX, EngineX.con. So what's the way how do we set up a server? I could use some help learning Vim if anybody's interested. So what else do we have to do? We have to. Okay I did prepare this just for. Okay put in your SSL certificates. Okay that should do. Just test the config. Does everything work? Everything works. EngineX. EngineX is so much easier to work with than Apache but there is no it's the different dash s reload signal reload. Okay that should be it. Here we go this is the certificate. Yeah that's actually Chrome already knows this Let's Encrypt Authority. I'm gonna talk about the authorities in a minute. What you can do does everybody know how to verify SSL certificates. There is this pretty cool website SSL Labs which basically runs a bunch of tests against any SSL certificate domain and checks if the certificate checks out, if the cypher's check out, if the certificate chain that's the most important part the certificate chain must be intact in one piece. So that's gonna take a while but I can guess it's gonna be an A. It's gonna be a great SSL. So it's actually really something that works. It's not just like something a bit better than a Southside certificate that thing is actually accepted as a proper certificate. Yeah unfortunately this takes a while so maybe we can check it out later. I'm gonna continue with the presentation. Let's just go on here. So this was the demo. I guess I leave it up to everybody. So far this domain is still available on HTTP, right? It doesn't do any forced redirect but that's a trivial exercise to do for everybody. So how does it this actually how does all that magic actually work? It's described on their website. There's also a pretty detailed document which is under IETF stewardship that exactly describes that protocol. This is finally called ECME protocol. If anybody knows what ECME means in relation to that coyote then you had a pretty awesome childhood. Yeah it basically specifies that process how that works. So how does your client and that CA server interact and what kind of challenge does the CA server give to the client? Like how does that file look like? That kind of stuff is described there. So that basically means everybody can write a client and also everybody can write a CA which is even more important. It's not this particular organization controlling everything. You can just basically roll your own CA. So it's all clean and open and nice. If you don't want to read that long document which is I didn't read it, it looks pretty boring you can check out this one. It's less technical. It's still technical but it's less. It's easier to digest. Your server is identified by some private key which is generated on the client so it's not sent to them. Every communication, the actual certificate request is signed with that key pair so it's actually verified that way. Yeah and then again the CA basically issues these challenges that kind of stuff you have to do manually so far you do that automatically. The other DNS record which is usually not working because you don't have access to the DNS but that file on the server. You can also revoke certificates that way. You can also renew. That's probably the most... Actually that's the second most. Maybe it's in the most important aspect to it. Renewals work automatically as well because these certificates are usually valid for a year. So what you have to do is at some point you have to issue let's encrypt.renew. Since this is still kind of unsupported you have to give the debug flag and you have to do a dry run. Okay that gives a couple of... What's wrong here? No, that's actually... Yeah you have to accept that. This email is just a warning but you have to accept the TOS. Which you do via this flag. I think I have some... Agree? Was it agree? Okay. So it's agree... TOS. So now it's talking the challenge stuff things. So now everything has renewed. So it basically let's encrypt. It has this ETC let's encrypt directory right. This is where it stores all the stuff and it knows exactly what domains are managed on that server. So you just have to do that thing once and it's going to renew everything. So their recommendation is to set that up as a con job. Like daily or weekly or monthly or something. I'm not sure if you get an email. I haven't just started using it. So I have no certificates that are expiring. But let's see if there's something coming at some point next year. Yeah. Okay that's so much for how it works. Some pitfalls something I went into. It actually puts that file on your server and it puts it in the directory which is dot. Basically it tries to get this file dot well known. Now some smart people put that rule into the NGNX which is a pretty good idea to not serve dot files. Denies access to dot files. So if you have that rule in place in your NGNX config that's not going to work. So you have to take it out at least temporarily. But yeah you have to... Well actually at least you have to build some exception for this particular path. Because for the renewal you also need that stuff. So it needs to stay in place. Obviously also that user you're using needs to have access. So I had access to the web server root directory. I'm giving a really bad example by using the root user for simplicity but usually you want to have something more sophisticated as a setup. What about these certificates themselves? That's the question that came. They are issued by SCA which calls itself ISRG root x1. They have some intermediaries. That one is the actual one. Everything assigned with this one. This one is kind of a disaster recovery CA. Obviously since this whole thing is pretty new most browsers don't have that installed yet. Usually you have some kind of trust store. Windows has it. Linux has it. Where all the known CA's are. Root CA's are. So since this isn't widely known yet they use something like this certificate CA by Eden Trust which is essentially about online payment stuff. So they're not really a CA that sells certificate. They sell other stuff and they cross-sign these certificates. So they kind of get widely known. Because this DST root CA x3 is really widely supported by most browsers clients. Something else. These two things I haven't had the time to really check them out but apparently you can actually search your certificate here and the status so you could actually check if it's been revoked for some reason or if it's sometimes stuff gets issued to hackers and then they revoked the certificate so you can check it if you really want to be safe. In terms of clients there is some post on their community site what is supported and what isn't. So essentially everything Android since 2.3. So something Firefox since version 2. Windows to later versions. I think Internet Explorer Chrome they basically use the trust store of Windows. They don't use their own trust stores. Safari since version 4. iOS since version 3. Debian Ubuntu. I also checked out CentOS myself. It seems to work. It doesn't work with Java. What a surprise. They applied for some kind of Oracle root CA process. So things are working slowly in Java and apparently so it's gonna. I think if you do that on your server you can still manually import that root CA. So for enterprise applications there's always a way to solve that but it doesn't come out of the box. Even though Android is a different story. Android does support it. Older Android versions anything less than 2.3.5 if anybody's still using that. Windows XP if anybody's still using that out of luck. But if you use Windows XP then security's obviously not your main primary concern. Blackberry apparently also not. I did some quick tests with Node.js and PHP. I think they're both using the underlying operating system. So it's essentially the platform. Yeah that's something that is to keep in mind. There are some rate limits. This is not something like free tier and premium tier. This is really just stuff that they use since the whole thing is still kind of maturing and the infrastructure isn't in place. So you can only do five certificates per domain per week which is totally okay because normally you need one certificate per domain per year. It's just if you test and play around with stuff you should probably use this test sort flag and staging flag to make sure that you don't hit their production service. These rate limits are not on the staging server. They're just on the production systems. There are others registrations per IP 500 per three hours so this is I don't know which kind of company would ever hit that limit. It's very unlikely. There's no limit on the total number of certificates anybody can have. You can just have as many as you want. Okay. There are pretty nice integrations. There is Apache has something. I haven't tried it yet because I'm not using Apache anymore. These days KD server is pretty awesome if you never heard of it. It's new. It's written in Go. It's a... I can just throw you the website because we're getting pretty late. I don't want to give you another demo. It's basically it's one binary. You download that thing. Put something called a KD file into directory and say KD and then it fires up the web server and serves your website. There's no... It's the fastest way to get a running web server. It's really awesome. Check it out. What it also can do it fully manages the SSL process. You start it up if your website is not local host. If you run it locally, it doesn't work. But if it has a server name, if it's running on port 80, if it's not explicitly restricted to port 80. A couple of things you have to keep in mind. But if all these conditions match, it's going to get this SSL certificate as it boots. So if a server comes up, gets a certificate and then you have an SSL certificate running on your website within one minute. It's just really cool stuff. I mean, let's just... Okay, I've got to show you. Let's just stop NGINX because it's going to block the port. I think it's just stop. Are we still there? Okay, it's... No, let's... Shit. Okay, I guess it's... Okay, let's just... Okay, NGINX is stopped. Is that... Fine. Where did I put that? I did demo. Okay, I can't show you. Sorry. It's going to take too long. But, yeah, check it. It's really, really cool. There's also some express middleware, apparently, that handles that as well. So you don't even have to handle this engineering stuff. Why should I use it? Apparently, obviously, it's less work once you figured it out. It's free, so your boss is also going to be really happy. It's encrypted, so everything is safe. It's automated. So, therefore, people will also be happy because they can integrate that into their deployment management processes. It has some limitations, though. One thing is really important. It's only domain validated. So, obviously, since that is automated, nobody's going to verify the identity of the guy who ordered that certificate. It's only really just saying, that guy owns the server. So you can still do your PayPal service, evilhackers.net stuff, and get a valid SSL certificate for that, and your users will think, yeah, awesome, this is safe because it's green. But it's not. It's just some hacker that got that certificate. But then again, you can also do that already as a hacker. Nothing's going to stop you from doing it. Let's encrypt yes or no. So, yeah. Last thing. Any questions for that so far? Let's just stick with that. Thank you. Just don't make a good message. There's no encryption for it. No, no, no. I mean, it's encrypted. But normally, if you have an SSL certificate, it does a lot of things right. Like this one is going to tell me that first-year connection is encrypted. But it also tells me who's encrypted it. Who's owning the server. So it's essentially just saying, this is Google. While my certificate, it's just saying some, it's just saying something like domain-validated, and that's it. So the ownership of the certificate, that's the point here. Encryption is to. Sorry? No, no, no. Encryption is fine. It's just somebody else. It's if you open your browser and you see PayPal in the address bar. And usually on banking sites, for instance, if I go like, let's just use a local bank. Let's just use my local bank. I hope that's encrypted at some point. Yeah, here. It says DVS Bank. So it's verified that this site is owned by that company, which is DVS. So somebody actually had to manually verify that the certificate is actually issued to this bank. And now, if I go to let's encrypt, they can't do that. They're just going to verify that I controlled the main, and all the traffic between the website and the server is encrypted. And it goes to the right server. But it doesn't tell you that it's... It's the cheapest thing which you may need to have a certificate. Sorry? It's basically like getting, right now, getting the cheapest certificate for like a fiber, which basically shows that we can keep the block and that's it. Essentially, it gives you an encryption key, private, public key pair and stuff so you can do the encryption. And it verifies that that certificate is owned by the server and nothing else. This is the lowest level of privacy you can get. And this is perfectly okay for most cases. It's just if you do online banking or e-commerce, you might want to go a step further. Because then you want to tell your users that you're actually PayPal or DBS or whoever you want to be. So in terms of pure technical encryption safety, it's as safe as any other encryption level. So it's obviously compromisable at some point, but it's as safe as it can get. Just the trust between the user and you isn't the highest level you can get. So this is one important limitation to know about this stuff. This is why GlobalSign and how they call, they're not going to go out of business anytime soon because they still have to do this. What about Windows XP, any of the browser? Firefox probably, Firefox has its own, I never tried. Internet Explorer, most likely not. It's also the next problem is that Windows XP doesn't support all the cipher suits. So even the encryption level required for modern secure communication isn't supported by Windows XP anymore. So pre-SP free, don't even try to encrypt because it's just useless. With SP free, it gets a bit better, but still, just don't use XP, that's the lesson. I think, necessarily just between the browser and the server, why operating system is playing more? Because of the certificate chain, you basically, you get a certificate, that certificate is backed by another certificate and by another certificate. Ultimately, you have some root authority that finally says some big, well-known player that says, okay, this certificate was issued to this guy and I did that, so I verify it. And these root certificates need to be installed on your machine, on the client. And some clients just don't have these root certificates. You can manually install them. Always, you can also, if you use Linux and you can just note the correct folder, I don't know exactly which one it is, but they are all there, ETC, SSL, whatever. And so, if the root certificate is not in that folder, the certificate will not be accepted. And so, this list I just gave you is basically the default setup. You can always modify that. Even though, again, XP is just an operating system level, it doesn't support the necessary level of encryption. So even if you have the root certificate on XP, it's still not going to give you secure communication. But for everything else, I think it should be just installable. Okay. And most, I have, why is it, not the browser, usually use the existing CAs installed in the operating system so they don't use their own list of certificates or CAs. They just use whatever is available on the host system. Even though I think for Firefox, it might be different, I'm not sure. I think Firefox has its own list. So Firefox could be working independently of OS. There's no new version of Firefox coming out from Windows XP anyways. Yeah, why would they? Okay, last thing. If you're looking for a job, it happened to be in Chennai. Or if you know anybody in Chennai, we're hiring. If you know these guys, commitstrip, that guy's my boss, pretty cool guy. So if you're looking for a job or know anybody looking for a job, be looking for PHP, JavaScript, full stack, frontend, all that kind of stuff. And please come to FOSSAsia. It's in two weeks, three days full of talks, open technology, web technology, hardware, Internet of Things, a lot of people, big people, big open source guys, contributors. And over to the website, we have a discount code, WheelofPHP. You get 20% discount for a ticket. Okay, that's it. Thanks and sorry for the long talk.