Meetup #2 : le chiffrement - https://tinyurl.com/y5mg6s2q May 23, 2019 Mickael PALMA @ L’Argus

1. Free valid SSL certificate
For local development with Let’s Encrypt
Meetup #2 : le chiffrement - May 23, 2019 - Mickael PALMA @ L’Argus

2. whoami
• Mickael PALMA
mpalma@largus.fr
• Argus API CTO
• LinkedIn

3. Let’s Encrypt
• non-profit certificate authority
Internet Security Research Group
• Free X.509 certificates for TLS
• Easy SSL configuration
• Valid certificates for 90 days
• Automatic certificate renewal

4. Issued certificates
Inmillionissued
0
90
180
270
360
450
March8,2016
April21,2016
June3,2016
June22,2016
September9,2016
November27,2016
December12,2016
June28,2017
August6,2018
September14,2018
380
115
100
2420105421

5. ACME Protocol
• HTTP-01 challenge
• DNS-01 challenge
• TLS-SNI-01 challenge
Disabled in March 2019
• TLS-ALPN-01 challenge

6. • API v2
March 13, 2018
• incompatible with v1
• single domains - HTTP / DNS
example.com, www.example.com
• wildcard domains - DNS
*.example.com
Let’s Encrypt API
• API v1
April 12, 2016
• single domains - HTTP / DNS
example.com, www.example.com
• DEPRECATED

7. Certbot
• Let’s Encrypt “official” client
Python
• Most extensive client
HTTP → HTTPS redirects
OCSP stapling
HSTS
upgrade-insecure-requests

8. DEMO
File samples on Gist

9. Recipe
• Register a domain name (domain.me)
• Use Cloudflare as name server
• Point wildcards (*) to 127.0.0.1
• Get certificate with certbot
With Cloudflare plugin and DNS-01 challenge
• Configure your web server with it

10. Resources
• Let's Encrypt official website
• ACME challenges types
• Certbot / Github
Alternative acme.sh
• TLS-SNI-01 vulnerability
discovery story
• Gist

11. Mickael PALMA
“MERCI”