Let’s Encrypt Proxy: How to SSL/TLS the world!
The author of this article, Romain, has been a security engineer/pentester at vpTech for two years.
His day-to-day job is to hunt for security issues and help the other teams fix them.
He also designs and implements solutions to improve the security level of vente-privee.
What is Let’s Encrypt?
As you can read on their website (https://letsencrypt.org/):
“Let’s Encrypt is a free, automated, and open Certificate Authority.”
In short, it is a free and automated way to generate trusted certificates to protect your secure connections, such as HTTPS, FTPS, LDAPS and so on.
Because it is free, it allows the average citizen to secure the connections to their website, not only companies with big budgets.
Because it is automated, it takes care of the moment you dread with classic certificates: the renewal, usually after 2 years, when you have to go over all your servers to replace the precious certificate. That painful experience is over. With Let’s Encrypt the process is automated, and every 60 to 90 days your servers update their certificates by themselves.
This project is sponsored by many IT players, such as Google, Mozilla, the EFF, Akamai, Facebook, Cisco, and so on.
Why use Let’s Encrypt in a Corporate environment?
The cost is a reason, of course, but not the most relevant one.
As mentioned in the previous section, it is painful to renew the certificates and update them on all the servers. Let’s Encrypt’s automation solves this problem.
Also, since Let’s Encrypt is free, you can shape your certificate policy differently. You are no longer required to make everything fit under the expensive wildcard certificate you just bought! You can split certificates by product or by application, even by server. This way, the impact of a certificate leak stays limited to that product, application or server.
Finally, the security reason: Let’s Encrypt improves your security because the certificates are split and because each certificate is valid for only 90 days.
How to use Let’s Encrypt in a Corporate environment?
When you are at home, using Let’s Encrypt is easy: you download the client, you run it, you get a certificate.
In a corporate environment, it can be a little trickier. For example, if a web application is hosted on a server cluster, the server requesting the certificate is not necessarily the server that receives the validation request from Let’s Encrypt.
We identified 2 ways to validate the challenge in such an environment.
The easy way is to redirect all the validation challenges to the server making the certificate requests, but sometimes the path changes and you must add the new path to the redirection pattern. This can break the automation and requires monitoring.
The best way is to change the challenge type from HTTP to DNS. For this, you need to be able to automate the creation and modification of a DNS record.
Why do I need a proxy?
As explained in the previous section, the best challenge type for Let’s Encrypt is the DNS one. But you do not want to give access to your DNS records to everyone.
This is where the proxy comes in. The proxy handles the exchanges with Let’s Encrypt and with the DNS servers.
This way, all the servers in the infrastructure have only one point of contact, and you do not need to allow them to talk to Let’s Encrypt over the Internet.
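To make the two challenge types and the proxy’s role concrete, here is an added Python example (it is not from the original article and not vpTech’s proxy code) that computes what each ACME challenge requires, following RFC 8555 and RFC 7638: the key authorization derived from the account key, the HTTP-01 path and body a web server must return, and the DNS-01 TXT record name and value that a proxy holding the DNS credentials would publish on behalf of any server. The account key and the token are constructed placeholders, and proxy_may_publish is a hypothetical allowlist check standing in for the permission validation such a proxy would enforce before touching a DNS zone.

```python
import base64
import hashlib
import hmac
import json

# Constructed ACME account key (JWK). The values are placeholders so the
# example runs offline; this is NOT a real key. Only the canonical JSON
# form is hashed below, so the members need not be valid RSA parameters.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-placeholder-modulus-not-a-real-key",
}

# Hypothetical policy table for the proxy: which requester may obtain
# records (and therefore certificates) for which domains.
ALLOWLIST = {
    "web-node-01": {"www.example.com", "shop.example.com"},
    "ldap-node-01": {"ldap.example.com"},
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys sorted lexicographically, no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint: binds the answer to the account that
    asked for the certificate, not to anyone who merely saw the token."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01: the CA fetches this path over plain HTTP and expects the
    key authorization as the body. On a cluster, the node that receives
    the request must redirect this path to the node holding the token."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01: publish base64url(SHA-256(key authorization)) as a TXT
    record on _acme-challenge.<domain>. No web server is involved, so one
    proxy holding the DNS credentials can answer for every host."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def dns01_valid(published_txt: str, token: str, jwk: dict) -> bool:
    """What the CA checks: the TXT value found in DNS equals the expected
    one. Constant-time compare to avoid leaking how many chars matched."""
    _, expected = dns01_record("ignored.example", token, jwk)
    return hmac.compare_digest(published_txt, expected)


def proxy_may_publish(requester: str, domain: str, allowlist: dict = ALLOWLIST) -> bool:
    """Hypothetical permission check the proxy runs before creating a
    record: a server may only trigger challenges for domains assigned to
    it, so a compromised node cannot obtain certificates for other names."""
    return domain in allowlist.get(requester, set())


if __name__ == "__main__":
    token = "constructed-token-from-the-CA"  # constructed sample value
    print(http01_response(token, ACCOUNT_JWK))
    name, value = dns01_record("www.example.com", token, ACCOUNT_JWK)
    print(name, "TXT", value)
    print("allowed:", proxy_may_publish("web-node-01", "www.example.com"))
    print("denied:", proxy_may_publish("web-node-01", "ldap.example.com"))
```

The TXT value is only a hash, so the proxy never has to hand the key authorization itself to the DNS side, and the requesting server never needs network access to Let’s Encrypt or to the DNS API. The redirect comment in http01_response is exactly the fragile piece the article describes: any change to that path must be mirrored in the redirection rule.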
First implementation (the easy one)
We wanted to start using Let’s Encrypt as fast as possible, so we created a first implementation of the concept, which has been in production since January.
In this implementation, the SRE (DevOps) makes a certificate request to the Security team.
Then, the security team generates the certificate and gives the SRE the credentials to retrieve it.
Finally, the SRE takes the renewal script provided for their kind of server. We already handle HAProxy, Apache, Nginx and Microsoft Lync.
The next step is a more automated implementation where SREs will be able to request a certificate through a GUI/API and, after a permission validation, get their certificate.
Author: Romain LÉONARD