Centralized Let's Encrypt Certificate management

Dan Langille
Talk description:

Let's Encrypt is a popular and free certificate authority (CA), and many end-user clients exist. Most seem to be designed to run on the webserver in question. What if you're not running a webserver? What if you don't want to maintain N instances of a client? What if you want to centrally manage all of your certificates in a secure manner?

This talk describes how to create a centrally managed certificate service. It is specific to the Let's Encrypt acme.sh client, but the strategy can be applied to any CA and any client.

The solution automates the renewal of certificates and relies upon a small shell script for downloading new certs from a webserver. All components are lightweight and commonly used tools. The shell scripts are easily configured and understood, and are meant to run from cron jobs for unattended updates.

Distribution of keys is not automated and occurs out of band.
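The client side described above (a small cron-driven script that pulls a renewed certificate from the central webserver, while the private key has already arrived out of band) could look like the following. This is an added illustration, not the script from the talk; the URL, directory, key file name and reload command are placeholders, and the download and key-match steps assume curl and openssl are installed.

```shell
#!/bin/sh
# Added example, not the talk's own script: fetch a renewed certificate from the
# central web server and install it only when it differs from the installed copy.
# CERT_URL, CERT_DIR, KEY_FILE and RELOAD_CMD are placeholders for this host.

CERT_URL="${CERT_URL:-https://certs.example.org/www.example.org/fullchain.pem}"  # placeholder
CERT_DIR="${CERT_DIR:-/usr/local/etc/ssl}"                                     # placeholder
KEY_FILE="${KEY_FILE:-$CERT_DIR/www.example.org.key}"                          # placeholder, distributed out of band
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"                               # placeholder

# install_if_changed NEW DEST
# Returns 0 and replaces DEST with NEW when the contents differ (or DEST is absent),
# returns 1 when the installed copy is already identical. The new file is written
# beside DEST and renamed into place, so a reader never sees a half-written cert.
install_if_changed() {
    new=$1; dest=$2
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        return 1
    fi
    tmp="$dest.tmp.$$"
    cp "$new" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"
}

# cert_matches_key CERT KEY
# Refuse to install a certificate whose public key does not belong to the private
# key already on this host: the two travel by different paths and can drift.
cert_matches_key() {
    cert=$1; key=$2
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]
}

# fetch_and_install: the cron entry point. Download, verify, install, and reload
# the service only when something actually changed.
fetch_and_install() {
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    # -f makes HTTP errors fail the run instead of installing an error page as a cert
    curl -fsS -o "$tmp" "$CERT_URL" || { echo "download of $CERT_URL failed" >&2; return 1; }
    cert_matches_key "$tmp" "$KEY_FILE" || { echo "fetched cert does not match $KEY_FILE" >&2; return 1; }
    if install_if_changed "$tmp" "$CERT_DIR/www.example.org.pem"; then
        # word-splitting of RELOAD_CMD is intended: it is a command line
        $RELOAD_CMD
    fi
}
```

A cron line such as `17 4 * * * /usr/local/sbin/fetch-cert.sh` (path is a placeholder) calling `fetch_and_install` gives unattended updates; because the reload runs only on change, a daily fetch costs nothing when the certificate has not been renewed.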

The solution proves domain control via dns-01 challenges and uses nsupdate to add the challenge TXT records on a hidden master. The DNS changes are then propagated to the public servers, where Let's Encrypt can validate the certificate request.
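The dns-01 step above, shown as an added example rather than the talk's own tooling: a helper that emits the nsupdate batch for publishing or removing the `_acme-challenge` TXT record on the hidden master, and a helper that waits until every public nameserver serves the record before the CA is asked to validate. The hidden master address, TSIG key path and public nameserver list are placeholders; acme.sh's own `--dns dns_nsupdate` hook does the same update, this script only makes the exchange visible.

```shell
#!/bin/sh
# Added example, not part of the talk: build and apply the nsupdate batch for a
# dns-01 challenge, then confirm it is visible on the public servers.
# HIDDEN_MASTER, TSIG_KEY and PUBLIC_NS are placeholders.

HIDDEN_MASTER="${HIDDEN_MASTER:-192.0.2.53}"                      # placeholder: hidden master
TSIG_KEY="${TSIG_KEY:-/usr/local/etc/namedb/acme-update.key}"     # placeholder: TSIG key, mode 0600
PUBLIC_NS="${PUBLIC_NS:-ns1.example.org ns2.example.org}"         # placeholder: public servers

# build_nsupdate_batch add|del ZONE HOST VALUE
# Prints the nsupdate batch on stdout. HOST is the name being validated, VALUE the
# challenge token value that the ACME client hands to its DNS hook.
build_nsupdate_batch() {
    action=$1; zone=$2; host=$3; value=$4
    case "$action" in
        add|del) ;;
        *) echo "usage: build_nsupdate_batch add|del zone host value" >&2; return 2 ;;
    esac
    printf 'server %s\n' "$HIDDEN_MASTER"
    printf 'zone %s\n' "$zone"
    if [ "$action" = add ]; then
        # short TTL: the record is throwaway and should age out of caches quickly
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$host" "$value"
    else
        # remove every TXT at the name once validation is done
        printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    fi
    printf 'send\n'
}

# apply_challenge add|del ZONE HOST VALUE
# Signs the batch with the TSIG key, which should be scoped to this zone and to
# TXT records only (an update-policy on the master), so a stolen key cannot
# rewrite A or MX records.
apply_challenge() {
    build_nsupdate_batch "$@" | nsupdate -k "$TSIG_KEY"
}

# wait_for_txt HOST VALUE [MAX_SECONDS]
# Polls every public nameserver directly (not a recursive resolver) until all of
# them return the expected TXT value, so the CA's lookup will not race propagation.
wait_for_txt() {
    host=$1; value=$2; max=${3:-120}; waited=0
    while [ "$waited" -lt "$max" ]; do
        ok=1
        for ns in $PUBLIC_NS; do
            dig +short @"$ns" "_acme-challenge.$host" TXT | grep -qxF "\"$value\"" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        sleep 5
        waited=$((waited + 5))
    done
    echo "challenge for $host not visible on all of: $PUBLIC_NS after ${max}s" >&2
    return 1
}

# Stand-alone demonstration with a constructed token value: show the batch only.
build_nsupdate_batch add example.org www.example.org "constructed-token-value"
```

In the real flow the hook calls `apply_challenge add`, then `wait_for_txt`, lets the client ask Let's Encrypt to validate, and finishes with `apply_challenge del`; because only the hidden master accepts the signed update and the public servers receive it through normal zone transfer, the public-facing servers never need an update key at all.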

Each step of the process is designed to minimize attack vectors and reduce exposure should a break-in occur.

The talk is designed for those who run their own websites or mail servers, are familiar with setting up a webserver, and already know how to install a new certificate.

Dan Langille works as a sysadmin for a well-known big company. He has been contributing to open source since 1998, and is active in several projects. He particularly likes updating his blogs so that the next time he has the same problem, he can read about how he fixed it.