Security/Automation/Winter Of Security 2015/Certificate Automation tooling for Lets Encrypt
Team
Introduction
The team for this project is composed of the two Mozilla advisors J.C. Jones and Richard Barnes, Professor Martin Schmiedecker and the developer Klaus Krapfenbauer. Prof. Schmiedecker is a professor and researcher at the security institute SBA Research at the Vienna University of Technology. He is also the supervisor of the M.Sc. thesis of Mr. Krapfenbauer, a graduate student at the university. The project described here forms the practical part of that thesis.
Members
- Klaus Krapfenbauer (GitHub)
- Professor Martin Schmiedecker (former Mulazzani)
- Mozilla Advisors: J.C. Jones and Richard Barnes
Project
Description
Let's Encrypt is a certificate authority that aims to streamline the issuance and management of X.509 certificates, the authentication mechanism behind Transport Layer Security (TLS). Today, Let's Encrypt provides a tool to manipulate server configuration files to enable TLS. The aim of this project is to write a module or patch for a popular web server so that it natively speaks the ACME protocol for certificate management. For example, the team could produce an Apache module (mod_acme) to handle certificate issuance and renewal automatically, with the eventual goal of being included in Apache distributions by default.
Scope
The scope of this project is to demonstrate the utility of implementing ACME integrated within a common web server software package. To that end, a module for such a web server will be developed with roughly the following features:
- Extension of the configuration parameters for configuring retrieval of SSL/TLS certificates
- Automatic retrieval of SSL/TLS certificates from the Let's Encrypt CA using the ACME protocol
- Automatic renewal of soon-to-expire SSL/TLS certificates
Success Criteria
This project is successful if it can show a substantial improvement in usability, scalability, and/or reliability by making the chosen web server software package "ACME-aware". Metrics for these success criteria could be derived by comparing the time it takes for an administrator to renew domains against the official Let's Encrypt client, and/or against certificate management from a different certificate authority. Alternative metrics can also be proposed to similarly show, quantitatively, an improvement in some aspect of certificate management versus the official Let's Encrypt client.
The ultimate goal of all Let's Encrypt efforts is to take the work out of getting HTTPS, and thus that is this project's ultimate goal as well.
Updates
Week Ending 2015-11-27
- Reading and spoofing the SSL module's directives to use the certificates from our module
Week Ending 2015-11-20
- Restructuring the module hooks
Week Ending 2015-11-13
- Copying a locally available certificate into place for use by NginX's SSL module
Week Ending 2015-11-06
- Draft story for configuration parameters and where we store files
Week Ending 2015-10-30
- First ideas of the configuration directives and their structure
- Studied SSL module code base for providing the certificate to it
Week Ending 2015-10-23
- Compiling NginX and finding the right hooks needed for the module
- First version of the module that hooks in there and says "Hello, World!"
- Scheduled milestones and refined them
Week Ending 2015-10-16
- Rough project structure and time schedule
Week Ending 2015-10-09
- Read up on NginX module development
Week Ending 2015-10-02
- Registration and setup of:
  - IRC account at irc.mozilla.org
  - Bugzilla account
  - Access to the code repository (https://github.com/mozilla/mwos-letsencrypt-2015)
  - Wiki account
- Survey/research on which common web server to choose
- Agreement on the web server: NginX
Week Ending 2015-09-25
- Introduction of all team members
- Kick-off meeting
- Agreement on the project scope and success criteria
- Definition of the first tasks for starting the project setup