Let’s Encrypt ACME on Alibaba Cloud — Part 1

Is This Article Series for Me?

Let’s Encrypt is a popular topic, and a lot of information about it is already available online. This article series is still useful if you want to:

  1. Learn how to use and benefit from Let’s Encrypt, and how to use the ACME v2 API.
  2. Create an automated client for Alibaba Cloud API Gateway and Alibaba Cloud CDN that requests, validates, issues, and installs an SSL certificate without multiple manual steps.
  3. Develop an inexpensive solution for protecting numerous cloud services, since purchasing an SSL certificate for each service quickly gets expensive.
  4. Set up SSL for services quickly, unlike the time-consuming process of obtaining conventional commercial certificates.

What Is an SSL Certificate?

An SSL Certificate binds together:

  1. A domain name, server name or hostname.
  2. An organizational identity, such as company name and location.

What Is Let’s Encrypt?

According to Wikipedia, Let’s Encrypt is a certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the hitherto complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. It launched on April 12, 2016.

What Is a Certificate Authority (CA)?

Certificate authorities (CAs) are entities that cryptographically sign SSL certificates to vouch for their authenticity. Browsers and operating systems have a list of trusted CAs that they use to verify site certificates.

Types of SSL Certificates

There are many types of SSL certificates, but the three most common types are Domain Validated (DV), Organization Validated (OV), and Extended Validated (EV).

  1. Domain Validated (CABF OID 2.23.140.1.2.1) — The most common type and verified using only the domain name.
  2. Organization Validated (CABF OID 2.23.140.1.2.2) — Requires more validation compared with DV because the organization’s name is attached to the certificate.
  3. Extended Validated (CABF OID 2.23.140.1.1) — Requires the most effort by the CA to validate, providing the maximum amount of trust to visitors (shows up as a green bar on your web browser).
  4. Miscellaneous types such as Self Signed, Individual Validated, Test, Code Signing, etc.

What Is ACME?

ACME stands for Automatic Certificate Management Environment. ACME is a communications protocol that lets a client interface with a CA (Certificate Authority) to manage SSL certificates (issue, renew, and revoke).

ACME API Python Examples

This article series will show how to use each ACME API with small, easy to understand Python programs. We will also show you how to use the Alibaba Cloud APIs for automating DNS record changes and installing an SSL certificate into the Alibaba Cloud services (API Gateway and CDN) so that you have a custom domain name for each service protected with SSL.

The examples use the following Python packages:

  1. cryptography version 2.2.2 (March 27, 2018)
  2. pyOpenSSL version 18.0.0 (May 16, 2018)
  3. requests version 2.19.1 (June 14, 2018)

They were written for the following software on Windows:

  1. Python version 3.6.5 for Windows (March 28, 2018)
  2. OpenSSL version 1.1.0h for Windows (March 27, 2018): https://slproweb.com/products/Win32OpenSSL.html

To get started:

  1. Create a working directory on your system.
  2. Download the package above.
  3. Unzip the package into your working directory.
  4. Create your Let’s Encrypt Account Key: python make_account_key.py
  5. Display your account information: python get_account-info.py
  6. Read the article series and study the example source code.

Summary

Once you have created your Account Key, Certificate Key and CSR, you have everything you need to request an SSL certificate through Let’s Encrypt. Before Let’s Encrypt issues a certificate, it must validate your certificate request (called an order in Let’s Encrypt terminology) by confirming that you control the domain name, via either an HTTP validation file or a DNS TXT record. The examples in this article series only support DNS validation, because most cloud services, such as API Gateway, do not support HTTP file-based validation.
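As an added example (not one of the article's own scripts, nor the downloadable package), this Python code builds the three artifacts the summary names with the cryptography package: an RSA account key and its public JWK, a certificate key and a CSR carrying the domains as DNS SANs, plus the RFC 7638 thumbprint and the DNS-01 TXT value derived from it. The domain names and challenge token are constructed placeholders, and default_backend() is passed so the code also runs on the 2.2.2 release listed above.

```python
import base64
import hashlib
import json

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_rsa_key(bits=2048):
    """Generate an RSA key; the same routine serves as account key and certificate key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits,
                                    backend=default_backend())

def b64url(data):
    """JWS base64url (RFC 7515): URL-safe alphabet with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def account_jwk(key):
    """Public JWK of the account key, the form the ACME newAccount request carries."""
    nums = key.public_key().public_numbers()
    ib = lambda n: n.to_bytes((n.bit_length() + 7) // 8, "big")  # minimal big-endian
    return {"e": b64url(ib(nums.e)), "kty": "RSA", "n": b64url(ib(nums.n))}

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the JWK members sorted, with no whitespace."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())

def dns01_txt_value(token, thumbprint):
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = "{}.{}".format(token, thumbprint).encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())

def make_csr(cert_key, domains):
    """CSR with the first name as CN and every name as a DNS SAN, signed by the cert key."""
    san = x509.SubjectAlternativeName([x509.DNSName(d) for d in domains])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domains[0])]))
            .add_extension(san, critical=False)
            .sign(cert_key, hashes.SHA256(), default_backend()))

def csr_dns_names(csr):
    """DNS names the CSR requests; the ACME order must cover exactly these identifiers."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.DNSName)
```

The TXT value must be published before the challenge is triggered; the key authorization itself (token plus thumbprint) is never placed in DNS, only its hash.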

Alibaba Cloud