
ACME integration

Complexity: Medium
Duration: 1-2 hours of setup
Prerequisite: Access to a DNS/HTTP challenge

Integration of the ACME protocol (RFC 8555) for automatic certificate renewal with Post-Quantum support.


Architecture

sequenceDiagram
    participant Client as ACME client
    participant CA as ACME CA
    participant DNS as DNS/HTTP server
    participant App as Application
    Client->>CA: 1. Create account
    Client->>CA: 2. Create order (CSR)
    CA->>Client: 3. Challenge (DNS-01/HTTP-01)
    Client->>DNS: 4. Fulfil challenge
    CA->>DNS: 5. Validate challenge
    CA->>Client: 6. Issue certificate
    Client->>App: 7. Deploy certificate
    Client->>App: 8. Reload service


Installing Certbot

# Debian/Ubuntu
apt update && apt install certbot python3-certbot-nginx

# RHEL/CentOS
dnf install certbot python3-certbot-nginx

# With a DNS plugin (Cloudflare)
apt install python3-certbot-dns-cloudflare

HTTP-01 challenge

For publicly reachable web servers:

# Nginx
certbot --nginx -d example.com -d www.example.com

# Apache
certbot --apache -d example.com -d www.example.com

# Standalone (port 80 must be free)
certbot certonly --standalone -d example.com

# Webroot (existing web server keeps running)
certbot certonly --webroot -w /var/www/html -d example.com

Auto-renewal cron:

# Enabled automatically when certbot is installed
# Manual check:
systemctl status certbot.timer

# Manual test of the renewal (no certificate is issued)
certbot renew --dry-run

DNS-01 challenge

For internal servers or wildcards:

Cloudflare

# /etc/letsencrypt/cloudflare.ini (API token scoped to DNS edit rights for the zone)
dns_cloudflare_api_token = YOUR_API_TOKEN

# Restrict the credentials file to root
chmod 600 /etc/letsencrypt/cloudflare.ini

certbot certonly \
    --dns-cloudflare \
    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
    -d example.com \
    -d "*.example.com"

Route53 (AWS)

# AWS credentials in ~/.aws/credentials
certbot certonly \
    --dns-route53 \
    -d example.com \
    -d "*.example.com"

Azure DNS

# With the certbot-dns-azure plugin
pip install certbot-dns-azure

certbot certonly \
    --authenticator dns-azure \
    --dns-azure-credentials /etc/letsencrypt/azure.ini \
    -d example.com

Deployment Hooks

Hooks run after a successful renewal.

Nginx Reload

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
systemctl reload nginx
echo "$(date): Nginx reloaded" >> /var/log/certbot-deploy.log

# Make the hook executable (certbot only runs executable files in this directory)
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Apache Reload

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh
systemctl reload apache2

Docker Container

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/docker-reload.sh
docker exec nginx nginx -s reload
# or
docker-compose restart nginx

Notification

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/post/notify.sh
# RENEWED_DOMAINS (space-separated) is the variable certbot exports to its
# deploy hooks; if it is empty in a post hook on your certbot version,
# move this script to renewal-hooks/deploy/ instead.
DOMAINS=$(echo "$RENEWED_DOMAINS" | tr ' ' '\n')
echo "Renewed: $DOMAINS" | mail -s "Certificate renewed" admin@example.com
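A deploy hook that does a little more than a blind reload, as an added example that is not part of the original page: it acts only when certbot invoked it (RENEWED_DOMAINS set), only when the renewed lineage contains a domain this host actually serves, checks that the renewed key and chain belong together, and tests the nginx configuration before reloading, so a bad renewal never takes the service down. The domain list, the log path and the use of openssl for the key/chain comparison are assumptions for this example.

```shell
#!/bin/bash
# Added example (not from the original page): a hardened deploy hook for
# /etc/letsencrypt/renewal-hooks/deploy/. Certbot exports RENEWED_DOMAINS
# (space-separated) and RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
set -u

# Return 0 if any domain of the renewed lineage is one this host serves.
# $1: the RENEWED_DOMAINS string; $2...: domains the service cares about (assumed list).
domain_renewed() {
    local renewed="$1"; shift
    local d want
    for want in "$@"; do
        for d in $renewed; do
            [ "$d" = "$want" ] && return 0
        done
    done
    return 1
}

# Verify that the deployed chain and key match before reloading; a mismatched
# pair makes nginx fail its config test or refuse to start. $1 = lineage dir.
key_matches_cert() {
    local dir="$1"
    local c k
    c=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Reload only if the configuration passes nginx -t; log either outcome.
reload_nginx() {
    local log=/var/log/certbot-deploy.log   # assumed log location
    local now
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
        echo "$now: nginx reloaded for ${RENEWED_DOMAINS}" >> "$log"
    else
        echo "$now: nginx config test FAILED, reload skipped" >> "$log"
        return 1
    fi
}

# Only act when invoked by certbot (the variables are unset otherwise) and
# only for the lineage(s) this server uses (example.com / www.example.com assumed).
if [ -n "${RENEWED_DOMAINS:-}" ] && domain_renewed "$RENEWED_DOMAINS" example.com www.example.com; then
    key_matches_cert "${RENEWED_LINEAGE:?}" && reload_nginx
fi
```

Install it under /etc/letsencrypt/renewal-hooks/deploy/ and mark it executable, as with the simpler hooks above; the log line tells you after the fact whether a renewal was actually rolled out or skipped because nginx -t failed.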

Private ACME CA (Step-CA)

For an internal PKI with ACME support:

# Install Step-CA
wget https://github.com/smallstep/certificates/releases/download/v0.25.0/step-ca_0.25.0_amd64.deb
dpkg -i step-ca_0.25.0_amd64.deb

# Initialise the CA
step ca init --name="Internal CA" --dns=ca.internal.example.com --address=:443

Adding the ACME provisioner:

step ca provisioner add acme --type ACME

Certbot with the private CA (the directory URL is /acme/<provisioner-name>/directory):

certbot certonly \
    --server https://ca.internal.example.com/acme/acme/directory \
    --standalone \
    -d internal-server.example.com

Post-Quantum note

Status 2024: the ACME protocol and Let's Encrypt do not yet support PQ signatures.

Hybrid strategy:

# 1. ACME certificate for the TLS handshake (ECDSA)
certbot certonly --nginx -d example.com

# 2. Additional PQ certificate for hybrid mode
# (issued in parallel by the own PKI with WvdS)

// C#: creating the hybrid certificate in parallel
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
var request = new CertificateRequest(
    "CN=example.com", ecdsa, HashAlgorithmName.SHA384);

// With a PQ extension for future-ready clients.
// Note: CryptoMode.Hybrid is not part of .NET's CreateSelfSigned (which takes only
// notBefore/notAfter); it belongs to the author's own PKI library referenced above.
var cert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddDays(90),
    CryptoMode.Hybrid);

Monitoring

# Certbot logs
tail -f /var/log/letsencrypt/letsencrypt.log

# Check certificate expiry
certbot certificates

# Prometheus exporter (cert-exporter)
# Tracks all certificates for expiry
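For hosts without a dedicated exporter, the expiry information is already in the output of certbot certificates: every lineage carries an "(VALID: N days)" or "(INVALID: EXPIRED)" annotation. The script below, an added example that is not part of the original page, turns that output into Prometheus textfile-collector metrics and a list of lineages at or below an alert threshold. The sample output embedded in the script is constructed so it runs offline; the metric name and the 14-day threshold are choices made for this example.

```shell
#!/bin/bash
# Added example (not from the original page): parse `certbot certificates`
# output into Prometheus metrics and an expiry alert list.
set -u

# Constructed sample of `certbot certificates` output (names, serials and
# dates are made up). In production pipe the real command into the functions.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Serial Number: 0123456789abcdef
    Key Type: ECDSA
    Domains: example.com www.example.com
    Expiry Date: 2025-06-10 12:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: internal-server.example.com
    Serial Number: fedcba9876543210
    Key Type: ECDSA
    Domains: internal-server.example.com
    Expiry Date: 2025-04-19 08:30:00+00:00 (VALID: 7 days)
    Certificate Path: /etc/letsencrypt/live/internal-server.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/internal-server.example.com/privkey.pem
  Certificate Name: old.example.com
    Serial Number: 00ff00ff00ff00ff
    Key Type: RSA
    Domains: old.example.com
    Expiry Date: 2025-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem'

# Read certbot output on stdin and emit "name days" per lineage.
# Lineages without a "VALID: N days" annotation (expired/invalid) get -1.
cert_days() {
    awk '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /VALID: [0-9]+ day/))
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
            print name, days
        }'
}

# Prometheus textfile-collector format; write the output to e.g.
# /var/lib/node_exporter/textfile_collector/certbot.prom from cron.
prom_metrics() {
    echo '# HELP certbot_cert_expiry_days Days until the certbot lineage expires (-1 = expired/invalid).'
    echo '# TYPE certbot_cert_expiry_days gauge'
    cert_days | awk '{ printf "certbot_cert_expiry_days{name=\"%s\"} %d\n", $1, $2 }'
}

# Names of lineages with <= $1 days left (expired ones included), one per line.
expiring_names() {
    cert_days | awk -v t="$1" '$2 <= t { print $1 }'
}

# Stand-alone demo on the constructed sample; with real data use:
#   certbot certificates | expiring_names 14
echo "$SAMPLE_OUTPUT" | prom_metrics
echo "--- lineages with 14 days or less:"
echo "$SAMPLE_OUTPUT" | expiring_names 14
```

Because certbot only renews lineages that are within 30 days of expiry, anything the 14-day query reports means renewal has been failing for a while and the certbot log from the commands above is the place to look.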

Troubleshooting

| Problem | Cause | Solution |
|---|---|---|
| Challenge failed | Port 80/443 blocked | Check the firewall |
| DNS propagation | DNS cache | Wait (up to 60 min) or lower the TTL |
| Rate limit exceeded | Too many requests | Use the staging server |
| unauthorized | Domain validation failed | Check the DNS records |

# Staging server for tests (not subject to the production rate limits)
certbot certonly --staging --nginx -d test.example.com

# Debug mode
certbot certonly --nginx -d example.com --debug

Checklist

| # | Checkpoint | Done |
|---|---|---|
| 1 | DNS/HTTP challenge configured | |
| 2 | Certbot installed and tested | |
| 3 | Auto-renewal enabled (timer) | |
| 4 | Deploy hook configured | |
| 5 | Monitoring set up | |
| 6 | Error notification | |



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional