Security/Automation/Winter Of Security 2015/Certificate Automation tooling for Lets Encrypt

From MozillaWiki



The team for this project is composed of the two Mozilla advisors J.C. Jones and Richard Barnes, Professor Martin Schmiedecker and the developer Klaus Krapfenbauer. Prof. Schmiedecker is a professor and researcher at the security institute SBA Research at the Vienna University of Technology. He is also the supervisor of the M.Sc. thesis of Mr. Krapfenbauer, a graduate student at the university. The project described here forms the practical part of that thesis.




Let's Encrypt is a certificate authority that aims to streamline the issuance and management of X.509 Certificates, the authentication mechanism behind Transport Layer Security (TLS). Today, Let's Encrypt provides a tool to manipulate server configuration files to enable TLS. This project would be to write a module or patch for a popular web server such that it natively speaks the ACME protocol for Certificate Management. For example, the team could produce an Apache module (mod_acme) to handle certificate issuance and renewal automatically, with the eventual goal of being included in Apache distributions by default.


The scope of this project is to demonstrate the utility of implementing ACME integrated within a common web server software package. Therefore a module for such a web server will be developed which roughly features the following points:

  • Extension of the configuration parameters for configuring retrieval of SSL/TLS certificates
  • Automatic retrieval of SSL/TLS certificates from the Let's Encrypt CA using the ACME protocol
  • Automatic renewal of soon-to-expire SSL/TLS certificates

Success Criteria

This project is successful if it can show a substantial improvement in usability, scalability, and/or reliability by making the chosen web server software package "ACME-aware". Metrics for these success criteria could be derived by comparing the time it takes an administrator to renew domains with this module against the time it takes with the official Let's Encrypt client, and/or with certificate management from a different Certificate Authority. Alternative metrics can also be proposed to similarly show, quantitatively, an improvement in some aspect of certificate management versus the official Let's Encrypt client.

The ultimate goal of all Let's Encrypt efforts is to take the work out of getting HTTPS, and thus that is this project's ultimate goal as well.


Week Ending 2016-05-27

  • Drafting an outline for the blog post
  • Updating the module to the latest Nginx version 1.11.0

Weeks Ending 2016-05-05 - 2016-05-20

  • Implementing the ACME logic for domain authentication

Week Ending 2016-04-29

  • Finishing terms-of-service agreement
  • Implementing challenge solving with the mongoose library

Week Ending 2016-04-22

  • Implementing authorization for new cert and terms-of-service agreement
  • Implementing challenge solving with embedded web server for HTTP challenge

Week Ending 2016-04-15

  • Finding and evaluating new strategies of how to solve the HTTP challenge

Week Ending 2016-04-08

  • Struggling with challenge implementation concept
    • We are at too early a stage of nginx to listen for connections (our routines run while parsing the config, before the web server starts to listen)

Weeks Ending 2016-03-18 - 2016-04-01

  • Implementation of JWS signature
  • Finishing logic for replay protection
  • Challenge implementation
    • Looking for synchronization techniques for getting the HTTP challenge response

Week Ending 2016-03-11

  • Finishing JWS implementation
    • Struggling with the replay nonce
  • Finishing registration of new account on the ACME server

Week Ending 2016-03-04

  • Still implementing JWS for signing the requests
  • Looking for strategies on how to implement the HTTP challenge

Week Ending 2016-02-26

  • Implementation of JWS for signing the requests
  • Implementation of JWK for saving the account key

Another two-week break due to illness of Klaus Krapfenbauer

Week Ending 2016-02-05

  • Parsing JSON response data from the ACME server with Jansson
  • Plans for further project milestones
  • Implementation of data structs and logic for the ACME protocol

Long break due to illness of Klaus Krapfenbauer

Week Ending 2016-01-08

  • Retrieving the ACME directory JSON string using the cURL library (NginX internal methods didn't work for me :( )

Week Ending 2015-12-18

  • Polishing the key pair generation and some general restructuring
  • Formatting the keys and meta information in JSON for account registration with ACME
  • Updated source to NginX version 1.9.9

Week Ending 2015-12-11

  • Getting into ACME for directory retrieval

Week Ending 2015-12-04

  • Key pair generation with the OpenSSL library

Week Ending 2015-11-27

  • Reading and spoofing the SSL module's directives to use the certificates from our module

Week Ending 2015-11-20

  • Restructuring the module hooks

Week Ending 2015-11-13

  • Copying locally available certificate in place for use by NginX's SSL module

Week Ending 2015-11-06

  • Draft story for configuration parameters and where we store files

Week Ending 2015-10-30

  • First ideas of the configuration directives and their structure
  • Studied SSL module code base for providing the certificate to it

Week Ending 2015-10-23

  • Compiling NginX and finding the right hooks needed for the module
  • First version of module that hooks there and says "Hello, World!"
  • Scheduled milestones and refined them

Week Ending 2015-10-16

  • Rough project structure and time schedule

Week Ending 2015-10-09

  • Read up on NginX module development

Week Ending 2015-10-02

  • Registration and setup of
  • Survey/research on which common web server to choose
  • Agreement on the web server: NginX

Week Ending 2015-09-25

  • Introduction of all team members
  • Kick-off meeting
  • Agreement on the project scope and success criteria
  • Definition of the first tasks for starting the project setup