Vault + LetsEncrypt what is the best practice?


Yaroslav Molochko

Feb 15, 2018, 8:08:34 AM
to Vault
We use lego for LetsEncrypt certificate generation. This is cumbersome, because you need to renew every 90 days. You need to securely deliver certificates, and there are a lot of chicken-and-egg problems for us.
Vault has a PKI engine, with certificate renewal etc. Do you think it is worth trying to implement a LetsEncrypt plugin for Vault, or does that not make any sense, and we should stick to plain secrets and automate certificate renewal outside of Vault, meaning use Vault as just secret storage, but not for secret (in our case SSL certificate) lifecycle management?

Jeff Mitchell

Feb 15, 2018, 8:18:15 AM
to Vault
Hi Yaroslav,

LE and Vault are complementary, not at odds; LE is designed to prove identity on the public Internet to get certs, and Vault is designed to use other mechanisms of policy and authorization to allow machines within intranets to get certs.

There are some specific real-world ramifications for this: LE does not have flexibility in terms of certificate lifecycle, whereas Vault will allow you to issue certs for 1 second or 1 millennium (and much of what people use Vault's PKI for is automated, short-lived certificates for machines). LE's root certs are cross-signed by other CAs and are accepted by normal browsers and crypto stacks; certs issued by Vault will in almost all cases require you to distribute your CA cert as well. LE has a few methods of proving identity; Vault can allow anyone that can get a token via any method to be given access to get certs with a very flexible set of controls.

Best,
Jeff


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/393b1b43-850a-4875-b12b-2530fc5f2271%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yaroslav Molochko

Feb 15, 2018, 8:29:05 AM
to Vault
Thank you for the explanation. I understand the difference between both solutions. We need LetsEncrypt for public-facing certificates without distributing our CA certificates, as well as private certificates for our internal infrastructure. That is the reason I'm considering implementing some plugin which, instead of creating a certificate, would do an API call to LetsEncrypt to get one, and then do all the lifecycle on its own, using the same LetsEncrypt API.

Do you believe that is something Vault community would like to see and will be merged mainline, or that will be a waste of time? 



Jeff Mitchell

Feb 15, 2018, 8:52:40 AM
to Vault
Hi Yaroslav,

I honestly don't have a conception of what a Vault LE plugin would look like or what the workflows would be, so I couldn't say. Even if such a plugin weren't merged, you don't need code in Vault mainline to use it... That's why we now have a plugin system :-)

Best,
Jeff


Ho-Sheng Hsiao

Dec 4, 2018, 8:45:51 PM
to Vault

A letsencrypt bot (without Vault) has to do the following:

  - Manage a list of certs 
  - Trigger ACME protocol for new certs
  - Trigger ACME protocol for renewals
  - The protocol can involve HTTP-01, TLS-ALPN-01, or DNS-01 (the latter being required for wildcards)
  - Because Letsencrypt certs are issued for 90 days, there needs to be a periodic or on-demand renewal for those certs. Due to rate limiting, the certs themselves need to be checked for expiration. Many sites are set to renew within about 30 days of expiry.

Depending upon the ACME client, these files are often stored right on the disk in a normal file, protected by filesystem permissions, and otherwise not encrypted. When it comes time to distribute these certs, that becomes an issue. 

Vault is a natural fit for managing access to these certs and distributing them to apps that make use of them. I think that is why people ask about a letsencrypt plugin that someone can mount and have it securely store and distribute certs. It is certainly why I am looking for one. The reason I don't always want to use the PKI engine is that I'm trying to generate a cert that doesn't also require me to distribute the CA cert as well.

I have seen several external tools that were written to store the certs in Vault. They are kind of janky because they usually don't fetch the certs to check if they need to be renewed.

One possibility for a plugin is not to implement the entire ACME protocol, but rather, an interface for uploading certs and being able to get information about the cert without having to access the entire cert. (Mainly, the expiration info; or even getting a list of certs that will expire within X would help). I think though, some people would prefer an ACME protocol plugin so that there is less chance for the private keys to be leaked out somewhere.

Ho-Sheng Hsiao
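One way to build the "upload a cert, query its expiry without reading the whole cert" interface Ho-Sheng describes, as an added example in Go (it is not code from this thread, from Vault, or from lego). The `Inventory` type, its method names, the 30-day window and the self-signed sample certificates are all constructed for this illustration; a real Vault plugin would back the map with plugin storage and make the window configurable.

```go
package main

// Added example: a certificate inventory that answers expiry questions from
// parsed metadata, so a renewal job only re-issues certs that are close to
// expiry (respecting LE rate limits) and never needs the private key.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertInfo is the metadata exposed instead of the full certificate.
type CertInfo struct {
	Name     string
	DNSNames []string
	NotAfter time.Time
}

// Inventory stores parsed certificates by name (hypothetical type).
type Inventory struct {
	certs map[string]*x509.Certificate
}

func NewInventory() *Inventory {
	return &Inventory{certs: make(map[string]*x509.Certificate)}
}

// Upload parses the first CERTIFICATE block in pemBytes and stores it under name.
func (inv *Inventory) Upload(name string, pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse %s: %w", name, err)
	}
	inv.certs[name] = cert
	return nil
}

// Info returns only the expiry metadata for one stored cert.
func (inv *Inventory) Info(name string) (CertInfo, error) {
	cert, ok := inv.certs[name]
	if !ok {
		return CertInfo{}, fmt.Errorf("unknown cert %q", name)
	}
	return CertInfo{Name: name, DNSNames: cert.DNSNames, NotAfter: cert.NotAfter}, nil
}

// ExpiringWithin lists the names of certs whose NotAfter falls before
// now+window, soonest first: the "certs that will expire within X" call.
func (inv *Inventory) ExpiringWithin(now time.Time, window time.Duration) []string {
	cutoff := now.Add(window)
	var due []string
	for name, cert := range inv.certs {
		if cert.NotAfter.Before(cutoff) {
			due = append(due, name)
		}
	}
	sort.Slice(due, func(i, j int) bool {
		return inv.certs[due[i]].NotAfter.Before(inv.certs[due[j]].NotAfter)
	})
	return due
}

// selfSignedPEM builds a constructed sample certificate with the given lifetime.
// It stands in for a cert an ACME client would have obtained; the key is discarded.
func selfSignedPEM(dnsName string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	inv := NewInventory()
	// Constructed samples: 90-day certs issued 70 days ago (20 left) and 10 days ago (80 left).
	for _, c := range []struct{ name string; age int }{{"www.example.test", 70}, {"api.example.test", 10}} {
		p, err := selfSignedPEM(c.name, now.AddDate(0, 0, -c.age), now.AddDate(0, 0, 90-c.age))
		if err != nil {
			panic(err)
		}
		if err := inv.Upload(c.name, p); err != nil {
			panic(err)
		}
	}
	for _, name := range inv.ExpiringWithin(now, 30*24*time.Hour) {
		info, _ := inv.Info(name)
		fmt.Printf("renew %s (expires %s)\n", name, info.NotAfter.Format(time.RFC3339))
	}
}
```

Only `Info` and `ExpiringWithin` need to be reachable by the renewal job, so the scheduler can decide what to re-issue while the PEM and key stay behind Vault's access controls; running the block prints the www cert as due and leaves the api cert alone.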

