[PYTHON] Encrypt ACME on Alibaba Cloud: Concepts Related to SSL Certificates

In this multi-part article, you'll learn how to use the Let's Encrypt ACME version 2 API with **Python** for **SSL certificates**.

About this article

Let's Encrypt is a popular topic and much information about it is already available online. However, this article is useful if you want to know more about these topics.

  1. Explains how to use Let's Encrypt, its benefits, and how to use the ACME v2 API.
  2. Creates an automated client that requests, validates, issues, and installs an SSL certificate on Alibaba Cloud API Gateway and Alibaba Cloud CDN without relying on multiple manual steps.
  3. Since purchasing an SSL certificate for each service can quickly become expensive, we have developed an inexpensive solution for protecting a large number of cloud services.
  4. Unlike the long lead time usually needed to obtain a commercial certificate, you can quickly set up SSL for your services.

As cloud services become universally adopted, applying for, issuing, and installing an SSL certificate on popular services such as API Gateway and CDN is still difficult. In this article, I'd like to show you how to do this easily and correctly. Instead of focusing on website SSL certificates, we are focusing on cloud services and REST endpoints that are difficult to configure.

These articles focus on SSL certificates for services that existing Let's Encrypt clients, such as certbot and third-party products, do not support. For example, certbot provides excellent support for automating the creation and renewal of SSL certificates for Apache web servers. However, there is little support for Windows IIS servers. In the final part, we will demonstrate creating an SSL certificate for IIS, bundling it in PKCS #12 format, and importing it into IIS.

What is an SSL certificate?

An SSL certificate binds together:

  1. A domain name, server name, or host name.
  2. An organizational identity, such as the company name and location.

The details that are combined with an SSL certificate depend on the type of validation performed by the Certificate Authority (CA) before issuing the SSL certificate.

An SSL certificate is a set of one or more small data files that digitally binds an encryption key to your organization's details. When installed on a web server, it enables the padlock icon and the https protocol and allows a secure connection from the web server to your browser. Installed on services such as API Gateway, it protects communication between systems.

What is Let's Encrypt?

According to Wikipedia, Let's Encrypt is a certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption through an automated process designed to eliminate the previously complex process of manually creating, validating, signing, installing, and renewing certificates for secure websites. It was launched on April 12, 2016.

In short, Let's Encrypt offers free SSL certificates for websites and many cloud services such as API Gateway, CDN and ECS.

What is a Certificate Authority (CA)?

A certificate authority (CA) is an entity that cryptographically signs an SSL certificate and vouches for its authenticity. Your browser or operating system has a list of trusted certificate authorities that it uses to verify your site's certificate.

Until recently, most certificate authorities had a commercial operation that charged money for their verification and signing services. Let's Encrypt has made this process available to users for free by fully automating the process and relying on sponsors and donations to fund the necessary infrastructure.

Let's Encrypt is a CA that issues domain-verified SSL certificates. The Let's Encrypt server uses the ACME protocol to communicate with ACME clients to request, issue, renew, and revoke SSL certificates.

SSL certificate types

There are many types of SSL certificates, but the three most common are Domain Validated (DV), Organization Validated (OV), and Extended Validated (EV).

  1. Domain Validated (DV; identified by a CA/Browser Forum policy OID): the most common type, validated using only the domain name.
  2. Organization Validated (OV; identified by a CA/Browser Forum policy OID): the organization name is attached to the certificate, which requires more verification than DV.
  3. Extended Validated (EV; identified by a CA/Browser Forum policy OID): requires the most validation effort by the certificate authority and provides the maximum trust to the visitor (a green bar is displayed in the web browser).
  4. Other types: self-signed, personal authentication, testing, code signing, and so on.

Also, SSL certificates of each type can be single-domain, multi-domain, or wildcard. This is really just a marketing distinction, as all SSL certificates support one or more domain names, including wildcard domain names.

Let's Encrypt only issues DV SSL certificates. If you need an OV or EV SSL certificate, you will need to use a commercial CA such as Alibaba Cloud SSL Certificate Services (https://www.alibabacloud.com/en/product/certificates). The certificates differ only in the amount and type of information stored in them, and in the time and process the CA spends validating the organization that manages the domain name rather than just the domain name itself. For services that handle financial transactions, strongly consider an EV SSL certificate. DV certificates are best suited for services such as CDNs and API gateways.

For web servers and cloud services, the types of SSL certificates (DV, OV, EV) make no difference. Clients (web browsers and real people) may care. If I were connected to a bank and the bank only had a DV SSL certificate, I would wonder why. It's important to assess the value of what you protect and the cost of failing to protect it. A DV SSL certificate is just right for a website contact form. An EV certificate is required to process credit cards. Anyone who sends money wants full validation at the extended validation level, not just domain validation.

What is ACME?

ACME is an abbreviation for Automatic Certificate Management Environment. ACME is a communication protocol that allows clients to interface with a CA (Certificate Authority) for SSL certificate management (issuance, renewal, revocation).

The ACME protocol is based on passing JSON-formatted messages over HTTPS. Each request is signed with a private key and verified by the CA with the corresponding public key. This key pair is called your account key. Keep in mind that this key pair is different from the key pair used to create a Certificate Signing Request (CSR).

**Account key** The account key identifies the account requesting certificate services; no login/password mechanism is used. It is very important to keep your account key pair in a safe place, because the account key is used to issue, renew, and revoke your SSL certificates. If you lose your account key, the certificates created under that account are orphaned: they cannot be renewed or revoked. In this case, you need to create a new account key and issue new SSL certificates in place of the ones you can no longer manage. If a malicious third party gains access to your account key, they can change your contact email address and revoke your certificates. They cannot issue a new SSL certificate for your domain, because that requires HTTP or DNS validation of your domain name.

**Certificate key** A certificate key is the key pair used to sign a CSR (Certificate Signing Request). This is not the account key, even though both are key pairs. For security reasons, you should avoid signing the CSR with your account key. In general, it is common practice to create a new certificate key for each SSL certificate.

**CSR (Certificate Signing Request)** A CSR is a file (message) sent to a CA (Certificate Authority, here Let's Encrypt) to apply for an SSL certificate. A CSR can contain details such as the company name, location, and domain name of the applicant. Since Let's Encrypt issues only DV (Domain Validated) SSL certificates, only the domain name is validated: the generated SSL certificate contains only the domain name, plus an optional contact email address. Details such as company name and location are not included.

ACME API Python example

In this series of articles, we will show you how to use each ACME API in a small and easy-to-understand Python program. You can also use the Alibaba Cloud API to automate DNS record changes. We will also show you how to install an SSL certificate on Alibaba Cloud services (API Gateway and [CDN](https://www.alibabacloud.com/en/product/cdn)) so that each SSL-protected service has a custom domain name.

The required environment is as follows.

Python: 3.6 or later (not compatible with Python 2)

Platform: Tested on Windows 10

Python libraries (tested versions):

  1. cryptography 2.2.2 (March 27, 2018)
  2. pyOpenSSL 18.0.0 (May 16, 2018)
  3. requests 2.19.1 (June 14, 2018)

Programs (tested versions):

  1. Python 3.6.5 for Windows (March 28, 2018)
  2. [OpenSSL for Windows](https://slproweb.com/products/Win32OpenSSL.html) (March 27, 2018)

Download: [ACME example in Python (Zip, 20 KB)](https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/neoprime_acme_examples_python.zip?spm=a2c65.11461447.0.0.481312958mBJIP&file=neoprime_acme_examples_python.zip)

Note: Antivirus software will warn you about this download as this download is a ZIP file containing the Python source code.

How to use the ACME examples

  1. Create a working directory on your system.
  2. Download the package linked above.
  3. Unzip the package into your working directory.
  4. Create a Let's Encrypt account key: `python make_account_key.py`
  5. Display the account information: `python get_account-info.py`
  6. Read the series of articles and study the source code examples.


Once you have created your account key, certificate key, and CSR, you have everything you need to request an SSL certificate through Let's Encrypt. Before Let's Encrypt issues an SSL certificate, it must validate your certificate request (called an order in Let's Encrypt terminology) by verifying that you control your domain name, either through an HTTP validation file or a DNS TXT record. Most cloud services, such as API Gateway, do not support HTTP file-based validation, so the examples in this series of articles only support DNS validation.
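The DNS validation step above, and the role of the account key described under "What is ACME?", can be made concrete with a small piece of code. The following is an added example written for this article; it is not code from the ACME sample package or from Let's Encrypt. It computes the `_acme-challenge` TXT record value that the CA looks up for a DNS-01 challenge: the key authorization is the challenge token joined with the RFC 7638 thumbprint of the account's public key (which is why a stolen account key cannot by itself pass validation for a domain the attacker does not control), and the TXT data is the base64url-encoded SHA-256 of that string. It covers both RSA and EC account keys, which is more general than the RSA keys the series uses. The JWK dictionaries, the challenge token and the domain are constructed sample values, and all function names are this example's own.

```python
"""Added example (not from the article or its sample package): DNS-01
challenge record computation for an ACME order, using only the standard
library. Assumptions: the account public key is supplied as a JWK dict, and
the challenge token is whatever the CA returned for the order (a constructed
sample is used below)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members RFC 7638 includes in the thumbprint, per key type (sorted order).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {name: jwk[name] for name in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON, base64url encoded."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key), per RFC 8555 section 8.1."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT data for the DNS-01 challenge: base64url(SHA-256(key authorization))."""
    keyauth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(keyauth).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(record name, record data) to publish before asking the CA to validate."""
    return (f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk))


# Constructed sample inputs. The n/x/y values are placeholders shaped like
# base64url JWK members; a real client takes them from its account key.
SAMPLE_RSA_JWK = {"kty": "RSA", "n": "placeholder-modulus-base64url", "e": "AQAB"}
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate",
    "y": "placeholder-y-coordinate",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed

if __name__ == "__main__":
    for jwk in (SAMPLE_RSA_JWK, SAMPLE_EC_JWK):
        name, value = dns01_record("api.example.com", SAMPLE_TOKEN, jwk)
        print(f'{jwk["kty"]} account key -> {name}. IN TXT "{value}"')
```

Publish the returned record (the series does this through the Alibaba Cloud DNS API), wait for it to propagate, and only then tell the CA to validate the challenge; the CA recomputes the same value from the token and your registered account key, so a mismatch usually means the record was built from the wrong key or an old token.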

Now is a good time to download the Python setup, the required Python packages, and the source code for the ACME samples.

[Part 2 of the series](https://www.alibabacloud.com/blog/let%27s-encrypt-acme-with-alibaba-cloud-api-gateway-and-cdn-%E2%80%93-part-2_593778?spm=a2c65.11461447.0.0.481312958mBJIP) creates an account key, certificate key, and certificate signing request (CSR) and starts working on each ACME API in Python.
