In this multi-part article, you'll learn how to use the Let's Encrypt ACME version 2 API with ** Python ** for ** SSL certificates **.
Let's Encrypt is a popular topic and much information about it is already available online. However, this article is useful if you want to know more about these topics.
When cloud services become universally accepted, API Gateway and CDN With popular services such as ja / product / cdn), it is difficult to apply for, issue, and install an SSL certificate. In this article, I'd like to show you how to do this easily and correctly. Instead of focusing on website SSL certificates, we are focusing on cloud services and REST endpoints that are difficult to configure.
These articles focus on SSL certificates for services that certbot and third-party products do not support existing Let's Encrypt clients. For example, certbot provides excellent support for automating the creation and renewal of SSL certificates for Apache web servers. However, there is little support for Windows IIS servers. In the final part, we will demonstrate creating an SSL certificate for IIS, bundling it in PKCS # 12 format and importing it into IIS.
The SSL certificate is as follows.
1, domain name, server name, host name. 2. Organizational identity such as company name and location. The details that are combined with an SSL certificate depend on the type of validation performed by the Certificate Authority (CA) before issuing the SSL certificate.
An SSL certificate is a set of one or more small data files that digitally binds an encryption key to your organization's details. When installed on a web server, it enables padlocks, https protocols and allows a secure connection from the web server to your browser. Installed on services such as API Gateway protects communication between systems.
According to Wikipedia, Let's Encrypt is an automated process designed to eliminate the previously complex process of manually creating, validating, signing, installing, and renewing certificates for secure websites. A certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption through. It was released on April 12, 2016.
In short, Let's Encrypt offers free SSL certificates for websites and many cloud services such as API Gateway, CDN and ECS.
A certificate authority (CA) is an entity that cryptographically signs an SSL certificate and guarantees its authenticity. Your browser or operating system has a list of trusted certificate authorities that you can use to verify your site's certificate.
Until recently, most certificate authorities had a commercial operation that charged money for their verification and signing services. Let's Encrypt has made this process available to users for free by fully automating the process and relying on sponsors and donations to fund the necessary infrastructure.
Let's Encrypt is a CA that issues domain-verified SSL certificates. The Let's Encrypt server uses the ACME protocol to communicate with ACME clients to request, issue, renew, and revoke SSL certificates.
There are many types of SSL certificates, but the three most common are Domain Validated (DV), Organization Validated (OV), and Extended Validated (EV).
1, Domain Validated (CABF OID 22.214.171.124.2.1)-The most common type, validated using only the domain name. 2. Organization verified (CABF OID 126.96.36.199.2.2)-The organization name is attached to the certificate and requires more verification compared to DV. 3, Extended Validated (CABF OID 188.8.131.52.1)-It requires the most effort to be validated by a certificate authority and provides the maximum trust to the visitor (green bar is displayed on the web browser). 4, self-signed, personal authentication, testing, code signing and other types.
Also, SSL certificates can be single domain, multi-domain, or wildcard for each type. This is really just a marketing feature, as all SSL certificates support one or more domain names, including wildcard domain names.
Let's Encrypt only issues DV SSL certificates. If you need an OV or EV SSL certificate, you will need to use a commercial CA such as Alibaba Cloud SSL Certificate Services (https://www.alibabacloud.com/en/product/certificates). There is no difference in the certificate other than the amount and type of information stored in the certificate. Not just the domain name, but the time and process that the CA completes to validate the organization that manages the domain name. For services that offer financial transactions, consider EV SSL certificates strongly. DV certificates are best suited for services such as CDNs and API gateways.
For web servers and cloud services, the types of SSL certificates (DV, OV, EV) are no different. Clients (web browsers and real people) may care. If I was connected to a bank and the bank only had a DV SSL certificate, I would be wondering why. It's important to assess the value of what you protect and the cost of failure to protect it. The DV SSL certificate for the website contact form is just right. An EV certificate is required to process your credit card. Anyone who sends money wants to be fully validated at the extended validation level, not just domain validation.
ACME is an abbreviation for "ACME". Abbreviation for Automatic Certificate Management Environment. ACME is a communication protocol that allows clients to interface with a CA (Certificate Authority) for SSL certificate management (issuance, renewal, revocation).
The ACME protocol is based on passing JSON-formatted messages over HTTPS. The request is signed with the private key and authenticated with the corresponding public key. This key pair is called your account key. Keep in mind that this key pair is different from the key pair used to create a Certificate Signing Request (CSR).
** Account key ** The account key is used to provide the ID of the account requesting certificate service. No method such as login / password is used. It is very important to keep your account key pair in a safe place, as your account key is used to issue, renew, and revoke your SSL certificate. If you lose your account key, the certificates created under that account will be put on hold. These certificates cannot be renewed or revoked. In this case, you need to create a new account key and issue a new SSL certificate in place of the lost certificate. If a malicious third party gains access to your account key, you can change your contact email address and revoke your certificate. You cannot issue a new SSL certificate for your domain because it requires HTTP or DNS validation of your domain name.
** Certificate key ** A certificate key is a key pair used to sign a CSR (Certificate Signing Request). This is not an account key, even though both are key pairs. For security reasons, you should avoid signing your account key in the CSR. In general, it is common to create a new certificate key for each SSL certificate.
** CSR-Certificate signing request ** A CSR is a file (message) sent to a CA (Certificate Authority --Let's Encrypt) to apply for an SSL certificate. The CSR contains details such as the company name, location, and domain name of the person applying for the SSL certificate. Since Let's Encrypt issues only DV (Domain Validated) SSL certificate, only the domain name is verified in the generated SSL certificate, only the domain name is described, and the contact information is described. An optional email address for is also listed. Details such as company name and location are not included.
In this series of articles, we will show you how to use each ACME API in a small and easy-to-understand Python program. You can also use Alibaba Cloud API to automate DNS record changes, and Alibaba Cloud services (API Gateway and [CDN]( We will also show you how to install an SSL certificate on https://www.alibabacloud.com/en/product/cdn)) to have a custom domain name for each SSL-protected service.
The required environment is as follows. Python 3.6 or later (not compatible with Python 2)
Platform: Tested on Windows 10
Python library: (tested version)
1, encrypted version 2.2.2 (March 27, 2018) 2, pyOpenSSL version 18.0.0 (May 16, 2018) 3, Request version 2.19.1 (June 14, 2018)
Program: (tested version)
1, Python version for Windows 3.6.5 (March 28, 2018) 2, [https://slproweb.com/products/Win32OpenSSL.htm](https://www.alibabacloud.com/blog/let%27s-encrypt-acme-on-alibaba-cloud-%E2%80%93 -part-1_593777) l "> OpenSSL version 184.108.40.206h for Windows (March 27, 2018) Download: [ACME example in Python (Zip-20 KB)](https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/neoprime_acme_examples_python.zip?spm=a2c65.114614220.127.116.111312958mBJIP&file= neoprime_acme_examples_python.zip)
Note: Antivirus software will warn you about this download as this download is a ZIP file containing the Python source code.
How to use the ACME example.
Once you have created your account key, certificate key, and CSR, you have everything you need to request an SSL certificate through Let's Encrypt. Before Let's Encrypt issues an SSL certificate, Let's Encrypt needs to validate your certificate request by verifying that you manage your domain name through an HTTP validation file or a DNS TXT record. (In Let's Encrypt terminology, it's called an order). Most cloud services, such as API Gateway, do not support HTTP file-based validation, so the examples in this series of articles only support DNS validation.
Now is a good time to download the Python setup, the required Python packages, and the source code for the ACME samples.
[Part 2 of the series](https://www.alibabacloud.com/blog/let%27s-encrypt-acme-with-alibaba-cloud-api-gateway-and-cdn-%E2%80%93-part- 2_593778? Spm = a2c65.11461418.104.22.1681312958mBJIP) creates an account key, certificate key, certificate signing request (CSR) and starts working on each ACME API in Python.