One of my favorite current open source projects is Let’s Encrypt.  If you’re not already familiar with it, Let’s Encrypt is both a set of software packages and a backend service that freely issues X.509 certificates trusted by default by most major browsers and operating systems.  Basically, with Let’s Encrypt you can break free of the commercial certificate authority cartel and get certificates that are just as cryptographically strong and secure, at no cost.

I was recently talking to a customer about Let’s Encrypt and they asked about using LE-issued certificates with Twistlock, so I wrote this quick blog post to show how easy it is.  Remember that Twistlock has always shipped with its own self-signed CA that automatically issues X.509 certificates, both for authentication to Twistlock and to protect our web UI and API with TLS.  Those certs are just as cryptographically strong as ones issued by a well-known CA; the difference is who trusts the signer.  A private CA is only trusted by the clients you’ve explicitly distributed it to, and until you do, every browser and API client sees a certificate warning that users learn to click through, which is exactly the habit a man-in-the-middle relies on.  Distributing our CA cert to every user and tool is technically possible, but it’s much easier to get LE certs that chain to a root already present in the system trust stores.

The process we’ll follow to get the LE certs is completely Dockerized: I’ll just run an LE-provided image that automates the whole request-and-issuance flow using LE’s Certbot client and the ACME protocol.  As a user, I don’t need to do anything other than answer a few prompts, and my certificates are issued within seconds and ready to use with Twistlock.

Note that the specific steps below use LE’s online validation: the LE service connects back to my host, where Certbot is listening, to prove that I control the name.  If you’re making the request from an environment where the host can’t be reached from the Internet, use their DNS-based validation instead.  One caveat if you follow along later: the output below shows a tls-sni-01 challenge answered on port 443.  Let’s Encrypt has since retired that challenge type, and current Certbot standalone answers http-01 on port 80 instead, so you would publish -p 80:80 rather than -p 443:443; the image has also moved from quay.io/letsencrypt/letsencrypt to certbot/certbot on Docker Hub, as the warning in the output says.

First, let’s run a Dockerized version of Certbot:
root@my-host:/home/my-host# docker run -it --rm -p 443:443 --name certbot \
    -v /etc/letsencrypt:/etc/letsencrypt \
    -v /var/log/letsencrypt:/var/log/letsencrypt \
    quay.io/letsencrypt/letsencrypt:latest certonly --standalone -d my-host.lab.twistlock.com

As you can see from the parameters I’m passing to docker run, I provide the port Certbot will listen on (it has to be free on the host while the container runs), the host paths where Certbot writes its keys, certificates, and logs, and the name I’m requesting the certificate for.  Because /etc/letsencrypt is bind-mounted from the host, the ACME account key and the certificate’s private key persist there after the container exits, so protect that directory like any other key material.  Depending on the use case, I might instead write the certificates to a volume that I later mount into another container to automate the whole flow.  In this example, though, we’ll keep it simple, since we’ll be pasting the certificate into the Twistlock UI anyway.

When Certbot runs, it’ll automatically make the requests via ACME based on my inputs:

Unable to find image 'quay.io/letsencrypt/letsencrypt:latest' locally
latest: Pulling from letsencrypt/letsencrypt
3f992ab3df53: Pull complete
0aa0bd28396f: Pull complete
db7bb15088de: Pull complete
1b6d2bb5ddaa: Pull complete
a2bc8c956e6b: Pull complete
a3ed95caeb02: Pull complete
0188a1eb6a72: Pull complete
15e203f8acaf: Pull complete
5e51e50ba02e: Pull complete
76720957858d: Pull complete
d1c078317f7a: Pull complete
4c5b15d830d2: Pull complete
0c73a2e57e91: Pull complete
d373f519f3d0: Pull complete
03ca8876644f: Pull complete
f0a6a7ea38af: Pull complete
e32c63690ebd: Pull complete
Digest: sha256:8d8d3ae2e40846d402fa80436b59e4a50be02133f3b1861ea2a0c9f013b0736c
Status: Downloaded newer image for quay.io/letsencrypt/letsencrypt:latest
Warning: This Docker image will soon be switching to Alpine Linux.
You can switch now using the certbot/certbot repo on Docker Hub.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): my-name@twistlock.com

-------------------------------------------------------------------------------

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for my-host.lab.twistlock.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/my-host.lab.twistlock.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/my-host.lab.twistlock.com/privkey.pem
Your cert will expire on 2017-10-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

After the lines about donating to EFF and Let’s Encrypt (which you totally should do!), you’re done with Certbot and the container exits.  Note the expiry date it printed: Let’s Encrypt certificates are valid for 90 days, so plan on automating “certbot renew” rather than repeating this by hand every quarter.

Now, let’s look at the actual cert that was created (note the path ends with the hostname the certificate was issued for).  openssl x509 reads only the first certificate in the file, which in fullchain.pem is the leaf, so this shows our end-entity certificate rather than the Let’s Encrypt intermediate that follows it:

root@my-host:/home/my-host# openssl x509 -in /etc/letsencrypt/live/my-host.lab.twistlock.com/fullchain.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:31:eb:a3:99:fe:c2:c9:af:6c:98:68:f0:44:8b:95:df:0b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jul 17 17:18:00 2017 GMT
            Not After : Oct 15 17:18:00 2017 GMT
        Subject: CN=my-host.lab.twistlock.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:b4:88:89:3b:00:e4:2b:b3:05:0e:58:f7:df:
                    83:d4:a8:a2:2f:f1:6c:25:4b:81:8e:a1:02:e3:e3:
                    ae:3a:69:e5:12:1c:d2:f0:8d:59:1f:61:8c:06:8e:
                    87:62:1e:aa:f0:6b:d8:b1:89:82:52:4b:9e:72:b3:
                    92:39:ae:ea:41:b5:5c:ff:2a:92:d2:17:94:f7:ba:
                    61:3e:04:4b:57:6f:25:6a:ef:f9:45:fe:6b:e0:f0:
                    01:ed:b4:8e:44:e4:09:82:d5:22:aa:b0:18:97:af:
                    9b:f3:a7:50:f4:8c:dd:92:54:73:e5:4f:2e:3a:7a:
                    e6:4e:df:d9:cf:ca:d6:6d:61:83:f3:7a:1e:e2:c0:
                    e3:a9:36:cf:e3:70:e1:cc:2d:3a:3b:c3:8e:54:8f:
                    02:a6:ad:0f:e6:6b:c7:a3:ed:91:9f:f0:d1:16:91:
                    a4:35:00:48:2d:e7:94:ee:f0:55:c6:21:b0:5f:4d:
                    ac:41:5f:c7:f4:a9:64:db:c6:ee:fe:97:54:d6:3c:
                    31:3c:ac:5b:d7:05:ec:c8:c0:09:71:c8:04:f2:d9:
                    c1:65:fd:0b:0b:65:d2:63:26:7f:3b:fe:2b:d4:b7:
                    f3:76:16:d6:c0:81:49:00:3e:52:dd:99:3c:36:92:
                    82:7c:97:b7:a1:4c:5c:a0:c6:8e:4e:4c:8c:ce:cf:
                    6c:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9D:BA:CB:CA:6A:C6:B5:B1:83:45:F4:58:3E:31:01:7F:AC:76:10:FA
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:my-host.lab.twistlock.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

Let’s look at the other files in this path:

root@my-host:/home/my-host# ls /etc/letsencrypt/live/my-host.lab.twistlock.com/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Finally, to use this cert with Twistlock, we just need to copy and paste the combined PEM of the certificate and key into the Console UI (shortened for brevity).  For reference, cert.pem is the leaf alone, chain.pem holds the Let’s Encrypt intermediate, fullchain.pem is the two concatenated, and privkey.pem is the private key; the README in that directory explains the layout.  If anything other than a browser will talk to the Console (curl, Java, API integrations), prefer fullchain.pem over cert.pem so the server sends the intermediate and clients don’t have to fetch it from the AIA URL themselves.  And since the combined file contains the private key, keep it readable by root only and delete it once it has been pasted:

root@my-host:/home/my-host# cat /etc/letsencrypt/live/my-host.lab.twistlock.com/cert.pem /etc/letsencrypt/live/my-host.lab.twistlock.com/privkey.pem > keys.pem
root@my-host:/home/my-host# cat keys.pem
-----BEGIN CERTIFICATE-----
MIIFDzCCA/egAwIBAgISAzHro5n+wsmvbJho8ESLld8LMA0GCSqGSIb3DQEBCwUA
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCstIiJOwDkK7MF
...
-----END PRIVATE KEY-----
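Assembling the bundle by hand works once, but the certificate above expires in 90 days, and a paste mistake (the wrong key, a missing intermediate, a renewed certificate paired with the previous key) fails silently until a client complains.  The following is an added example, not from the original post and not Twistlock’s or Certbot’s code: a small POSIX shell function that builds the certificate-plus-key PEM the way the cat command above does but checks it first.  It confirms the private key belongs to the leaf by comparing SubjectPublicKeyInfo hashes (so it works for EC as well as RSA keys), refuses a certificate that expires within a configurable number of days, optionally checks that the SAN covers the expected hostname, uses fullchain.pem so the intermediate is included, and creates the output with owner-only permissions before any key material lands in it.  The function name, its arguments and the seven-day default are my own choices; the directory layout is Certbot’s /etc/letsencrypt/live/<host>/.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check the
# certificate+key PEM before pasting it into a TLS UI such as the Console.
# Assumes Certbot's layout: <live_dir>/fullchain.pem and <live_dir>/privkey.pem.
# The function name, its arguments and the 7-day default are this example's own.
#
# usage: build_bundle <live_dir> <out_file> [min_days] [expected_host]
build_bundle() {
    live_dir="$1"
    out="$2"
    min_days="${3:-7}"
    host="$4"
    chain="$live_dir/fullchain.pem"   # leaf first, then the intermediate(s)
    key="$live_dir/privkey.pem"

    [ -r "$chain" ] && [ -r "$key" ] || {
        echo "build_bundle: fullchain.pem or privkey.pem missing in $live_dir" >&2
        return 1
    }

    # 1. The key must belong to the leaf. openssl x509 reads only the first
    #    certificate in the file, so this compares the leaf's SPKI with the
    #    public half of privkey.pem; hashing the PEM works for RSA and EC alike.
    cert_spki=$(openssl x509 -in "$chain" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ -n "$cert_spki" ] && [ "$cert_spki" = "$key_spki" ] || {
        echo "build_bundle: privkey.pem does not match the leaf certificate" >&2
        return 2
    }

    # 2. Refuse a leaf that expires within min_days (-checkend exits 1 if so).
    openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "build_bundle: leaf expires within $min_days days, renew first" >&2
        return 3
    }

    # 3. Optionally make sure the SAN covers the name clients will connect to.
    if [ -n "$host" ]; then
        openssl x509 -in "$chain" -noout -text | grep -qE "DNS:${host}(,|\$)" || {
            echo "build_bundle: $host is not in the certificate's SAN list" >&2
            return 4
        }
    fi

    # 4. Write leaf + chain + key. The umask runs in a subshell so the caller's
    #    umask is untouched, and the file is mode 0600 from the moment it exists.
    ( umask 077 && cat "$chain" "$key" > "$out" ) || return 5
    echo "build_bundle: wrote $out ($(grep -c 'BEGIN CERTIFICATE' "$out") certificate(s) + private key)"
}
```

Run it after issuance as build_bundle /etc/letsencrypt/live/my-host.lab.twistlock.com /root/keys.pem 7 my-host.lab.twistlock.com, or wire it into renewal: Certbot’s --deploy-hook runs a command after each successful renewal with the renewed lineage directory in the RENEWED_LINEAGE environment variable, so the same function can regenerate the bundle every time.  To confirm the chain actually builds to a root your clients trust, openssl verify -untrusted chain.pem cert.pem against the system store is the quickest check.  Delete the bundle once it has been pasted; it holds the private key in the clear.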

Now, we just need to paste it into Twistlock:

After I do that, all future TLS connections to the Console are trusted using my new LE certificate, with no warnings:

Note that this trust is automatic on macOS (and in Chrome, and on Windows) because the browser validates the certificate against the system-wide CA trust store, which already contains the root that Let’s Encrypt chains to; that is the “Use System Defaults” setting shown above.

Pretty easy, right?!  If you’ve worked in IT for very long, you’ve undoubtedly spent hundreds of dollars and many hours getting certificates in the past, so it’s awesome to see how easy and accessible Let’s Encrypt has made this process.
