One of my favorite current open source projects is Let’s Encrypt. If you’re not already familiar with Let’s Encrypt, it’s both a set of software packages and a backend service layer that freely provides x.509 certificates that are implicitly trusted by most major browsers and operating systems. Basically, with Let’s Encrypt, you can break free of the certificate authority cartel and get certificates that are just as cryptographically strong and secure at no cost.
I was recently talking to a customer about Let’s Encrypt and they asked me about using LE issued certificates with Twistlock, so I wrote this quick blog post to show how easy it is. Remember that Twistlock has always shipped with it’s own self-signed CA that automatically issues x.509 certificates both for authentication to Twistlock and to protect our web UI and API via TLS. While those certs are just as cryptographically strong as those issued by a well known CA, it’s a good practice to have that additional layer of defense in depth by making it easy for users to trust the signer. While it’s technically possible to distribute our self-signed CA cert to your users, it’s much easier to just get LE certs that are trusted automatically.
The process we’ll follow to get the LE certs will be completely Dockerized – I’ll just run an LE provided image that will automate the entire process for certificate request and issuance using LE’s Certbot app and ACME request protocol. As a user, I don’t need to do anything other than answer a few prompts and my certificates will be instantly issued to me and ready to use with Twistlock.
Note that the specific steps I’m following below uses LE’s online validation. In this flow, the LE service will attempt to connect back to my host (where the Certbot app is running). If you’re making a request in an environment where you can’t expose the host directly, you can also use their DNS based validation.
First, let’s run a Dockerized version of Certbot:
root@my-host:/home/my-host# docker run -it --rm -p 443:443 --name certbot -v /etc/letsencrypt:/etc/letsencrypt -v /var/log/letsencrypt:/var/log/letsencrypt quay.io/letsencrypt/letsencrypt:latest certonly --standalone -d my-host.lab.twistlock.com
As you can see from the parameters I’m passing in Docker run, I provide the port that Certbot will listen on, the paths to write keys and log files, and the name I’m making the request for. Note that depending on my use cases, I may write the certificates to a volume that I map into another container later to make it easy to automate the entire flow. In this example, though, we’ll keep it simple since we’ll be pasting these certificates into the Twistlock UI anyway.
When Certbot runs, it’ll automatically make the requests via ACME based on my inputs:
Unable to find image 'quay.io/letsencrypt/letsencrypt:latest' locally latest: Pulling from letsencrypt/letsencrypt 3f992ab3df53: Pull complete 0aa0bd28396f: Pull complete db7bb15088de: Pull complete 1b6d2bb5ddaa: Pull complete a2bc8c956e6b: Pull complete a3ed95caeb02: Pull complete 0188a1eb6a72: Pull complete 15e203f8acaf: Pull complete 5e51e50ba02e: Pull complete 76720957858d: Pull complete d1c078317f7a: Pull complete 4c5b15d830d2: Pull complete 0c73a2e57e91: Pull complete d373f519f3d0: Pull complete 03ca8876644f: Pull complete f0a6a7ea38af: Pull complete e32c63690ebd: Pull complete Digest: sha256:8d8d3ae2e40846d402fa80436b59e4a50be02133f3b1861ea2a0c9f013b0736c Status: Downloaded newer image for quay.io/letsencrypt/letsencrypt:latest Warning: This Docker image will soon be switching to Alpine Linux. You can switch now using the certbot/certbot repo on Docker Hub. Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): firstname.lastname@example.org
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: a
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for my-host.lab.twistlock.com
Waiting for verification…
Cleaning up challenges
– Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2017-10-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
– Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
After the line about donating to EFF and Let’s Encrypt (which you totally should do!), you’re done with Certbot and the container exits.
Now, let’s look at the actual cert that was created (note the path ends with the hostname the request was issued to).
root@my-host:/home/my-host# openssl x509 -in /etc/letsencrypt/live/my-host.lab.twistlock.com/fullchain.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 03:31:eb:a3:99:fe:c2:c9:af:6c:98:68:f0:44:8b:95:df:0b Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 Validity Not Before: Jul 17 17:18:00 2017 GMT Not After : Oct 15 17:18:00 2017 GMT Subject: CN=my-host.lab.twistlock.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ac:b4:88:89:3b:00:e4:2b:b3:05:0e:58:f7:df: 83:d4:a8:a2:2f:f1:6c:25:4b:81:8e:a1:02:e3:e3: ae:3a:69:e5:12:1c:d2:f0:8d:59:1f:61:8c:06:8e: 87:62:1e:aa:f0:6b:d8:b1:89:82:52:4b:9e:72:b3: 92:39:ae:ea:41:b5:5c:ff:2a:92:d2:17:94:f7:ba: 61:3e:04:4b:57:6f:25:6a:ef:f9:45:fe:6b:e0:f0: 01:ed:b4:8e:44:e4:09:82:d5:22:aa:b0:18:97:af: 9b:f3:a7:50:f4:8c:dd:92:54:73:e5:4f:2e:3a:7a: e6:4e:df:d9:cf:ca:d6:6d:61:83:f3:7a:1e:e2:c0: e3:a9:36:cf:e3:70:e1:cc:2d:3a:3b:c3:8e:54:8f: 02:a6:ad:0f:e6:6b:c7:a3:ed:91:9f:f0:d1:16:91: a4:35:00:48:2d:e7:94:ee:f0:55:c6:21:b0:5f:4d: ac:41:5f:c7:f4:a9:64:db:c6:ee:fe:97:54:d6:3c: 31:3c:ac:5b:d7:05:ec:c8:c0:09:71:c8:04:f2:d9: c1:65:fd:0b:0b:65:d2:63:26:7f:3b:fe:2b:d4:b7: f3:76:16:d6:c0:81:49:00:3e:52:dd:99:3c:36:92: 82:7c:97:b7:a1:4c:5c:a0:c6:8e:4e:4c:8c:ce:cf: 6c:73 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 9D:BA:CB:CA:6A:C6:B5:B1:83:45:F4:58:3E:31:01:7F:AC:76:10:FA X509v3 Authority Key Identifier: keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
X509v3 Certificate Policies:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Let’s look at the other files in this path:
root@my-host:/home/my-host# ls /etc/letsencrypt/live/my-host.lab.twistlock.com/ cert.pem chain.pem fullchain.pem privkey.pem README
Finally, to use this cert with Twistlock, we just need to copy and paste the combined PEM of the certificate and key into the Console UI (shortened for brevity):
root@my-host:/home/my-host# cat /etc/letsencrypt/live/my-host.lab.twistlock.com/cert.pem /etc/letsencrypt/live/my-host.lab.twistlock.com/privkey.pem>; keys.pem root@my-host:/home/my-host# cat keys.pem -----BEGIN CERTIFICATE----- MIIFDzCCA/egAwIBAgISAzHro5n+wsmvbJho8ESLld8LMA0GCSqGSIb3DQEBCwUA ... -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCstIiJOwDkK7MF ... -----END PRIVATE KEY-----
Now, we just need to paste it into Twistlock:
After I do that, all future TLS connections are implicitly trusted using my new LE certificate:
Note that this validity and trust is implicit on macOS (and in Chrome, and on Windows) using the system wide CA trust store (as indicated by “Use System Defaults” above).
Pretty easy right?! If you’ve worked in IT for very long, you’ve undoubtedly spent hundreds of dollars and many hours gettings certificates in the past, so it’s awesome to see how Let’s Encrypt has made this process as easy and accessible as it now is.
Follow us on Twitter
Keep up to date with the latest news from TwistlockLabs and TwistlockTeam.
Cryptomining Malware Emerges
I have been watching for the spread of malware that, primarily, uses c...
Calling the Twistlock API from PowerShell
The Problem This morning, a colleague was looking for situations where...
What Makes Distributed Security ‘Cloud Native’: Podcast Overview
I caught up with Scott Fulton III on this edition of The New Stack Mak...
Reflections on the 20th Anniversary of Open Source Technology
Exactly twenty years ago in February 1998, the term “open source” ...
Enhanced Syslog Data Streams: 2.3 Deep Dive
In each of our Twistlock releases, we publish some truly remarkable fe...