SlideShare ist ein Scribd-Unternehmen logo

Let's Encrypt failures

Als ODP, PDF herunterladen
Marian Marinov
Marian Marinov

Description of a lot of things that went wrong, when we increased the scale of the deployment of Let's Encrypt

Ingenieurwesen
1 von 34
How we broke How we broke  Let's EncryptLet's Encrypt Marian MarinovMarian Marinov mm@siteground.commm@siteground.com Chief System ArchitectChief System Architect Head of the DevOps departmentHead of the DevOps department
❖❖ Who am I?Who am I? - Chief System Architect of SiteGround.com- Chief System Architect of SiteGround.com - Sysadmin since 1996- Sysadmin since 1996 - Organizer of OpenFest, BG Perl- Organizer of OpenFest, BG Perl Workshops, LUG-BG and othersWorkshops, LUG-BG and others - Teaching Network Security and- Teaching Network Security and Linux System AdministrationLinux System Administration courses in Sofia Universitycourses in Sofia University and SoftUniand SoftUni
GoogleGoogle Sep 8, 2016 in the end of Jan.2017 it will mark sites with CC data or passwords without HTTPS as "Not secure" Jan 31, 2017 it happened Apr 27, 2017 http sites which have forms will be added to "Not secure" in October Feb 8, 2018 it will mark all HTTP sites that don't have HTTPS as "Not secure"
❖❖ Announced in the beginning of 2016Announced in the beginning of 2016 ❖❖ Lunched on April 12, 2016Lunched on April 12, 2016 ❖❖ SiteGround is one of the first sponsors of Let's Encrypt ❖❖ Wildcard certificates were introduced in March 2018 Let's EncryptLet's Encrypt
SiteGroundSiteGround ❖❖ In the beginning 2016 we started working on cPanel plugin for Let's Encrypt ❖❖ In Oct 2017 we started work on wildcard certsIn Oct 2017 we started work on wildcard certs
SiteGroundSiteGround ❖❖ In the beginning of Dec 2017 we decided to issue certs to every host that is hosted on our infrastructure...
Let the failuresLet the failures begin!!!begin!!!
❖❖ We first decided to create accountWe first decided to create account for every client that we have, sofor every client that we have, so everyone can take their own Let'severyone can take their own Let's Encrypt account with them if they areEncrypt account with them if they are leaving...leaving... Creating that many accounts:Creating that many accounts: - it was slow... so we decided to do it- it was slow... so we decided to do it in parallelin parallel - about 10 requests per server- about 10 requests per server - but all servers in the same time- but all servers in the same time
❖❖ We broke the infrastructure ofWe broke the infrastructure of Let's EncryptLet's Encrypt
❖❖ We got a call from Let's Encrypt :)We got a call from Let's Encrypt :)
❖❖ They had oneThey had one SIMPLESIMPLE request:request: Implement a global limit(across allImplement a global limit(across all of our Data Centers) to create max 2of our Data Centers) to create max 2 accounts per secondaccounts per second
❖❖ Implementing such lock, withImplementing such lock, with performance and reliability in mindperformance and reliability in mind is not simple...is not simple... ❖❖ We decided to use HashiCorp'sWe decided to use HashiCorp's Consul locking for thatConsul locking for that
❖❖ We have a lot of customers... suchWe have a lot of customers... such a limit was never going to bea limit was never going to be enough...enough... ❖❖ So we decided to go with a singleSo we decided to go with a single account for all servers (proposed byaccount for all servers (proposed by Let's Encrypt)Let's Encrypt)
❖❖ At that point everything started toAt that point everything started to work...work... ❖❖ But we issued certs only to peopleBut we issued certs only to people that wanted SSL, not everyonethat wanted SSL, not everyone
❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate
❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts...
❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts... ❖❖ 1,000,000 min ~ 16,667h ~ 694 days1,000,000 min ~ 16,667h ~ 694 days
❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts... ❖❖ 1,000,000 min ~ 16,667h ~ 694 days1,000,000 min ~ 16,667h ~ 694 days ❖❖ No problem :) We have thousands ofNo problem :) We have thousands of machines...machines...
❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts... ❖❖ 1,000,000 min ~ 16,667h ~ 694 days1,000,000 min ~ 16,667h ~ 694 days ❖❖ No problem :) We have thousands ofNo problem :) We have thousands of machines...machines... ❖❖ We will issue them in parallel fromWe will issue them in parallel from all servers :)all servers :)
➢ I don't remember why, but we decided to issue all certs between Christmas and New year :) SiteGroundSiteGround
Can you imagineCan you imagine the DDoSthe DDoS we caused?we caused?
❖❖ 6 Data Centers on 3 continents6 Data Centers on 3 continents
❖❖ 6 Data Centers on 3 continents6 Data Centers on 3 continents ❖❖ Every server trying to issue up toEvery server trying to issue up to 6 certificates in parallel6 certificates in parallel
❖❖ 6 Data Centers on 3 continents6 Data Centers on 3 continents ❖❖ Every server trying to issue up toEvery server trying to issue up to 6 certificates in parallel6 certificates in parallel ❖❖ Let's Encrypt did not had limitsLet's Encrypt did not had limits for this...for this...
❖❖ Needless to say... we had a callNeedless to say... we had a call from Let's Encrypt :)from Let's Encrypt :)
❖❖ They had oneThey had one SIMPLESIMPLE request:request: Implement a global limit(across allImplement a global limit(across all of our Data Centers) to issue lessof our Data Centers) to issue less then 10 certificates at the same timethen 10 certificates at the same time
❖❖ While we were again implementingWhile we were again implementing Consul lock for this...Consul lock for this... ❖❖ Let's EncryptLet's Encrypt implemented specificimplemented specific limits, because of us :)limits, because of us :) ❖❖ for a week there were intermittentfor a week there were intermittent issues with Let's Encrypt, but it wasissues with Let's Encrypt, but it was between Christmas and New year... sobetween Christmas and New year... so both we and Let's Encrypt didn't hadboth we and Let's Encrypt didn't had the people to address the issuethe people to address the issue
In March renewing became a problem :)In March renewing became a problem :) - we hit different limits- we hit different limits - number of issues of a cert with the same- number of issues of a cert with the same hostshosts - number of errors per-server- number of errors per-server - number of new certs- number of new certs
❖❖ unintentionally one of my DevOps guysunintentionally one of my DevOps guys switched from single account to oneswitched from single account to one account per serveraccount per server - now, we had a new challenge, when- now, we had a new challenge, when moving an account, we also had to movemoving an account, we also had to move its certs, because otherwise it reachesits certs, because otherwise it reaches the limit of issuesthe limit of issues - the certs were still slow to issue- the certs were still slow to issue - we had to do some changes to certbot- we had to do some changes to certbot in order to be able to finalize somein order to be able to finalize some interrupted issue of certsinterrupted issue of certs
I wrote our own certbot, calledI wrote our own certbot, called acmebot, based on Net::ACME2.acmebot, based on Net::ACME2. Next 2 months we spent adding the sameNext 2 months we spent adding the same limits that LE havelimits that LE have
While doing that...While doing that... The next wave of renewals came...The next wave of renewals came... Again we had issues.Again we had issues.
We implemented per LE account limitWe implemented per LE account limit for every server that had its ownfor every server that had its own account.account. We implemented a sliding window limit for allWe implemented a sliding window limit for all servers that use the big account.servers that use the big account.
Marian MarinovMarian Marinov mm@siteground.commm@siteground.com

Empfohlen

Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of serversMarian Marinov
 
Eduardo Silva - monkey http-server everywhere
Eduardo Silva - monkey http-server everywhereEduardo Silva - monkey http-server everywhere
Eduardo Silva - monkey http-server everywhereStarTech Conference
 
JavaScript is the new black - Why Node.js is going to rock your world - Web 2...
JavaScript is the new black - Why Node.js is going to rock your world - Web 2...JavaScript is the new black - Why Node.js is going to rock your world - Web 2...
JavaScript is the new black - Why Node.js is going to rock your world - Web 2...Tom Croucher
 
T.Pollak y C.Yaconi - Prey
T.Pollak y C.Yaconi - PreyT.Pollak y C.Yaconi - Prey
T.Pollak y C.Yaconi - PreyStarTech Conference
 
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Ontico
 
Boyan Ivanov - latency, the #1 metric of your cloud
Boyan Ivanov - latency, the #1 metric of your cloudBoyan Ivanov - latency, the #1 metric of your cloud
Boyan Ivanov - latency, the #1 metric of your cloudShapeBlue
 
Tools used for debugging
Tools used for debuggingTools used for debugging
Tools used for debuggingMarian Marinov
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 

Empfohlen

Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of serversMarian Marinov
 
Eduardo Silva - monkey http-server everywhere
Eduardo Silva - monkey http-server everywhereEduardo Silva - monkey http-server everywhere
Eduardo Silva - monkey http-server everywhereStarTech Conference
 
JavaScript is the new black - Why Node.js is going to rock your world - Web 2...
JavaScript is the new black - Why Node.js is going to rock your world - Web 2...JavaScript is the new black - Why Node.js is going to rock your world - Web 2...
JavaScript is the new black - Why Node.js is going to rock your world - Web 2...Tom Croucher
 
T.Pollak y C.Yaconi - Prey
T.Pollak y C.Yaconi - PreyT.Pollak y C.Yaconi - Prey
T.Pollak y C.Yaconi - PreyStarTech Conference
 
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Ontico
 
Boyan Ivanov - latency, the #1 metric of your cloud
Boyan Ivanov - latency, the #1 metric of your cloudBoyan Ivanov - latency, the #1 metric of your cloud
Boyan Ivanov - latency, the #1 metric of your cloudShapeBlue
 
Tools used for debugging
Tools used for debuggingTools used for debugging
Tools used for debuggingMarian Marinov
 
Dhcp security #netseckh
Dhcp security #netseckhDhcp security #netseckh
Dhcp security #netseckhHEM Sothon
 
Varnish: Making eZ Publish sites fly
Varnish: Making eZ Publish sites flyVarnish: Making eZ Publish sites fly
Varnish: Making eZ Publish sites flyPeter Keung
 
Lighting fast rails with zeus
Lighting fast rails with zeusLighting fast rails with zeus
Lighting fast rails with zeusPhilipp Fehre
 
Docker
DockerDocker
DockerKamil Grabowski
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Server-Side JavaScript Developement - Node.JS Quick Tour
Server-Side JavaScript Developement - Node.JS Quick TourServer-Side JavaScript Developement - Node.JS Quick Tour
Server-Side JavaScript Developement - Node.JS Quick Tourq3boy
 
JCache is here. Say Goodbye to proprietary Caching APIs!
JCache is here. Say Goodbye to proprietary Caching APIs!JCache is here. Say Goodbye to proprietary Caching APIs!
JCache is here. Say Goodbye to proprietary Caching APIs!Jaromir Hamala
 
Frontend Track NodeJS
Frontend Track NodeJSFrontend Track NodeJS
Frontend Track NodeJSMarcelo Serpa
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesOVHcloud
 
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...hamidsamadi
 
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Tanya Denisyuk
 
My journey from PHP to Node.js
My journey from PHP to Node.jsMy journey from PHP to Node.js
My journey from PHP to Node.jsValentin Lup
 
Getting Started with MongoDB and Node.js
Getting Started with MongoDB and Node.jsGetting Started with MongoDB and Node.js
Getting Started with MongoDB and Node.jsGrant Goodale
 
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ... Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...HighSolutions Sp. z o.o.
 
Groovy VFS
Groovy VFSGroovy VFS
Groovy VFSSchalk Cronjé
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansiblegnosek
 
體驗 Hhvm
體驗 Hhvm體驗 Hhvm
體驗 HhvmChen Cheng-Wei
 
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsRails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsJonathan Weiss
 
Vagrant and CentOS 7
Vagrant and CentOS 7Vagrant and CentOS 7
Vagrant and CentOS 7Julien Pivotto
 
Squid server
Squid serverSquid server
Squid serverRohit Phulsunge
 
Create a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBCreate a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBHengki Sihombing
 
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan KnudsenTI Safe
 
Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Tomas Doran
 

Weitere ähnliche Inhalte

Was ist angesagt?

Varnish: Making eZ Publish sites fly
Varnish: Making eZ Publish sites flyVarnish: Making eZ Publish sites fly
Varnish: Making eZ Publish sites flyPeter Keung
 
Lighting fast rails with zeus
Lighting fast rails with zeusLighting fast rails with zeus
Lighting fast rails with zeusPhilipp Fehre
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Server-Side JavaScript Developement - Node.JS Quick Tour
Server-Side JavaScript Developement - Node.JS Quick TourServer-Side JavaScript Developement - Node.JS Quick Tour
Server-Side JavaScript Developement - Node.JS Quick Tourq3boy
 
JCache is here. Say Goodbye to proprietary Caching APIs!
JCache is here. Say Goodbye to proprietary Caching APIs!JCache is here. Say Goodbye to proprietary Caching APIs!
JCache is here. Say Goodbye to proprietary Caching APIs!Jaromir Hamala
 
Frontend Track NodeJS
Frontend Track NodeJSFrontend Track NodeJS
Frontend Track NodeJSMarcelo Serpa
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesOVHcloud
 
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...hamidsamadi
 
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Tanya Denisyuk
 
My journey from PHP to Node.js
My journey from PHP to Node.jsMy journey from PHP to Node.js
My journey from PHP to Node.jsValentin Lup
 
Getting Started with MongoDB and Node.js
Getting Started with MongoDB and Node.jsGetting Started with MongoDB and Node.js
Getting Started with MongoDB and Node.jsGrant Goodale
 
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ... Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...HighSolutions Sp. z o.o.
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansiblegnosek
 
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsRails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsJonathan Weiss
 
Create a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBCreate a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBHengki Sihombing
 

Was ist angesagt? (20)

Varnish: Making eZ Publish sites fly
Varnish: Making eZ Publish sites flyVarnish: Making eZ Publish sites fly
Varnish: Making eZ Publish sites fly
 
Lighting fast rails with zeus
Lighting fast rails with zeusLighting fast rails with zeus
Lighting fast rails with zeus
 
Docker
DockerDocker
Docker
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Server-Side JavaScript Developement - Node.JS Quick Tour
Server-Side JavaScript Developement - Node.JS Quick TourServer-Side JavaScript Developement - Node.JS Quick Tour
Server-Side JavaScript Developement - Node.JS Quick Tour
 
JCache is here. Say Goodbye to proprietary Caching APIs!
JCache is here. Say Goodbye to proprietary Caching APIs!JCache is here. Say Goodbye to proprietary Caching APIs!
JCache is here. Say Goodbye to proprietary Caching APIs!
 
Frontend Track NodeJS
Frontend Track NodeJSFrontend Track NodeJS
Frontend Track NodeJS
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
 
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
JCache is here. Say goodbye to proprietary Caching API's", jDays 2015 Speaker...
 
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
 
My journey from PHP to Node.js
My journey from PHP to Node.jsMy journey from PHP to Node.js
My journey from PHP to Node.js
 
Getting Started with MongoDB and Node.js
Getting Started with MongoDB and Node.jsGetting Started with MongoDB and Node.js
Getting Started with MongoDB and Node.js
 
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ... Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
Laravel Poznań Meetup #12 - "Speed up web API with Laravel and Swoole using ...
 
Groovy VFS
Groovy VFSGroovy VFS
Groovy VFS
 
Warsztaty ansible
Warsztaty ansibleWarsztaty ansible
Warsztaty ansible
 
體驗 Hhvm
體驗 Hhvm體驗 Hhvm
體驗 Hhvm
 
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in RailsRails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
Rails Conf Europe 2007 - Utilizing Amazon S3 and EC2 in Rails
 
Vagrant and CentOS 7
Vagrant and CentOS 7Vagrant and CentOS 7
Vagrant and CentOS 7
 
Squid server
Squid serverSquid server
Squid server
 
Create a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBCreate a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDB
 

Ähnlich wie Let's Encrypt failures

[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan KnudsenTI Safe
 
Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Tomas Doran
 
We broke up with the monolith, and started dating #eventSourcing - #symfonyCat
We broke up with the monolith, and started dating #eventSourcing - #symfonyCatWe broke up with the monolith, and started dating #eventSourcing - #symfonyCat
We broke up with the monolith, and started dating #eventSourcing - #symfonyCatJavier Ferrer González
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at TuentiAndrés Viedma Peláez
 
Put a Button on It: Removing Barriers to Going Fast
Put a Button on It: Removing Barriers to Going FastPut a Button on It: Removing Barriers to Going Fast
Put a Button on It: Removing Barriers to Going FastOSCON Byrum
 
Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...
Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...
Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...Ontico
 
Introduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomiIntroduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomiMichael Rice
 
Superb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with SensuSuperb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with SensuPaul O'Connor
 
Midwest php 2013 deploying php on paas- why & how
Midwest php 2013 deploying php on paas- why & howMidwest php 2013 deploying php on paas- why & how
Midwest php 2013 deploying php on paas- why & howdotCloud
 
Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Docker, Inc.
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsJonathan Hitchcock
 
London Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben Coughlan
London Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben CoughlanLondon Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben Coughlan
London Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben CoughlanBen Coughlan
 
DevOps Naughties Style - How We DevOps at MP3.com in the Early 2000's
DevOps Naughties Style - How We DevOps at MP3.com in the Early 2000'sDevOps Naughties Style - How We DevOps at MP3.com in the Early 2000's
DevOps Naughties Style - How We DevOps at MP3.com in the Early 2000'stechopsguru
 
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...VMware Tanzu
 
Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Kris Buytaert
 
ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSISSIMeetup
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
 
Ssh that wonderful thing
Ssh that wonderful thingSsh that wonderful thing
Ssh that wonderful thingMarc Cluet
 
Networking in Kubernetes
Networking in KubernetesNetworking in Kubernetes
Networking in KubernetesMinhan Xia
 

Ähnlich wie Let's Encrypt failures (20)

[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen[CLASS 2014] Palestra Técnica - Jonathan Knudsen
[CLASS 2014] Palestra Técnica - Jonathan Knudsen
 
Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)
 
We broke up with the monolith, and started dating #eventSourcing - #symfonyCat
We broke up with the monolith, and started dating #eventSourcing - #symfonyCatWe broke up with the monolith, and started dating #eventSourcing - #symfonyCat
We broke up with the monolith, and started dating #eventSourcing - #symfonyCat
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at Tuenti
 
Put a Button on It: Removing Barriers to Going Fast
Put a Button on It: Removing Barriers to Going FastPut a Button on It: Removing Barriers to Going Fast
Put a Button on It: Removing Barriers to Going Fast
 
Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...
Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...
Как сделать высоконагруженный сервис, не зная количество нагрузки / Олег Обле...
 
Introduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomiIntroduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomi
 
Superb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with SensuSuperb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with Sensu
 
Midwest php 2013 deploying php on paas- why & how
Midwest php 2013 deploying php on paas- why & howMidwest php 2013 deploying php on paas- why & how
Midwest php 2013 deploying php on paas- why & how
 
Openvpn
OpenvpnOpenvpn
Openvpn
 
Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?Deploying PHP on PaaS: Why and How?
Deploying PHP on PaaS: Why and How?
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad Decisions
 
London Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben Coughlan
London Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben CoughlanLondon Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben Coughlan
London Hashicorp Meetup #22 - Congruent infrastructure @zopa by Ben Coughlan
 
DevOps Naughties Style - How We DevOps at MP3.com in the Early 2000's
DevOps Naughties Style - How We DevOps at MP3.com in the Early 2000'sDevOps Naughties Style - How We DevOps at MP3.com in the Early 2000's
DevOps Naughties Style - How We DevOps at MP3.com in the Early 2000's
 
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...
Communication Amongst Microservices: Kubernetes, Istio, and Spring Cloud with...
 
Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?
 
ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
Ssh that wonderful thing
Ssh that wonderful thingSsh that wonderful thing
Ssh that wonderful thing
 
Networking in Kubernetes
Networking in KubernetesNetworking in Kubernetes
Networking in Kubernetes
 

Mehr von Marian Marinov

Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingMarian Marinov
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Marian Marinov
 
Introduction and replication to DragonflyDB
Introduction and replication to DragonflyDBIntroduction and replication to DragonflyDB
Introduction and replication to DragonflyDBMarian Marinov
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMessage Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMarian Marinov
 
How to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfHow to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfMarian Marinov
 
How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home eraMarian Marinov
 
Improve your storage with bcachefs
Improve your storage with bcachefsImprove your storage with bcachefs
Improve your storage with bcachefsMarian Marinov
 
Control your service resources with systemd
Control your service resources with systemd Control your service resources with systemd
Control your service resources with systemd Marian Marinov
 
Comparison of-foss-distributed-storage
Comparison of-foss-distributed-storageComparison of-foss-distributed-storage
Comparison of-foss-distributed-storageMarian Marinov
 
Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Marian Marinov
 
Securing your MySQL server
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL serverMarian Marinov
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networksMarian Marinov
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automationMarian Marinov
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingMarian Marinov
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingMarian Marinov
 
How to build your own anycast service
How to build your own anycast serviceHow to build your own anycast service
How to build your own anycast serviceMarian Marinov
 

Mehr von Marian Marinov (20)

Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & Logging
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?Microservices: Benefits, drawbacks and are they for me?
Microservices: Benefits, drawbacks and are they for me?
 
Introduction and replication to DragonflyDB
Introduction and replication to DragonflyDBIntroduction and replication to DragonflyDB
Introduction and replication to DragonflyDB
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQMessage Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
 
How to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdfHow to successfully migrate to DevOps .pdf
How to successfully migrate to DevOps .pdf
 
How to survive in the work from home era
How to survive in the work from home eraHow to survive in the work from home era
How to survive in the work from home era
 
Managing sysadmins
Managing sysadminsManaging sysadmins
Managing sysadmins
 
Improve your storage with bcachefs
Improve your storage with bcachefsImprove your storage with bcachefs
Improve your storage with bcachefs
 
Control your service resources with systemd
Control your service resources with systemd Control your service resources with systemd
Control your service resources with systemd
 
Comparison of-foss-distributed-storage
Comparison of-foss-distributed-storageComparison of-foss-distributed-storage
Comparison of-foss-distributed-storage
 
Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?Защо и как да обогатяваме знанията си?
Защо и как да обогатяваме знанията си?
 
Securing your MySQL server
Securing your MySQL serverSecuring your MySQL server
Securing your MySQL server
 
Sysadmin vs. dev ops
Sysadmin vs. dev opsSysadmin vs. dev ops
Sysadmin vs. dev ops
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networks
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automation
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
 
How to build your own anycast service
How to build your own anycast serviceHow to build your own anycast service
How to build your own anycast service
 
Electrical workshop
Electrical workshopElectrical workshop
Electrical workshop
 

Kürzlich hochgeladen

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 

Kürzlich hochgeladen (20)

BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 

Let's Encrypt failures

  • 1. How we broke How we broke  Let's EncryptLet's Encrypt Marian MarinovMarian Marinov mm@siteground.commm@siteground.com Chief System ArchitectChief System Architect Head of the DevOps departmentHead of the DevOps department
  • 2. ❖❖ Who am I?Who am I? - Chief System Architect of SiteGround.com- Chief System Architect of SiteGround.com - Sysadmin since 1996- Sysadmin since 1996 - Organizer of OpenFest, BG Perl- Organizer of OpenFest, BG Perl Workshops, LUG-BG and othersWorkshops, LUG-BG and others - Teaching Network Security and- Teaching Network Security and Linux System AdministrationLinux System Administration courses in Sofia Universitycourses in Sofia University and SoftUniand SoftUni
  • 3.
  • 4. GoogleGoogle Sep 8, 2016 in the end of Jan.2017 it will mark sites with CC data or passwords without HTTPS as "Not secure" Jan 31, 2017 it happened Apr 27, 2017 http sites which have forms will be added to "Not secure" in October Feb 8, 2018 it will mark all HTTP sites that don't have HTTPS as "Not secure"
  • 5. ❖❖ Announced in the beginning of 2016Announced in the beginning of 2016 ❖❖ Lunched on April 12, 2016Lunched on April 12, 2016 ❖❖ SiteGround is one of the first sponsors of Let's Encrypt ❖❖ Wildcard certificates were introduced in March 2018 Let's EncryptLet's Encrypt
  • 6. SiteGroundSiteGround ❖❖ In the beginning 2016 we started working on cPanel plugin for Let's Encrypt ❖❖ In Oct 2017 we started work on wildcard certsIn Oct 2017 we started work on wildcard certs
  • 7. SiteGroundSiteGround ❖❖ In the beginning of Dec 2017 we decided to issue certs to every host that is hosted on our infrastructure...
  • 9. ❖❖ We first decided to create accountWe first decided to create account for every client that we have, sofor every client that we have, so everyone can take their own Let'severyone can take their own Let's Encrypt account with them if they areEncrypt account with them if they are leaving...leaving... Creating that many accounts:Creating that many accounts: - it was slow... so we decided to do it- it was slow... so we decided to do it in parallelin parallel - about 10 requests per server- about 10 requests per server - but all servers in the same time- but all servers in the same time
  • 10. ❖❖ We broke the infrastructure ofWe broke the infrastructure of Let's EncryptLet's Encrypt
  • 11. ❖❖ We got a call from Let's Encrypt :)We got a call from Let's Encrypt :)
  • 12. ❖❖ They had oneThey had one SIMPLESIMPLE request:request: Implement a global limit(across allImplement a global limit(across all of our Data Centers) to create max 2of our Data Centers) to create max 2 accounts per secondaccounts per second
  • 13. ❖❖ Implementing such lock, withImplementing such lock, with performance and reliability in mindperformance and reliability in mind is not simple...is not simple... ❖❖ We decided to use HashiCorp'sWe decided to use HashiCorp's Consul locking for thatConsul locking for that
  • 14. ❖❖ We have a lot of customers... suchWe have a lot of customers... such a limit was never going to bea limit was never going to be enough...enough... ❖❖ So we decided to go with a singleSo we decided to go with a single account for all servers (proposed byaccount for all servers (proposed by Let's Encrypt)Let's Encrypt)
  • 15. ❖❖ At that point everything started toAt that point everything started to work...work... ❖❖ But we issued certs only to peopleBut we issued certs only to people that wanted SSL, not everyonethat wanted SSL, not everyone
  • 16. ❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate
  • 17. ❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts...
  • 18. ❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts... ❖❖ 1,000,000 min ~ 16,667h ~ 694 days1,000,000 min ~ 16,667h ~ 694 days
  • 19. ❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts... ❖❖ 1,000,000 min ~ 16,667h ~ 694 days1,000,000 min ~ 16,667h ~ 694 days ❖❖ No problem :) We have thousands ofNo problem :) We have thousands of machines...machines...
  • 20. ❖❖ Using certbot it took around 1minUsing certbot it took around 1min to issue a single certificateto issue a single certificate ❖❖ But we had millions of hosts...But we had millions of hosts... ❖❖ 1,000,000 min ~ 16,667h ~ 694 days1,000,000 min ~ 16,667h ~ 694 days ❖❖ No problem :) We have thousands ofNo problem :) We have thousands of machines...machines... ❖❖ We will issue them in parallel fromWe will issue them in parallel from all servers :)all servers :)
  • 21. ➢ I don't remember why, but we decided to issue all certs between Christmas and New year :) SiteGroundSiteGround
  • 23. ❖❖ 6 Data Centers on 3 continents6 Data Centers on 3 continents
  • 24. ❖❖ 6 Data Centers on 3 continents6 Data Centers on 3 continents ❖❖ Every server trying to issue up toEvery server trying to issue up to 6 certificates in parallel6 certificates in parallel
  • 25. ❖❖ 6 Data Centers on 3 continents6 Data Centers on 3 continents ❖❖ Every server trying to issue up toEvery server trying to issue up to 6 certificates in parallel6 certificates in parallel ❖❖ Let's Encrypt did not had limitsLet's Encrypt did not had limits for this...for this...
  • 26. ❖❖ Needless to say... we had a callNeedless to say... we had a call from Let's Encrypt :)from Let's Encrypt :)
  • 27. ❖❖ They had oneThey had one SIMPLESIMPLE request:request: Implement a global limit(across allImplement a global limit(across all of our Data Centers) to issue lessof our Data Centers) to issue less then 10 certificates at the same timethen 10 certificates at the same time
  • 28. ❖❖ While we were again implementingWhile we were again implementing Consul lock for this...Consul lock for this... ❖❖ Let's EncryptLet's Encrypt implemented specificimplemented specific limits, because of us :)limits, because of us :) ❖❖ for a week there were intermittentfor a week there were intermittent issues with Let's Encrypt, but it wasissues with Let's Encrypt, but it was between Christmas and New year... sobetween Christmas and New year... so both we and Let's Encrypt didn't hadboth we and Let's Encrypt didn't had the people to address the issuethe people to address the issue
  • 29. In March renewing became a problem :)In March renewing became a problem :) - we hit different limits- we hit different limits - number of issues of a cert with the same- number of issues of a cert with the same hostshosts - number of errors per-server- number of errors per-server - number of new certs- number of new certs
  • 30. ❖❖ unintentionally one of my DevOps guysunintentionally one of my DevOps guys switched from single account to oneswitched from single account to one account per serveraccount per server - now, we had a new challenge, when- now, we had a new challenge, when moving an account, we also had to movemoving an account, we also had to move its certs, because otherwise it reachesits certs, because otherwise it reaches the limit of issuesthe limit of issues - the certs were still slow to issue- the certs were still slow to issue - we had to do some changes to certbot- we had to do some changes to certbot in order to be able to finalize somein order to be able to finalize some interrupted issue of certsinterrupted issue of certs
  • 31. I wrote our own certbot, calledI wrote our own certbot, called acmebot, based on Net::ACME2.acmebot, based on Net::ACME2. Next 2 months we spent adding the sameNext 2 months we spent adding the same limits that LE havelimits that LE have
  • 32. While doing that...While doing that... The next wave of renewals came...The next wave of renewals came... Again we had issues.Again we had issues.
  • 33. We implemented per LE account limitWe implemented per LE account limit for every server that had its ownfor every server that had its own account.account. We implemented a sliding window limit for allWe implemented a sliding window limit for all servers that use the big account.servers that use the big account.