Let’s Encrypt 自动提交 Certificate Transparency 的一个思路

This topic created in 3733 days ago, the information mentioned may be changed or developed.

我试了一个简单的方法，基于 @clanned 的 /t/241819

在 letsencrypt.sh 结尾处增加：

# Note: when acme-tiny fails to generate certs (rate limit for example), the # following code won't run, you can run it mannally via Ansible: # # $ ansible-playbook prepare.yml --limit hostname --tags "ct_submit" # # Generate CT CT_SUBMIT_DIR="/tmp/ct-submit" if [ -d "$CT_SUBMIT_DIR" ]; then echo "ct-submit detected, updating..." cd $CT_SUBMIT_DIR git pull go build else echo "No ct-submit detected, cloning..." cd /tmp/ git clone https://github.com/grahamedgecombe/ct-submit.git cd ct-submit go build fi CT_CWD="$DIRNAME/sct/$KEY_PREFIX" echo "Submitting Certificates Transparency..." mkdir -p "$CT_CWD" $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/aviator <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/aviator.sct $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/pilot <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/pilot.sct $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/rocketeer <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/rocketeer.sct $CT_SUBMIT_DIR/ct-submit log.certly.io <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/certly.sct echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"

这样签证完毕会自动提交 CT 信息

另外也可以创建独立的脚本，单独提交 CT 信息，这样可以避免 LE 的 rate limit ：

#!/bin/bash # # Usage: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/domain.tld.conf CONFIG=$1 if [ -f "$CONFIG" ];then . "$CONFIG" DIRNAME=$(dirname "$CONFIG") cd/span> "$DIRNAME" else echo "Missing config" exit 1 fi KEY_PREFIX="${DOMAIN_KEY%.*}" DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt" # Generate CT CT_SUBMIT_DIR="/tmp/ct-submit" if [ -d "$CT_SUBMIT_DIR" ]; then echo "ct-submit detected, updating..." cd $CT_SUBMIT_DIR git pull go build else echo "No ct-submit detected, cloning..." cd /tmp/ git clone https://github.com/grahamedgecombe/ct-submit.git cd ct-submit go build fi CT_CWD="$DIRNAME/sct/$KEY_PREFIX" echo "Submitting Certificates Transparency..." mkdir -p "$CT_CWD" $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/aviator <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/aviator.sct $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/pilot <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/pilot.sct $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/rocketeer <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/rocketeer.sct $CT_SUBMIT_DIR/ct-submit log.certly.io <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/certly.sct echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"

然后可以套在 Ansible ：

tasks/main.yml:

- name: sync ct-submit script copy: src=le/le-ct-submit.sh dest=/etc/nginx/le/ mode=755 tags: - le - ct_submit - name: run ct-submit script command: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/{{ item }}.conf with_items: "{{ ssl_sites[inventory_hostname] }}" notify: - configtest nginx - reload nginx tags: - le - ct_submit

vars/main.yml:

ssl_sites: hostname: - domain1.tld - domain2.tld - domain3.tld

13 replies 2016-03-17 07:36:14 +08:00

v1024

Feb 27, 2016

想玩一下 CT 来的，可惜 cloudflare 的 openssl patch 不支持 ARM 平台

shyling

Feb 27, 2016

可以试试我的这个 0 0 ， https://github.com/lingmm/ct-submit

JJaicmkmy

Feb 27, 2016 via iPhone

@v1024 Cloudflare 的 patch 是用来支持 CHACHA20 的吧， CT 和 OpenSSL 有什么关系？

v1024

Feb 27, 2016

@JJaicmkmy 忘了说，因为是 ARM 平台，所以想用 chacha20 ，但是又想支持 CT ，就尝试了这个 patch 。 LibreSSL 支持 chacha20 但不支持 CT ， OpenSSL 支持 CT 但没有 chacha20 。。

JJaicmkmy

Feb 27, 2016 via iPhone

@v1024 等 OpenSSL 1.1 吧， 1.1 就支持 CHACHA20 了。

LEFT

Feb 27, 2016 via iPhone

@JJaicmkmy 有版本限制

shyling

Feb 27, 2016

@v1024 可以同时支持的吧=。=，我博客就有 chacha20+ct ，用的 openssl 1.0.2d 的 patch

tSQghkfhTtQt9mtd

Feb 27, 2016

@shyling 正准备说试试我朋友的 python 版 ct-submit

shyling

Feb 27, 2016

@liwanglin12 啊哈

v1024

Feb 27, 2016

@shyling 是可以，我说的是不支持 ARM ， ARM 平台打了那个补丁无法成功编译。

shyling

Feb 28, 2016 via iPad

@v1024 难道用的不是 glibc?

lslqtz

Mar 17, 2016

我是手动提交 Certificate Transparency 的

lslqtz

Mar 17, 2016

@JJaicmkmy 我目前在用 BoringSSL 之前用 LibreSSL