Let’s Encrypt 自动提交 Certificate Transparency 的一个思路
sparanoid · 2016-02-27 20:21:00 +08:00 · 3230 次点击这是一个创建于 3193 天前的主题,其中的信息可能已经有所发展或是发生改变。
我试了一个简单的方法,基于 @clanned 的 /t/241819
在 letsencrypt.sh 结尾处增加:
# Note: when acme-tiny fails to generate certs (rate limit for example), the
# following code won't run, you can run it mannally via Ansible:
#
# $ ansible-playbook prepare.yml --limit hostname --tags "ct_submit"
#
# Generate CT
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
echo "ct-submit detected, updating..."
cd $CT_SUBMIT_DIR
git pull
go build
else
echo "No ct-submit detected, cloning..."
cd /tmp/
git clone https://github.com/grahamedgecombe/ct-submit.git
cd ct-submit
go build
fi
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting Certificates Transparency..."
mkdir -p "$CT_CWD"
$CT_SUBMIT_DIR/ct-submit ct.googleapis.com/aviator <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/aviator.sct
$CT_SUBMIT_DIR/ct-submit ct.googleapis.com/pilot <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/pilot.sct
$CT_SUBMIT_DIR/ct-submit ct.googleapis.com/rocketeer <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/rocketeer.sct
$CT_SUBMIT_DIR/ct-submit log.certly.io <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/certly.sct
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"
这样签证完毕会自动提交 CT 信息
另外也可以创建独立的脚本,单独提交 CT 信息,这样可以避免 LE 的 rate limit :
#!/bin/bash
#
# Usage: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/domain.tld.conf
CONFIG=$1
if [ -f "$CONFIG" ];then
. "$CONFIG"
DIRNAME=$(dirname "$CONFIG")
cd "$DIRNAME"
else
echo "Missing config"
exit 1
fi
KEY_PREFIX="${DOMAIN_KEY%.*}"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"
# Generate CT
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
echo "ct-submit detected, updating..."
cd $CT_SUBMIT_DIR
git pull
go build
else
echo "No ct-submit detected, cloning..."
cd /tmp/
git clone https://github.com/grahamedgecombe/ct-submit.git
cd ct-submit
go build
fi
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting Certificates Transparency..."
mkdir -p "$CT_CWD"
$CT_SUBMIT_DIR/ct-submit ct.googleapis.com/aviator <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/aviator.sct
$CT_SUBMIT_DIR/ct-submit ct.googleapis.com/pilot <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/pilot.sct
$CT_SUBMIT_DIR/ct-submit ct.googleapis.com/rocketeer <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/rocketeer.sct
$CT_SUBMIT_DIR/ct-submit log.certly.io <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/certly.sct
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"
然后可以套在 Ansible :
tasks/main.yml:
- name: sync ct-submit script
copy: src=le/le-ct-submit.sh
dest=/etc/nginx/le/
mode=755
tags:
- le
- ct_submit
- name: run ct-submit script
command: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/{{ item }}.conf
with_items: "{{ ssl_sites[inventory_hostname] }}"
notify:
- configtest nginx
- reload nginx
tags:
- le
- ct_submit
vars/main.yml:
ssl_sites:
hostname:
- domain1.tld
- domain2.tld
- domain3.tld
 |
1
v1024 2016-02-27 20:54:04 +08:00
想玩一下 CT 来的,可惜 cloudflare 的 openssl patch 不支持 ARM 平台
|
 |
2
shyling 2016-02-27 21:06:10 +08:00
可以试试我的这个 0 0 , https://github.com/lingmm/ct-submit
|
 |
3
JJaicmkmy 2016-02-27 21:14:45 +08:00 via iPhone
@v1024 Cloudflare 的 patch 是用来支持 CHACHA20 的吧, CT 和 OpenSSL 有什么关系?
|
|
4
v1024 2016-02-27 21:29:32 +08:00
@JJaicmkmy 忘了说,因为是 ARM 平台,所以想用 chacha20 ,但是又想支持 CT ,就尝试了这个 patch 。 LibreSSL 支持 chacha20 但不支持 CT , OpenSSL 支持 CT 但没有 chacha20 。。
|
|
7
shyling 2016-02-27 22:23:45 +08:00
@v1024 可以同时支持的吧=。=,我博客就有 chacha20+ct ,用的 openssl 1.0.2d 的 patch
|
 |
8
tSQghkfhTtQt9mtd 2016-02-27 22:43:36 +08:00
@shyling 正准备说试试我朋友的 python 版 ct-submit
 |
|
9
shyling 2016-02-27 23:04:47 +08:00
@liwanglin12 啊哈
|
 |
12
lslqtz 2016-03-17 07:35:43 +08:00
我是手动提交 Certificate Transparency 的
|
Select Language