V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
sparanoid
V2EX  ›  SSL

Let’s Encrypt 自动提交 Certificate Transparency 的一个思路

  •  
  •   sparanoid · 2016-02-27 20:21:00 +08:00 · 3230 次点击
    这是一个创建于 3193 天前的主题,其中的信息可能已经有所发展或是发生改变。

    我试了一个简单的方法,基于 @clanned 的 /t/241819

    letsencrypt.sh 结尾处增加:

    # Note: when acme-tiny fails to generate certs (rate limit for example), the
    # following code won't run, you can run it mannally via Ansible:
    #
    # $ ansible-playbook prepare.yml --limit hostname --tags "ct_submit"
    #
    # Generate CT
    CT_SUBMIT_DIR="/tmp/ct-submit"
    if [ -d "$CT_SUBMIT_DIR" ]; then
      echo "ct-submit detected, updating..."
      cd $CT_SUBMIT_DIR
      git pull
      go build
    else
      echo "No ct-submit detected, cloning..."
      cd /tmp/
      git clone https://github.com/grahamedgecombe/ct-submit.git
      cd ct-submit
      go build
    fi
    
    CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
    echo "Submitting Certificates Transparency..."
    mkdir -p "$CT_CWD"
    $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/aviator   <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/aviator.sct
    $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/pilot     <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/pilot.sct
    $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/rocketeer <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/rocketeer.sct
    $CT_SUBMIT_DIR/ct-submit log.certly.io               <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/certly.sct
    echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"
    

    这样签证完毕会自动提交 CT 信息

    另外也可以创建独立的脚本,单独提交 CT 信息,这样可以避免 LE 的 rate limit :

    #!/bin/bash
    #
    # Usage: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/domain.tld.conf
    
    CONFIG=$1
    
    if [ -f "$CONFIG" ];then
        . "$CONFIG"
        DIRNAME=$(dirname "$CONFIG")
        cd "$DIRNAME"
    else
        echo "Missing config"
        exit 1
    fi
    
    KEY_PREFIX="${DOMAIN_KEY%.*}"
    DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"
    
    # Generate CT
    CT_SUBMIT_DIR="/tmp/ct-submit"
    if [ -d "$CT_SUBMIT_DIR" ]; then
      echo "ct-submit detected, updating..."
      cd $CT_SUBMIT_DIR
      git pull
      go build
    else
      echo "No ct-submit detected, cloning..."
      cd /tmp/
      git clone https://github.com/grahamedgecombe/ct-submit.git
      cd ct-submit
      go build
    fi
    
    CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
    echo "Submitting Certificates Transparency..."
    mkdir -p "$CT_CWD"
    $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/aviator   <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/aviator.sct
    $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/pilot     <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/pilot.sct
    $CT_SUBMIT_DIR/ct-submit ct.googleapis.com/rocketeer <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/rocketeer.sct
    $CT_SUBMIT_DIR/ct-submit log.certly.io               <$DIRNAME/$DOMAIN_CHAINED_CRT >$CT_CWD/certly.sct
    echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"
    

    然后可以套在 Ansible :

    tasks/main.yml:

    - name: sync ct-submit script
      copy: src=le/le-ct-submit.sh
            dest=/etc/nginx/le/
            mode=755
      tags:
        - le
        - ct_submit
    
    - name: run ct-submit script
      command: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/{{ item }}.conf
      with_items: "{{ ssl_sites[inventory_hostname] }}"
      notify:
        - configtest nginx
        - reload nginx
      tags:
        - le
        - ct_submit
    

    vars/main.yml:

    ssl_sites:
      hostname:
        - domain1.tld
        - domain2.tld
        - domain3.tld
    
    13 条回复    2016-03-17 07:36:14 +08:00
    v1024
        1
    v1024  
       2016-02-27 20:54:04 +08:00
    想玩一下 CT 来的,可惜 cloudflare 的 openssl patch 不支持 ARM 平台
    shyling
        2
    shyling  
       2016-02-27 21:06:10 +08:00
    可以试试我的这个 0 0 , https://github.com/lingmm/ct-submit
    JJaicmkmy
        3
    JJaicmkmy  
       2016-02-27 21:14:45 +08:00 via iPhone
    @v1024 Cloudflare 的 patch 是用来支持 CHACHA20 的吧, CT 和 OpenSSL 有什么关系?
    v1024
        4
    v1024  
       2016-02-27 21:29:32 +08:00
    @JJaicmkmy 忘了说,因为是 ARM 平台,所以想用 chacha20 ,但是又想支持 CT ,就尝试了这个 patch 。 LibreSSL 支持 chacha20 但不支持 CT , OpenSSL 支持 CT 但没有 chacha20 。。
    JJaicmkmy
        5
    JJaicmkmy  
       2016-02-27 21:34:45 +08:00 via iPhone
    @v1024 等 OpenSSL 1.1 吧, 1.1 就支持 CHACHA20 了。
    LEFT
        6
    LEFT  
       2016-02-27 21:47:13 +08:00 via iPhone
    @JJaicmkmy 有版本限制
    shyling
        7
    shyling  
       2016-02-27 22:23:45 +08:00
    @v1024 可以同时支持的吧=。=,我博客就有 chacha20+ct ,用的 openssl 1.0.2d 的 patch
    tSQghkfhTtQt9mtd
        8
    tSQghkfhTtQt9mtd  
       2016-02-27 22:43:36 +08:00
    @shyling 正准备说试试我朋友的 python 版 ct-submit
    shyling
        9
    shyling  
       2016-02-27 23:04:47 +08:00
    @liwanglin12 啊哈
    v1024
        10
    v1024  
       2016-02-27 23:08:41 +08:00
    @shyling 是可以,我说的是不支持 ARM , ARM 平台打了那个补丁无法成功编译。
    shyling
        11
    shyling  
       2016-02-28 00:33:13 +08:00 via iPad
    @v1024 难道用的不是 glibc?
    lslqtz
        12
    lslqtz  
       2016-03-17 07:35:43 +08:00
    我是手动提交 Certificate Transparency 的
    lslqtz
        13
    lslqtz  
       2016-03-17 07:36:14 +08:00
    @JJaicmkmy 我目前在用 BoringSSL 之前用 LibreSSL
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   888 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 21:40 · PVG 05:40 · LAX 13:40 · JFK 16:40
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.