
I tried a simple approach, based on @clanned's /t/241819.
Append the following at the end of letsencrypt.sh:
# Note: when acme-tiny fails to generate certs (rate limit, for example), the
# following code won't run; you can run it manually via Ansible:
#
#   $ ansible-playbook prepare.yml --limit hostname --tags "ct_submit"
#

# Generate CT
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
    echo "ct-submit detected, updating..."
    cd "$CT_SUBMIT_DIR"
    git pull
    go build
else
    echo "No ct-submit detected, cloning..."
    cd /tmp/
    git clone https://github.com/grahamedgecombe/ct-submit.git
    cd ct-submit
    go build
fi

# $DIRNAME, $KEY_PREFIX and $DOMAIN_CHAINED_CRT are set earlier in letsencrypt.sh
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting Certificates Transparency..."
mkdir -p "$CT_CWD"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/aviator   <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/aviator.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/pilot     <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/pilot.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/rocketeer <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/rocketeer.sct"
"$CT_SUBMIT_DIR/ct-submit" log.certly.io               <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/certly.sct"
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"

This way the CT information is submitted automatically as soon as the certificate has been issued.
Alternatively, you can create a standalone script that submits the CT information on its own, which avoids LE's rate limit:
#!/bin/bash
#
# Usage: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/domain.tld.conf

CONFIG="$1"
if [ -f "$CONFIG" ]; then
    . "$CONFIG"
    # resolve to an absolute path, because the script cd's into /tmp below
    DIRNAME=$(cd "$(dirname "$CONFIG")" && pwd)
    cd "$DIRNAME"
else
    echo "Missing config"
    exit 1
fi

KEY_PREFIX="${DOMAIN_KEY%.*}"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"

# Generate CT
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
    echo "ct-submit detected, updating..."
    cd "$CT_SUBMIT_DIR"
    git pull
    go build
else
    echo "No ct-submit detected, cloning..."
    cd /tmp/
    git clone https://github.com/grahamedgecombe/ct-submit.git
    cd ct-submit
    go build
fi

CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting Certificates Transparency..."
mkdir -p "$CT_CWD"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/aviator   <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/aviator.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/pilot     <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/pilot.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/rocketeer <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/rocketeer.sct"
"$CT_SUBMIT_DIR/ct-submit" log.certly.io               <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/certly.sct"
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"

Then you can wrap it in Ansible:
tasks/main.yml:
- name: sync ct-submit script
  copy: src=le/le-ct-submit.sh dest=/etc/nginx/le/ mode=755
  tags:
    - le
    - ct_submit

- name: run ct-submit script
  command: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/{{ item }}.conf
  with_items: "{{ ssl_sites[inventory_hostname] }}"
  notify:
    - configtest nginx
    - reload nginx
  tags:
    - le
    - ct_submit

vars/main.yml:
ssl_sites:
  hostname:
    - domain1.tld
    - domain2.tld
    - domain3.tld

1 v1024 2016-02-27 20:54:04 +08:00 I wanted to play with CT, but unfortunately Cloudflare's OpenSSL patch doesn't support the ARM platform
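The .sct files that the original post's script writes are TLS-encoded SignedCertificateTimestamp structures (RFC 6962), which is the format nginx-ct reads. The example below is added here and is not ct-submit's code or anything posted in the thread: it builds the add-chain request that a log expects, encodes the log's JSON reply into that binary SCT format, and decodes an .sct file back so you can check what the script wrote. The log URL is a parameter you supply (logs rotate, so take it from a current log list), and the sample PEM chain and sample reply are constructed placeholders, not real certificates or a real log signature; only the encode/decode path runs offline.

```python
"""Build an RFC 6962 add-chain request and handle the binary SCT format.
Added example; not ct-submit's code. The sample chain and reply below are
constructed, not real certificates or a real log's signature."""
import base64
import json
import struct
import urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_chain_to_der(pem_text):
    """Split a chained .crt (leaf first, then intermediates) into DER blobs."""
    ders = []
    for block in pem_text.split(PEM_BEGIN)[1:]:
        body = block.split(PEM_END)[0]
        ders.append(base64.b64decode("".join(body.split())))
    if not ders:
        raise ValueError("no certificates found in PEM input")
    return ders


def add_chain_body(ders):
    """JSON body for POST /ct/v1/add-chain: {"chain": [base64 DER, ...]}."""
    return json.dumps({"chain": [base64.b64encode(d).decode() for d in ders]}).encode()


def encode_sct(resp):
    """Serialise an add-chain reply as a TLS-encoded SCT (RFC 6962 s3.2):
    version(1) | log_id(32) | timestamp(8, ms, big-endian) |
    extensions(2-byte length + data) | DigitallySigned signature.
    The reply's "signature" field is already the DigitallySigned blob
    (hash alg, sig alg, 2-byte length, signature), so it is appended as-is."""
    if resp["sct_version"] != 0:
        raise ValueError("only SCT v1 (sct_version 0) is defined")
    log_id = base64.b64decode(resp["id"])
    if len(log_id) != 32:
        raise ValueError("log id must be 32 bytes")
    ext = base64.b64decode(resp.get("extensions", ""))
    sig = base64.b64decode(resp["signature"])
    return (bytes([0]) + log_id + struct.pack(">Q", resp["timestamp"])
            + struct.pack(">H", len(ext)) + ext + sig)


def decode_sct(blob):
    """Parse a binary .sct file back into its fields (sanity check on output)."""
    if blob[0] != 0:
        raise ValueError("unsupported SCT version %d" % blob[0])
    log_id = blob[1:33]
    (timestamp,) = struct.unpack(">Q", blob[33:41])
    (ext_len,) = struct.unpack(">H", blob[41:43])
    ext = blob[43:43 + ext_len]
    p = 43 + ext_len
    hash_alg, sig_alg = blob[p], blob[p + 1]          # TLS 1.2 registry ids
    (sig_len,) = struct.unpack(">H", blob[p + 2:p + 4])
    sig = blob[p + 4:p + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {"log_id": log_id, "timestamp": timestamp, "extensions": ext,
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": sig}


def submit_chain(log_url, pem_text):
    """POST the chain to a log (network call) and return the binary SCT."""
    req = urllib.request.Request(
        log_url.rstrip("/") + "/ct/v1/add-chain",
        data=add_chain_body(pem_chain_to_der(pem_text)),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return encode_sct(json.load(r))


# Constructed inputs for offline use: fake "certificates" and a fake reply
# whose signature is hash alg 4 (sha256), sig alg 3 (ecdsa), 5 placeholder bytes.
SAMPLE_PEM = (PEM_BEGIN + "\n" + base64.b64encode(b"constructed-leaf").decode()
              + "\n" + PEM_END + "\n" + PEM_BEGIN + "\n"
              + base64.b64encode(b"constructed-issuer").decode() + "\n" + PEM_END + "\n")
SAMPLE_RESPONSE = {
    "sct_version": 0,
    "id": base64.b64encode(bytes(range(32))).decode(),
    "timestamp": 1456577644000,
    "extensions": "",
    "signature": base64.b64encode(bytes([4, 3]) + struct.pack(">H", 5)
                                  + b"\x30\x03\x02\x01\x01").decode(),
}


def sample_sct():
    """Encode the constructed reply; 52 bytes for the sample above."""
    return encode_sct(SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(decode_sct(sample_sct()))
```

To use it for real, call submit_chain("https://<log host>", open("domain.chained.crt").read()) for each log you want and write the returned bytes to the .sct path the post's script uses; decode_sct over an existing .sct file is a quick way to confirm the file is a well-formed SCT and not an error page captured by the shell redirect.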
2 shyling 2016-02-27 21:06:10 +08:00 You could try mine 0 0, https://github.com/lingmm/ct-submit
3 JJaicmkmy 2016-02-27 21:14:45 +08:00 via iPhone @v1024 Cloudflare's patch is there to support CHACHA20, isn't it? What does CT have to do with OpenSSL?
4 v1024 2016-02-27 21:29:32 +08:00 @JJaicmkmy Forgot to mention: since it's an ARM platform I want to use chacha20, but I also want CT support, so I tried this patch. LibreSSL supports chacha20 but not CT; OpenSSL supports CT but not chacha20..
7 shyling 2016-02-27 22:23:45 +08:00 @v1024 You can have both at the same time =.=; my blog runs chacha20+ct, using the patch for openssl 1.0.2d
8 tSQghkfhTtQt9mtd 2016-02-27 22:43:36 +08:00 @shyling I was just about to suggest trying my friend's Python version of ct-submit
9 shyling 2016-02-27 23:04:47 +08:00 @liwanglin12 Aha
12 lslqtz 2016-03-17 07:35:43 +08:00 I submit to Certificate Transparency manually