An approach to automatically submitting Let's Encrypt certificates to Certificate Transparency

2016-02-27 20:21:00 +08:00
sparanoid

I tried a simple approach, based on @clanned's /t/241819

Add the following at the end of letsencrypt.sh:

# Note: when acme-tiny fails to generate certs (rate limit for example), the
# following code won't run; you can run it manually via Ansible:
#
# $ ansible-playbook prepare.yml --limit hostname --tags "ct_submit"
#
# Build (or update) ct-submit. $DIRNAME, $KEY_PREFIX and $DOMAIN_CHAINED_CRT
# are the variables letsencrypt.sh defined above this point.
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
  echo "ct-submit detected, updating..."
  cd "$CT_SUBMIT_DIR" || exit 1
  git pull
  go build
else
  echo "No ct-submit detected, cloning..."
  cd /tmp/ || exit 1
  git clone https://github.com/grahamedgecombe/ct-submit.git
  cd ct-submit || exit 1
  go build
fi

# Submit the chained cert to each log; ct-submit reads the PEM chain on stdin
# and writes one binary SCT per log into the sct/<key prefix>/ directory
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting to Certificate Transparency logs..."
mkdir -p "$CT_CWD"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/aviator   <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/aviator.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/pilot     <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/pilot.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/rocketeer <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/rocketeer.sct"
"$CT_SUBMIT_DIR/ct-submit" log.certly.io               <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/certly.sct"
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"

This way the CT information is submitted automatically once the certificate has been issued.

Alternatively, you can create a standalone script that submits the CT information on its own; that way you avoid LE's rate limit:

#!/bin/bash
#
# Usage: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/domain.tld.conf
#
# Resubmits an already-issued chained cert to the CT logs without talking to
# Let's Encrypt at all, so it never counts against the LE rate limit.

CONFIG=$1

if [ -f "$CONFIG" ]; then
    # Same per-domain config that letsencrypt.sh sources; it must define DOMAIN_KEY
    . "$CONFIG"
    # Resolve to an absolute path so the cd into /tmp below can't break the cert paths
    DIRNAME=$(cd "$(dirname "$CONFIG")" && pwd)
    cd "$DIRNAME" || exit 1
else
    echo "Missing config"
    exit 1
fi

KEY_PREFIX="${DOMAIN_KEY%.*}"
DOMAIN_CHAINED_CRT="$KEY_PREFIX.chained.crt"

# Build (or update) ct-submit
CT_SUBMIT_DIR="/tmp/ct-submit"
if [ -d "$CT_SUBMIT_DIR" ]; then
  echo "ct-submit detected, updating..."
  cd "$CT_SUBMIT_DIR" || exit 1
  git pull
  go build
else
  echo "No ct-submit detected, cloning..."
  cd /tmp/ || exit 1
  git clone https://github.com/grahamedgecombe/ct-submit.git
  cd ct-submit || exit 1
  go build
fi

# Submit the chained cert to each log, one binary SCT file per log
CT_CWD="$DIRNAME/sct/$KEY_PREFIX"
echo "Submitting to Certificate Transparency logs..."
mkdir -p "$CT_CWD"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/aviator   <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/aviator.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/pilot     <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/pilot.sct"
"$CT_SUBMIT_DIR/ct-submit" ct.googleapis.com/rocketeer <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/rocketeer.sct"
"$CT_SUBMIT_DIR/ct-submit" log.certly.io               <"$DIRNAME/$DOMAIN_CHAINED_CRT" >"$CT_CWD/certly.sct"
echo -e "\e[01;32mDone: $DOMAIN_CHAINED_CRT CTs have been submitted\e[0m"

Then wrap it in Ansible:

tasks/main.yml:

- name: sync ct-submit script
  copy: src=le/le-ct-submit.sh
        dest=/etc/nginx/le/
        mode=755
  tags:
    - le
    - ct_submit

- name: run ct-submit script
  command: /etc/nginx/le/le-ct-submit.sh /etc/nginx/le/{{ item }}.conf
  with_items: "{{ ssl_sites[inventory_hostname] }}"
  notify:
    - configtest nginx
    - reload nginx
  tags:
    - le
    - ct_submit

vars/main.yml:

ssl_sites:
  hostname:
    - domain1.tld
    - domain2.tld
    - domain3.tld
3225 views
Node: SSL
13 replies
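As an added illustration of what the ct-submit call in the scripts above does for each log (example code written for this thread, not ct-submit's own source or the poster's): it builds the /ct/v1/add-chain request from the PEM chain and turns the log's JSON answer into the binary SCT encoding that each .sct file holds. The sample chain and log response are constructed (fake DER blobs and a dummy signature), not real certificates or a real log reply.

```python
import base64
import json
import re
import struct
import urllib.request

def pem_to_der_list(pem: str) -> list:
    """Return every CERTIFICATE block in a PEM file as DER bytes, leaf first."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def build_add_chain_body(pem: str) -> bytes:
    """JSON body for POST /ct/v1/add-chain: {"chain": [base64(DER), ...]}."""
    ders = pem_to_der_list(pem)
    if not ders:
        raise ValueError("no CERTIFICATE blocks in input")
    return json.dumps({"chain": [base64.b64encode(d).decode() for d in ders]}).encode()

def encode_sct(resp: dict) -> bytes:
    """Serialize an add-chain JSON response as a TLS SignedCertificateTimestamp
    (RFC 6962 s3.2): version | log_id(32) | timestamp(8) | ext_len(2)+ext | signature."""
    log_id = base64.b64decode(resp["id"])
    extensions = base64.b64decode(resp.get("extensions", ""))
    signature = base64.b64decode(resp["signature"])  # already a digitally-signed struct
    if len(log_id) != 32 or len(extensions) > 0xFFFF:
        raise ValueError("malformed SCT response")
    return (struct.pack("B", resp["sct_version"]) + log_id
            + struct.pack(">Q", resp["timestamp"])
            + struct.pack(">H", len(extensions)) + extensions + signature)

def submit_chain(log_host: str, pem: str) -> bytes:
    """POST the chain to https://<log_host>/ct/v1/add-chain and return the binary SCT."""
    req = urllib.request.Request(
        "https://" + log_host.strip("/") + "/ct/v1/add-chain",
        data=build_add_chain_body(pem), headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return encode_sct(json.load(r))

# Constructed sample data (not real certificates, not a real log answer)
SAMPLE_PEM = "".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % base64.b64encode(der).decode() for der in (b"leaf-der", b"issuer-der"))
SAMPLE_RESPONSE = {
    "sct_version": 0,
    "id": base64.b64encode(b"L" * 32).decode(),
    "timestamp": 1456576860000,
    "extensions": "",
    "signature": base64.b64encode(b"\x04\x03\x00\x02\x30\x00").decode(),
}
```

For real use, read the PEM chain from stdin and write the bytes returned by submit_chain() to the log's .sct file, exactly as the ct-submit invocations above do.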
v1024
2016-02-27 20:54:04 +08:00
I wanted to play with CT, but unfortunately Cloudflare's OpenSSL patch doesn't support the ARM platform.
shyling
2016-02-27 21:06:10 +08:00
You can try mine 0 0 , https://github.com/lingmm/ct-submit
JJaicmkmy
2016-02-27 21:14:45 +08:00
@v1024 Cloudflare's patch is for CHACHA20 support, isn't it? What does CT have to do with OpenSSL?
v1024
2016-02-27 21:29:32 +08:00
@JJaicmkmy Forgot to mention: since it's an ARM platform I want to use chacha20, but I also want CT support, so I tried that patch. LibreSSL supports chacha20 but not CT, and OpenSSL supports CT but has no chacha20...
JJaicmkmy
2016-02-27 21:34:45 +08:00
@v1024 Wait for OpenSSL 1.1; 1.1 will support CHACHA20.
LEFT
2016-02-27 21:47:13 +08:00
@JJaicmkmy There are version restrictions.
shyling
2016-02-27 22:23:45 +08:00
@v1024 You can have both at the same time =.= , my blog has chacha20+ct, using the openssl 1.0.2d patch
tSQghkfhTtQt9mtd
2016-02-27 22:43:36 +08:00
@shyling I was just about to suggest trying my friend's Python version of ct-submit
shyling
2016-02-27 23:04:47 +08:00
@liwanglin12 Aha
v1024
2016-02-27 23:08:41 +08:00
@shyling Yes, it can; what I meant is that it doesn't support ARM. With that patch applied, the build fails to compile on ARM.
shyling
2016-02-28 00:33:13 +08:00
@v1024 Aren't you using glibc?
lslqtz
2016-03-17 07:35:43 +08:00
I submit to Certificate Transparency manually.
lslqtz
2016-03-17 07:36:14 +08:00
@JJaicmkmy I'm currently using BoringSSL; before that I used LibreSSL.

https://www.v2ex.com/t/259531