certificate-transparency/cheese
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
425b485f5f5575504d8bb6e1ec89807d1b1fbe50
cheese/README.md
Pim van Pelt 6b11481739 Add --diff and --write flags to README
2025-08-28 13:12:57 +02:00

91 lines
3.0 KiB
Markdown
Raw Blame History

# Cheese
A Certificate Transparency log configuration and deployment tool for Google's [[TesseraCT](github.com/transparency-dev/tesseract)] implementation. It tries to look and feel a little like the one provided by [[Sunlight](https://github.com/FiloSottile/sunlight)].
## Configuration Generator
The `tesseract/genconf` tool generates CT log configuration files and keys from a YAML specification
in a very similar way to Sunlight.
### Usage
1. **Build the tool:**
```bash
go build -o tesseract-genconf ./tesseract/genconf/
```
2. **Create YAML configuration file:**
```yaml
listen:
- "[::]:8080"
roots: /etc/tesseract/roots.pem
logs:
- shortname: example2025h1
listen: "[::]:16900"
inception: 2025-01-01
submissionprefix: https://example2025h1.log.ct.example.com
monitoringprefix: https://example2025h1.mon.ct.example.com
extraroots: /etc/tesseract/extra-roots.pem
secret: /etc/tesseract/keys/example2025h1.pem
localdirectory: /var/lib/tesseract/example2025h1/data
notafterstart: 2025-01-01T00:00:00Z
notafterlimit: 2025-07-01T00:00:00Z
```
3. **Generate private keys:**
```bash
mkdir -p /etc/tesseract/keys
./tesseract-genconf -c config.yaml --write gen-key
```
4. **Create directories and generate environment files:**
```bash
mkdir -p /var/lib/tesseract/example2025h1/data
./tesseract-genconf -c config.yaml --write gen-env
```
5. **Generate HTML and JSON files:**
```bash
./tesseract-genconf -c config.yaml --write gen-html
```
6. **Generate nginx configuration files:**
```bash
./tesseract-genconf -c config.yaml --write gen-nginx
```
The port from the main `listen:` field will be used in the NGINX server blocks (in our case
`:8080`). You can symlink the generated $monitoringprefix.conf files from `/etc/nginx/sites-enabled/`.
7. **Generate root certificates (optional):**
```bash
# For testing/staging environment, take the ccadb 'testing' roots
./tesseract-genconf gen-roots --source https://rennet2027h2.log.ct.ipng.ch/ --output roots-staging.pem
# For production environment, take the ccadb 'production' roots
./tesseract-genconf gen-roots --source https://gouda2027h2.log.ct.ipng.ch/ --output roots-production.pem
```
### Safe File Operations with `--diff` and `--write`
The `tesseract-genconf` tool includes safety features to prevent accidental file modifications:
- **`--diff`**: Shows colored unified diffs of what would change without writing files
- **`--write`**: Required flag to actually write files to disk
- **`--no-color`**: Disables colored diff output (useful for redirecting to files)
**Recommended workflow:**
```bash
# 1. First, preview changes with --diff
./tesseract-genconf -c config.yaml --diff gen-html
# 2. Review the colored diff output, then apply changes
./tesseract-genconf -c config.yaml --write gen-html
# 3. Or combine both to see diffs and write files
./tesseract-genconf -c config.yaml --diff --write gen-html
```
**Note:** Flags must come before the command name (e.g., `--diff gen-html`, not `gen-html --diff`).
Reference in New Issue View Git Blame Copy Permalink