From a97115593c56d64fa7c5b3ddab0ecb0ae4131363 Mon Sep 17 00:00:00 2001 From: Pim van Pelt Date: Mon, 25 Aug 2025 09:55:40 +0000 Subject: [PATCH] Typo and readability fixes --- content/articles/2025-08-24-ctlog-3.md | 82 ++++++++++++++------------ 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/content/articles/2025-08-24-ctlog-3.md b/content/articles/2025-08-24-ctlog-3.md index 7495a2a..c7514b6 100644 --- a/content/articles/2025-08-24-ctlog-3.md +++ b/content/articles/2025-08-24-ctlog-3.md @@ -131,8 +131,9 @@ logs: ``` In the first configuration file, I'll tell _Sunlight_ (the write path component) to listen on port -`16420` and I'll tell _Skylight_ (the read path component) to listen on port `16421`. I've disabled -the automatic certificate renewals, and will handle SSL upstream: +`:16420` and I'll tell _Skylight_ (the read path component) to listen on port `:16421`. I've disabled +the automatic certificate renewals, and will handle SSL upstream. A few notes on this: + 1. Most importantly, I will be using a common frontend pool with a wildcard certificate for `*.ct.ipng.ch`. I wrote about [[DNS-01]({{< ref 2023-03-24-lego-dns01 >}})] before, it's a very convenient way for IPng to do certificate pool management. I will be sharing certificate for all log @@ -149,7 +150,7 @@ for Rennet, and a few days later, for Gouda, are operational this way. Skylight provides all the things I need to serve the data back, which is a huge help. The [[Static Log Spec](https://github.com/C2SP/C2SP/blob/main/static-ct-api.md)] is very clear on things like -compression, content-type, cache-control and other headers. Skylight makes this a breeze, as it read +compression, content-type, cache-control and other headers. Skylight makes this a breeze, as it reads a configuration file very similar to the Sunlight write-path one, and takes care of it all for me. ## TesseraCT 
@@ -157,16 +158,17 @@ a configuration file very similar to the Sunlight write-path one, and takes care {{< image width="10em" float="right" src="/assets/ctlog/tesseract-logo.png" alt="TesseraCT logo" >}} Good news came to our community on August 14th, when Google's TrustFabric team announced their Alpha -milestone of [[TesseraCT](https://blog.transparency.dev/introducing-tesseract)]. And the release +milestone of [[TesseraCT](https://blog.transparency.dev/introducing-tesseract)]. This release also moved the POSIX variant from experimental alongside the already further along GCP and AWS personalities. After playing around with it with Al and the team, I think I've learned enough to get -us going in a public instance. +us going in a public `tesseract-posix` instance. One thing I liked about Sunlight is its compact YAML file that described the pertinent bits of the system, and that I can serve any number of logs with the same process. On the other hand, TesseraCT can serve only one log per process. Both have pro's and con's, notably if any poisonous submission would be offered, Sunlight might take down all logs, while TesseraCT would only take down the log -receiving the offensive submission. On the other hand, maintaining separate processes is cumbersome. +receiving the offensive submission. On the other hand, maintaining separate processes is cumbersome, +and all log instances need to be meticulously configured. ### TesseraCT genconf @@ -179,6 +181,8 @@ Sunlight YAML configuration, and came up with a variant like this one: ``` ctlog@ctlog1:/ssd-vol0/enc/tesseract$ cat << EOF | tee tesseract-staging.yaml +listen: + - "[::]:8080" roots: /ssd-vol0/enc/tesseract/roots.pem logs: - shortname: lipase2025h2 
@@ -205,11 +209,11 @@ private key, from which the _Log ID_ and _Public Key_ can be derived. So off I g ``` ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-key -Generated /ssd-vol0/enc/tesseract/keys/lipase2025h2.pem -Generated /ssd-vol0/enc/tesseract/keys/lipase2026h1.pem -Generated /ssd-vol0/enc/tesseract/keys/lipase2026h2.pem -Generated /ssd-vol0/enc/tesseract/keys/lipase2027h1.pem -Generated /ssd-vol0/enc/tesseract/keys/lipase2027h2.pem +Creating /ssd-vol0/enc/tesseract/keys/lipase2025h2.pem +Creating /ssd-vol0/enc/tesseract/keys/lipase2026h1.pem +Creating /ssd-vol0/enc/tesseract/keys/lipase2026h2.pem +Creating /ssd-vol0/enc/tesseract/keys/lipase2027h1.pem +Creating /ssd-vol0/enc/tesseract/keys/lipase2027h2.pem ``` Of course, if a file already exists at that location, it'll just print a warning like: 
@@ -226,16 +230,16 @@ of the logs: ``` ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-html -Generated /ssd-vol0/logs/lipase2025h2/data/index.html -Generated /ssd-vol0/logs/lipase2025h2/data/log.v3.json -Generated /ssd-vol0/logs/lipase2026h1/data/index.html -Generated /ssd-vol0/logs/lipase2026h1/data/log.v3.json -Generated /ssd-vol0/logs/lipase2026h2/data/index.html -Generated /ssd-vol0/logs/lipase2026h2/data/log.v3.json -Generated /ssd-vol0/logs/lipase2027h1/data/index.html -Generated /ssd-vol0/logs/lipase2027h1/data/log.v3.json -Generated /ssd-vol0/logs/lipase2027h2/data/index.html -Generated /ssd-vol0/logs/lipase2027h2/data/log.v3.json +Creating /ssd-vol0/logs/lipase2025h2/data/index.html +Creating /ssd-vol0/logs/lipase2025h2/data/log.v3.json +Creating /ssd-vol0/logs/lipase2026h1/data/index.html +Creating /ssd-vol0/logs/lipase2026h1/data/log.v3.json +Creating /ssd-vol0/logs/lipase2026h2/data/index.html +Creating /ssd-vol0/logs/lipase2026h2/data/log.v3.json +Creating /ssd-vol0/logs/lipase2027h1/data/index.html +Creating /ssd-vol0/logs/lipase2027h1/data/log.v3.json +Creating /ssd-vol0/logs/lipase2027h2/data/index.html +Creating /ssd-vol0/logs/lipase2027h2/data/log.v3.json ``` {{< image width="60%" src="/assets/ctlog/lipase.png" alt="TesseraCT Lipase Log" >}} 
@@ -253,12 +257,14 @@ from any other running log instance, so I'll implement a `gen-roots` command: ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf gen-roots \ --source https://tuscolo2027h1.sunlight.geomys.org --output production-roots.pem Fetching roots from: https://tuscolo2027h1.sunlight.geomys.org/ct/v1/get-roots -2025/08/25 08:24:58 Warning: Failed to parse certificate, skipping: x509: negative serial number +2025/08/25 08:24:58 Warning: Failed to parse certificate,carefully skipping: x509: negative serial number +Creating production-roots.pem Successfully wrote 248 certificates to tusc.pem (out of 249 total) ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf gen-roots \ --source https://navigli2027h1.sunlight.geomys.org --output testing-roots.pem Fetching roots from: https://navigli2027h1.sunlight.geomys.org/ct/v1/get-roots +Creating testing-roots.pem Successfully wrote 82 certificates to tusc.pem (out of 82 total) ``` 
@@ -297,16 +303,16 @@ I can now implement a `gen-env` command for my tool: ``` ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-env -Generated /ssd-vol0/logs/lipase2025h2/data/roots.pem -Generated /ssd-vol0/logs/lipase2025h2/data/.env -Generated /ssd-vol0/logs/lipase2026h1/data/roots.pem -Generated /ssd-vol0/logs/lipase2026h1/data/.env -Generated /ssd-vol0/logs/lipase2026h2/data/roots.pem -Generated /ssd-vol0/logs/lipase2026h2/data/.env -Generated /ssd-vol0/logs/lipase2027h1/data/roots.pem -Generated /ssd-vol0/logs/lipase2027h1/data/.env -Generated /ssd-vol0/logs/lipase2027h2/data/roots.pem -Generated /ssd-vol0/logs/lipase2027h2/data/.env +Creating /ssd-vol0/logs/lipase2025h2/data/roots.pem +Creating /ssd-vol0/logs/lipase2025h2/data/.env +Creating /ssd-vol0/logs/lipase2026h1/data/roots.pem +Creating /ssd-vol0/logs/lipase2026h1/data/.env +Creating /ssd-vol0/logs/lipase2026h2/data/roots.pem +Creating /ssd-vol0/logs/lipase2026h2/data/.env +Creating /ssd-vol0/logs/lipase2027h1/data/roots.pem +Creating /ssd-vol0/logs/lipase2027h1/data/.env +Creating /ssd-vol0/logs/lipase2027h2/data/roots.pem +Creating /ssd-vol0/logs/lipase2027h2/data/.env ``` Looking at one of those .env files, I can show the exact commandline I'll be feeding to the 
@@ -344,14 +350,14 @@ And thus, `gen-nginx` command is born, and listens on port `:8080` for requests: ``` ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-nginx -Generated nginx config: /ssd-vol0/logs/lipase2025h2/data/lipase2025h2.mon.ct.ipng.ch.conf -Generated nginx config: /ssd-vol0/logs/lipase2026h1/data/lipase2026h1.mon.ct.ipng.ch.conf -Generated nginx config: /ssd-vol0/logs/lipase2026h2/data/lipase2026h2.mon.ct.ipng.ch.conf -Generated nginx config: /ssd-vol0/logs/lipase2027h1/data/lipase2027h1.mon.ct.ipng.ch.conf -Generated nginx config: /ssd-vol0/logs/lipase2027h2/data/lipase2027h2.mon.ct.ipng.ch.conf +Creating nginx config: /ssd-vol0/logs/lipase2025h2/data/lipase2025h2.mon.ct.ipng.ch.conf +Creating nginx config: /ssd-vol0/logs/lipase2026h1/data/lipase2026h1.mon.ct.ipng.ch.conf +Creating nginx config: /ssd-vol0/logs/lipase2026h2/data/lipase2026h2.mon.ct.ipng.ch.conf +Creating nginx config: /ssd-vol0/logs/lipase2027h1/data/lipase2027h1.mon.ct.ipng.ch.conf +Creating nginx config: /ssd-vol0/logs/lipase2027h2/data/lipase2027h2.mon.ct.ipng.ch.conf ``` -All that's left for me to do is symlink these from `/etc/nginx-sites-enabled/` and the read-path is +All that's left for me to do is symlink these from `/etc/nginx/sites-enabled/` and the read-path is off to the races. With these commands in the `tesseract-genconf` tool, I am hoping that future travelers have an easy time setting up their static log. Please let me know if you'd like to use, or contribute, to the tool. You can find me in the Transparency Dev Slack, in #ct and also #cheese.
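Review bot: in the `@@ -131,8 +131,9 @@` hunk the unchanged context line `I will be sharing certificate for all log` still lacks an article (`sharing a certificate` or `sharing the certificate`), which a typo-and-readability commit should catch alongside the `read` to `reads` fix; the blank line inserted before `1. Most importantly` is a good catch, since the numbered list otherwise renders as part of the preceding paragraph.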
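Review bot: in the `@@ -157,16 +158,17 @@` hunk the context line `Both have pro's and con's` should read `pros and cons`, and the new clause `and all log instances need to be meticulously configured` is stated as a drawback of separate processes but is true of the single-process setup too; tying it to the one-log-per-process point (for example `and each TesseraCT process needs its own configuration`) would keep the comparison with Sunlight honest.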
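Review bot: the `listen:` entry added in the `@@ -179,6 +181,8 @@` hunk, `"[::]:8080"`, binds on every address of the host, whereas the Sunlight example earlier in the article is discussed in terms of a frontend that terminates TLS in front of it; if TesseraCT is only meant to be reached through the nginx configuration the tool generates, a loopback bind such as `"[::1]:8080"` would keep the submission endpoint off the network, and either way a one-line remark saying which exposure is intended would help readers copying the YAML.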
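Review bot: in the `@@ -253,12 +257,14 @@` hunk the edited warning `Failed to parse certificate,carefully skipping:` has lost the space after the comma, and `carefully` does not read like program output; if the tool's message really changed, paste the new line verbatim, otherwise restore `Failed to parse certificate, skipping:`. In the same transcript both runs still end with `Successfully wrote ... to tusc.pem` although `--output` names `production-roots.pem` and `testing-roots.pem`, so those trailing lines look stale next to the newly added `Creating production-roots.pem` and `Creating testing-roots.pem`.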
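Review bot: the `/etc/nginx-sites-enabled/` to `/etc/nginx/sites-enabled/` correction in the `@@ -344,14 +350,14 @@` hunk is right, but the trailing context sentence `Please let me know if you'd like to use, or contribute, to the tool.` has its commas misplaced; `use, or contribute to, the tool` is the intended grouping and belongs in this readability pass.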