Typo and readability fixes
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
Pim van Pelt
@@ -131,8 +131,9 @@ logs:
|
|||||||
```
|
```
|
||||||
|
|
||||||
In the first configuration file, I'll tell _Sunlight_ (the write path component) to listen on port
|
In the first configuration file, I'll tell _Sunlight_ (the write path component) to listen on port
|
||||||
`16420` and I'll tell _Skylight_ (the read path component) to listen on port `16421`. I've disabled
|
`:16420` and I'll tell _Skylight_ (the read path component) to listen on port `:16421`. I've disabled
|
||||||
the automatic certificate renewals, and will handle SSL upstream:
|
the automatic certificate renewals, and will handle SSL upstream. A few notes on this:
|
||||||
|
|
||||||
1. Most importantly, I will be using a common frontend pool with a wildcard certificate for
|
1. Most importantly, I will be using a common frontend pool with a wildcard certificate for
|
||||||
`*.ct.ipng.ch`. I wrote about [[DNS-01]({{< ref 2023-03-24-lego-dns01 >}})] before, it's a very
|
`*.ct.ipng.ch`. I wrote about [[DNS-01]({{< ref 2023-03-24-lego-dns01 >}})] before, it's a very
|
||||||
convenient way for IPng to do certificate pool management. I will be sharing certificate for all log
|
convenient way for IPng to do certificate pool management. I will be sharing certificate for all log
|
||||||
@@ -149,7 +150,7 @@ for Rennet, and a few days later, for Gouda, are operational this way.
|
|||||||
|
|
||||||
Skylight provides all the things I need to serve the data back, which is a huge help. The [[Static
|
Skylight provides all the things I need to serve the data back, which is a huge help. The [[Static
|
||||||
Log Spec](https://github.com/C2SP/C2SP/blob/main/static-ct-api.md)] is very clear on things like
|
Log Spec](https://github.com/C2SP/C2SP/blob/main/static-ct-api.md)] is very clear on things like
|
||||||
compression, content-type, cache-control and other headers. Skylight makes this a breeze, as it read
|
compression, content-type, cache-control and other headers. Skylight makes this a breeze, as it reads
|
||||||
a configuration file very similar to the Sunlight write-path one, and takes care of it all for me.
|
a configuration file very similar to the Sunlight write-path one, and takes care of it all for me.
|
||||||
|
|
||||||
## TesseraCT
|
## TesseraCT
|
||||||
@@ -157,16 +158,17 @@ a configuration file very similar to the Sunlight write-path one, and takes care
|
|||||||
{{< image width="10em" float="right" src="/assets/ctlog/tesseract-logo.png" alt="TesseraCT logo" >}}
|
{{< image width="10em" float="right" src="/assets/ctlog/tesseract-logo.png" alt="TesseraCT logo" >}}
|
||||||
|
|
||||||
Good news came to our community on August 14th, when Google's TrustFabric team announced their Alpha
|
Good news came to our community on August 14th, when Google's TrustFabric team announced their Alpha
|
||||||
milestone of [[TesseraCT](https://blog.transparency.dev/introducing-tesseract)]. And the release
|
milestone of [[TesseraCT](https://blog.transparency.dev/introducing-tesseract)]. This release
|
||||||
also moved the POSIX variant from experimental alongside the already further along GCP and AWS
|
also moved the POSIX variant from experimental alongside the already further along GCP and AWS
|
||||||
personalities. After playing around with it with Al and the team, I think I've learned enough to get
|
personalities. After playing around with it with Al and the team, I think I've learned enough to get
|
||||||
us going in a public instance.
|
us going in a public `tesseract-posix` instance.
|
||||||
|
|
||||||
One thing I liked about Sunlight is its compact YAML file that described the pertinent bits of the
|
One thing I liked about Sunlight is its compact YAML file that described the pertinent bits of the
|
||||||
system, and that I can serve any number of logs with the same process. On the other hand, TesseraCT
|
system, and that I can serve any number of logs with the same process. On the other hand, TesseraCT
|
||||||
can serve only one log per process. Both have pro's and con's, notably if any poisonous submission
|
can serve only one log per process. Both have pro's and con's, notably if any poisonous submission
|
||||||
would be offered, Sunlight might take down all logs, while TesseraCT would only take down the log
|
would be offered, Sunlight might take down all logs, while TesseraCT would only take down the log
|
||||||
receiving the offensive submission. On the other hand, maintaining separate processes is cumbersome.
|
receiving the offensive submission. On the other hand, maintaining separate processes is cumbersome,
|
||||||
|
and all log instances need to be meticulously configured.
|
||||||
|
|
||||||
|
|
||||||
### TesseraCT genconf
|
### TesseraCT genconf
|
||||||
@@ -179,6 +181,8 @@ Sunlight YAML configuration, and came up with a variant like this one:
|
|||||||
|
|
||||||
```
|
```
|
||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ cat << EOF | tee tesseract-staging.yaml
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ cat << EOF | tee tesseract-staging.yaml
|
||||||
|
listen:
|
||||||
|
- "[::]:8080"
|
||||||
roots: /ssd-vol0/enc/tesseract/roots.pem
|
roots: /ssd-vol0/enc/tesseract/roots.pem
|
||||||
logs:
|
logs:
|
||||||
- shortname: lipase2025h2
|
- shortname: lipase2025h2
|
||||||
@@ -205,11 +209,11 @@ private key, from which the _Log ID_ and _Public Key_ can be derived. So off I g
|
|||||||
|
|
||||||
```
|
```
|
||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-key
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-key
|
||||||
Generated /ssd-vol0/enc/tesseract/keys/lipase2025h2.pem
|
Creating /ssd-vol0/enc/tesseract/keys/lipase2025h2.pem
|
||||||
Generated /ssd-vol0/enc/tesseract/keys/lipase2026h1.pem
|
Creating /ssd-vol0/enc/tesseract/keys/lipase2026h1.pem
|
||||||
Generated /ssd-vol0/enc/tesseract/keys/lipase2026h2.pem
|
Creating /ssd-vol0/enc/tesseract/keys/lipase2026h2.pem
|
||||||
Generated /ssd-vol0/enc/tesseract/keys/lipase2027h1.pem
|
Creating /ssd-vol0/enc/tesseract/keys/lipase2027h1.pem
|
||||||
Generated /ssd-vol0/enc/tesseract/keys/lipase2027h2.pem
|
Creating /ssd-vol0/enc/tesseract/keys/lipase2027h2.pem
|
||||||
```
|
```
|
||||||
|
|
||||||
Of course, if a file already exists at that location, it'll just print a warning like:
|
Of course, if a file already exists at that location, it'll just print a warning like:
|
||||||
@@ -226,16 +230,16 @@ of the logs:
|
|||||||
|
|
||||||
```
|
```
|
||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-html
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-html
|
||||||
Generated /ssd-vol0/logs/lipase2025h2/data/index.html
|
Creating /ssd-vol0/logs/lipase2025h2/data/index.html
|
||||||
Generated /ssd-vol0/logs/lipase2025h2/data/log.v3.json
|
Creating /ssd-vol0/logs/lipase2025h2/data/log.v3.json
|
||||||
Generated /ssd-vol0/logs/lipase2026h1/data/index.html
|
Creating /ssd-vol0/logs/lipase2026h1/data/index.html
|
||||||
Generated /ssd-vol0/logs/lipase2026h1/data/log.v3.json
|
Creating /ssd-vol0/logs/lipase2026h1/data/log.v3.json
|
||||||
Generated /ssd-vol0/logs/lipase2026h2/data/index.html
|
Creating /ssd-vol0/logs/lipase2026h2/data/index.html
|
||||||
Generated /ssd-vol0/logs/lipase2026h2/data/log.v3.json
|
Creating /ssd-vol0/logs/lipase2026h2/data/log.v3.json
|
||||||
Generated /ssd-vol0/logs/lipase2027h1/data/index.html
|
Creating /ssd-vol0/logs/lipase2027h1/data/index.html
|
||||||
Generated /ssd-vol0/logs/lipase2027h1/data/log.v3.json
|
Creating /ssd-vol0/logs/lipase2027h1/data/log.v3.json
|
||||||
Generated /ssd-vol0/logs/lipase2027h2/data/index.html
|
Creating /ssd-vol0/logs/lipase2027h2/data/index.html
|
||||||
Generated /ssd-vol0/logs/lipase2027h2/data/log.v3.json
|
Creating /ssd-vol0/logs/lipase2027h2/data/log.v3.json
|
||||||
```
|
```
|
||||||
|
|
||||||
{{< image width="60%" src="/assets/ctlog/lipase.png" alt="TesseraCT Lipase Log" >}}
|
{{< image width="60%" src="/assets/ctlog/lipase.png" alt="TesseraCT Lipase Log" >}}
|
||||||
@@ -253,12 +257,14 @@ from any other running log instance, so I'll implement a `gen-roots` command:
|
|||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf gen-roots \
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf gen-roots \
|
||||||
--source https://tuscolo2027h1.sunlight.geomys.org --output production-roots.pem
|
--source https://tuscolo2027h1.sunlight.geomys.org --output production-roots.pem
|
||||||
Fetching roots from: https://tuscolo2027h1.sunlight.geomys.org/ct/v1/get-roots
|
Fetching roots from: https://tuscolo2027h1.sunlight.geomys.org/ct/v1/get-roots
|
||||||
2025/08/25 08:24:58 Warning: Failed to parse certificate, skipping: x509: negative serial number
|
2025/08/25 08:24:58 Warning: Failed to parse certificate,carefully skipping: x509: negative serial number
|
||||||
|
Creating production-roots.pem
|
||||||
Successfully wrote 248 certificates to tusc.pem (out of 249 total)
|
Successfully wrote 248 certificates to tusc.pem (out of 249 total)
|
||||||
|
|
||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf gen-roots \
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf gen-roots \
|
||||||
--source https://navigli2027h1.sunlight.geomys.org --output testing-roots.pem
|
--source https://navigli2027h1.sunlight.geomys.org --output testing-roots.pem
|
||||||
Fetching roots from: https://navigli2027h1.sunlight.geomys.org/ct/v1/get-roots
|
Fetching roots from: https://navigli2027h1.sunlight.geomys.org/ct/v1/get-roots
|
||||||
|
Creating testing-roots.pem
|
||||||
Successfully wrote 82 certificates to tusc.pem (out of 82 total)
|
Successfully wrote 82 certificates to tusc.pem (out of 82 total)
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -297,16 +303,16 @@ I can now implement a `gen-env` command for my tool:
|
|||||||
|
|
||||||
```
|
```
|
||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-env
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-env
|
||||||
Generated /ssd-vol0/logs/lipase2025h2/data/roots.pem
|
Creating /ssd-vol0/logs/lipase2025h2/data/roots.pem
|
||||||
Generated /ssd-vol0/logs/lipase2025h2/data/.env
|
Creating /ssd-vol0/logs/lipase2025h2/data/.env
|
||||||
Generated /ssd-vol0/logs/lipase2026h1/data/roots.pem
|
Creating /ssd-vol0/logs/lipase2026h1/data/roots.pem
|
||||||
Generated /ssd-vol0/logs/lipase2026h1/data/.env
|
Creating /ssd-vol0/logs/lipase2026h1/data/.env
|
||||||
Generated /ssd-vol0/logs/lipase2026h2/data/roots.pem
|
Creating /ssd-vol0/logs/lipase2026h2/data/roots.pem
|
||||||
Generated /ssd-vol0/logs/lipase2026h2/data/.env
|
Creating /ssd-vol0/logs/lipase2026h2/data/.env
|
||||||
Generated /ssd-vol0/logs/lipase2027h1/data/roots.pem
|
Creating /ssd-vol0/logs/lipase2027h1/data/roots.pem
|
||||||
Generated /ssd-vol0/logs/lipase2027h1/data/.env
|
Creating /ssd-vol0/logs/lipase2027h1/data/.env
|
||||||
Generated /ssd-vol0/logs/lipase2027h2/data/roots.pem
|
Creating /ssd-vol0/logs/lipase2027h2/data/roots.pem
|
||||||
Generated /ssd-vol0/logs/lipase2027h2/data/.env
|
Creating /ssd-vol0/logs/lipase2027h2/data/.env
|
||||||
```
|
```
|
||||||
|
|
||||||
Looking at one of those .env files, I can show the exact commandline I'll be feeding to the
|
Looking at one of those .env files, I can show the exact commandline I'll be feeding to the
|
||||||
@@ -344,14 +350,14 @@ And thus, `gen-nginx` command is born, and listens on port `:8080` for requests:
|
|||||||
|
|
||||||
```
|
```
|
||||||
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-nginx
|
ctlog@ctlog1:/ssd-vol0/enc/tesseract$ tesseract-genconf -c tesseract-staging.yaml gen-nginx
|
||||||
Generated nginx config: /ssd-vol0/logs/lipase2025h2/data/lipase2025h2.mon.ct.ipng.ch.conf
|
Creating nginx config: /ssd-vol0/logs/lipase2025h2/data/lipase2025h2.mon.ct.ipng.ch.conf
|
||||||
Generated nginx config: /ssd-vol0/logs/lipase2026h1/data/lipase2026h1.mon.ct.ipng.ch.conf
|
Creating nginx config: /ssd-vol0/logs/lipase2026h1/data/lipase2026h1.mon.ct.ipng.ch.conf
|
||||||
Generated nginx config: /ssd-vol0/logs/lipase2026h2/data/lipase2026h2.mon.ct.ipng.ch.conf
|
Creating nginx config: /ssd-vol0/logs/lipase2026h2/data/lipase2026h2.mon.ct.ipng.ch.conf
|
||||||
Generated nginx config: /ssd-vol0/logs/lipase2027h1/data/lipase2027h1.mon.ct.ipng.ch.conf
|
Creating nginx config: /ssd-vol0/logs/lipase2027h1/data/lipase2027h1.mon.ct.ipng.ch.conf
|
||||||
Generated nginx config: /ssd-vol0/logs/lipase2027h2/data/lipase2027h2.mon.ct.ipng.ch.conf
|
Creating nginx config: /ssd-vol0/logs/lipase2027h2/data/lipase2027h2.mon.ct.ipng.ch.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
All that's left for me to do is symlink these from `/etc/nginx-sites-enabled/` and the read-path is
|
All that's left for me to do is symlink these from `/etc/nginx/sites-enabled/` and the read-path is
|
||||||
off to the races. With these commands in the `tesseract-genconf` tool, I am hoping that future
|
off to the races. With these commands in the `tesseract-genconf` tool, I am hoping that future
|
||||||
travelers have an easy time setting up their static log. Please let me know if you'd like to use, or
|
travelers have an easy time setting up their static log. Please let me know if you'd like to use, or
|
||||||
contribute, to the tool. You can find me in the Transparency Dev Slack, in #ct and also #cheese.
|
contribute, to the tool. You can find me in the Transparency Dev Slack, in #ct and also #cheese.
|
||||||
|
|||||||
Reference in New Issue
Block a user