Skip to content

Commit

Permalink
let's encrypt v2 embedded ct,rm about cert's ct
Browse files Browse the repository at this point in the history
  • Loading branch information
henry.chen committed May 7, 2018
1 parent 911aa96 commit 375d437
Show file tree
Hide file tree
Showing 6 changed files with 16 additions and 20 deletions.
28 changes: 12 additions & 16 deletions Makefile
View file
Expand Up @@ -26,7 +26,7 @@ dist:
gencert:makedir
@if [ ! -n "$(sans)" ]; then \
printf "Need one argument [sans=params]\n"; \
printf "example: sans=\"-d domain -d domain\"\n"; \
printf "example: sans=\"-d domain -d *.domain\"\n"; \
exit 1; \
fi; \
if [ ! -n "$(cn)" ]; then \
Expand All @@ -39,22 +39,18 @@ gencert:makedir
fi

@echo "generate rsa cert..."
@$(acme.sh) --force --issue --dns dns_ali $(sans) --log \
--renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/venafi.sct \
&& ct-submit ctlog.wosign.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/wosign.sct"
@$(acme.sh) --install-cert -d $(cn) \
--key-file $(config)/ssl/domain.rsa.key \
--fullchain-file $(config)/ssl/domain.rsa.pem \
--reloadcmd "service nginx force-reload"
@$(acme.sh) --force --issue --dns dns_ali $(sans) \
--renew-hook "$(acme.sh) --install-cert -d $(cn) \
--key-file $(config)/ssl/domain.rsa.key \
--fullchain-file $(config)/ssl/domain.rsa.pem \
--reloadcmd \"service nginx force-reload\""

@echo "generate ecc cert..."
@$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 --log \
--renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/venafi.sct \
&& ct-submit ctlog.wosign.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/wosign.sct"
@$(acme.sh) --install-cert -d $(cn) --ecc \
--key-file $(config)/ssl/domain.ecc.key \
--fullchain-file $(config)/ssl/domain.ecc.pem \
--reloadcmd "service nginx force-reload"
@$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 \
--renew-hook "$(acme.sh) --install-cert -d $(cn) --ecc \
--key-file $(config)/ssl/domain.ecc.key \
--fullchain-file $(config)/ssl/domain.ecc.pem \
--reloadcmd \"service nginx force-reload\""

dhparams:
@openssl dhparam -out $(config)/ssl/dhparams.pem 2048
Expand All @@ -63,7 +59,7 @@ ssticket:
@openssl rand 48 > $(config)/ssl/session_ticket.key

makedir:
@mkdir -p $(config)/ssl $(config)/scts/rsa $(config)/scts/ecc
@mkdir -p $(config)/ssl

clean:

8 changes: 4 additions & 4 deletions conf/nginx/domain/eiblog.conf
View file
Expand Up @@ -9,9 +9,11 @@ server {
# ip 黑名单
include /data/eiblog/conf/nginx/ip.blacklist;

# 现在一般证书是内置的。letsencrypt 暂未
# letsencrypt v2已内置
# https://imququ.com/post/certificate-transparency.html#toc-2
ssl_ct on;
#ssl_ct on;
#ssl_ct_static_scts /data/eiblog/conf/scts/rsa/;
#ssl_ct_static_scts /data/eiblog/conf/scts/ecc/;

# 中间证书 + 根证书
# https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
Expand All @@ -20,10 +22,8 @@ server {
# 站点证书 + 中间证书,私钥
ssl_certificate /data/eiblog/conf/ssl/domain.rsa.pem;
ssl_certificate_key /data/eiblog/conf/ssl/domain.rsa.key;
ssl_ct_static_scts /data/eiblog/conf/scts/rsa/;
# ssl_certificate /data/eiblog/conf/ssl/domain.ecc.pem;
# ssl_certificate_key /data/eiblog/conf/ssl/domain.ecc.key;
# ssl_ct_static_scts /data/eiblog/conf/scts/ecc/;

# openssl dhparam -out dhparams.pem 2048
# https://weakdh.org/sysadmin.html
Expand Down
Binary file removed conf/scts/ecc/aviator.sct
View file
Binary file not shown.
Binary file removed conf/scts/ecc/digicert.sct
View file
Binary file not shown.
Binary file removed conf/scts/rsa/aviator.sct
View file
Binary file not shown.
Binary file removed conf/scts/rsa/digicert.sct
View file
Binary file not shown.

0 comments on commit 375d437

Please sign in to comment.