From 375d43761b0b52f8bea506e28677aa2ea6a204e5 Mon Sep 17 00:00:00 2001
From: "henry.chen"
Date: Mon, 7 May 2018 16:51:54 +0800
Subject: [PATCH] let's encrypt v2 embedded ct,rm about cert's ct
---
 Makefile | 28 ++++++++++++----------------
 conf/nginx/domain/eiblog.conf | 8 ++++----
 conf/scts/ecc/aviator.sct | Bin 117 -> 0 bytes
 conf/scts/ecc/digicert.sct | Bin 118 -> 0 bytes
 conf/scts/rsa/aviator.sct | Bin 117 -> 0 bytes
 conf/scts/rsa/digicert.sct | Bin 118 -> 0 bytes
 6 files changed, 16 insertions(+), 20 deletions(-)
 delete mode 100644 conf/scts/ecc/aviator.sct
 delete mode 100644 conf/scts/ecc/digicert.sct
 delete mode 100644 conf/scts/rsa/aviator.sct
 delete mode 100644 conf/scts/rsa/digicert.sct
diff --git a/Makefile b/Makefile
index 057042e..99e5687 100644
--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,7 @@ dist:
 gencert:makedir
 @if [ ! -n "$(sans)" ]; then \
 printf "Need one argument [sans=params]\n"; \
- printf "example: sans=\"-d domain -d domain\"\n"; \
+ printf "example: sans=\"-d domain -d *.domain\"\n"; \
 exit 1; \
 fi; \
 if [ ! -n "$(cn)" ]; then \
@@ -39,22 +39,18 @@ gencert:makedir
 fi
 @echo "generate rsa cert..."
- @$(acme.sh) --force --issue --dns dns_ali $(sans) --log \
- --renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/venafi.sct \
- && ct-submit ctlog.wosign.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/wosign.sct"
- @$(acme.sh) --install-cert -d $(cn) \
- --key-file $(config)/ssl/domain.rsa.key \
- --fullchain-file $(config)/ssl/domain.rsa.pem \
- --reloadcmd "service nginx force-reload"
+ @$(acme.sh) --force --issue --dns dns_ali $(sans) \
+ --renew-hook "$(acme.sh) --install-cert -d $(cn) \
+ --key-file $(config)/ssl/domain.rsa.key \
+ --fullchain-file $(config)/ssl/domain.rsa.pem \
+ --reloadcmd \"service nginx force-reload\""
 @echo "generate ecc cert..."
- @$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 --log \
- --renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/venafi.sct \
- && ct-submit ctlog.wosign.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/wosign.sct"
- @$(acme.sh) --install-cert -d $(cn) --ecc \
- --key-file $(config)/ssl/domain.ecc.key \
- --fullchain-file $(config)/ssl/domain.ecc.pem \
- --reloadcmd "service nginx force-reload"
+ @$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 \
+ --renew-hook "$(acme.sh) --install-cert -d $(cn) --ecc \
+ --key-file $(config)/ssl/domain.ecc.key \
+ --fullchain-file $(config)/ssl/domain.ecc.pem \
+ --reloadcmd \"service nginx force-reload\""
 dhparams:
 @openssl dhparam -out $(config)/ssl/dhparams.pem 2048
@@ -63,7 +59,7 @@ ssticket:
 @openssl rand 48 > $(config)/ssl/session_ticket.key
 makedir:
- @mkdir -p $(config)/ssl $(config)/scts/rsa $(config)/scts/ecc
+ @mkdir -p $(config)/ssl
 clean:
diff --git a/conf/nginx/domain/eiblog.conf b/conf/nginx/domain/eiblog.conf
index 178ca41..efb1d0d 100644
--- a/conf/nginx/domain/eiblog.conf
+++ b/conf/nginx/domain/eiblog.conf
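Review bot: Folding `--install-cert` into `--renew-hook` means a first `make gencert` no longer copies the key and fullchain into `$(config)/ssl/`, because as far as I recall acme.sh executes the renew hook only on a renewal and not on `--issue`; the ecc block a few lines further down has the same problem. The removed lines had it right for first issuance: a standalone `--install-cert` after each `--issue`, and since acme.sh records the install paths and `--reloadcmd` in its domain config and re-applies them when it renews, the renew-hook wrapper is then redundant rather than required. If the hook is kept anyway, the nested `\"service nginx force-reload\"` quoting only survives if acme.sh evaluates the hook through a shell, so run one forced renewal by hand before trusting the cron job with it; a comment such as `# acme.sh re-runs --install-cert and --reloadcmd on every renewal, no hook needed` would record why. The gencert recipe starts outside the hunk.
```make
	@echo "generate rsa cert..."
	@$(acme.sh) --force --issue --dns dns_ali $(sans)
	@$(acme.sh) --install-cert -d $(cn) \
		--key-file $(config)/ssl/domain.rsa.key \
		--fullchain-file $(config)/ssl/domain.rsa.pem \
		--reloadcmd "service nginx force-reload"
	@echo "generate ecc cert..."
	# … unchanged shape for the ecc cert: --issue with -k ec-256, then --install-cert with --ecc …
```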
@@ -9,9 +9,11 @@ server { # ip 黑名单 include /data/eiblog/conf/nginx/ip.blacklist; - # 现在一般证书是内置的。letsencrypt 暂未 + # letsencrypt v2已内置 # https://imququ.com/post/certificate-transparency.html#toc-2 - ssl_ct on; + #ssl_ct on; + #ssl_ct_static_scts /data/eiblog/conf/scts/rsa/; + #ssl_ct_static_scts /data/eiblog/conf/scts/ecc/; # 中间证书 + 根证书 # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html @@ -20,10 +22,8 @@ server { # 站点证书 + 中间证书,私钥 ssl_certificate /data/eiblog/conf/ssl/domain.rsa.pem; ssl_certificate_key /data/eiblog/conf/ssl/domain.rsa.key; - ssl_ct_static_scts /data/eiblog/conf/scts/rsa/; # ssl_certificate /data/eiblog/conf/ssl/domain.ecc.pem; # ssl_certificate_key /data/eiblog/conf/ssl/domain.ecc.key; - # ssl_ct_static_scts /data/eiblog/conf/scts/ecc/; # openssl dhparam -out dhparams.pem 2048 # https://weakdh.org/sysadmin.html diff --git a/conf/scts/ecc/aviator.sct b/conf/scts/ecc/aviator.sct deleted file mode 100644 index e67443907bfa8ddf2fae906414175057ee5720e1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 117 zcmV-*0E+(rX!e-+A7p~QI*jhQC>>1vaZz1olhj1f3TLdlPfz>A00043xvJFr000C7 z07fuG0w8)We!JSqfUoBEyWI>=Hq$ybN?I##f3mbnaw}tWVzB}s58x<{$nPyftbG2+ XoeDX(b5ZsF^&jQZlhX!T**;NSQ(QK` diff --git a/conf/scts/ecc/digicert.sct b/conf/scts/ecc/digicert.sct deleted file mode 100644 index f3cd6af926da3df8b2b1e5413da577f7fa9a456a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 118 zcmV-+0EzzqRul%BFW18C)AixKM6y1|Ms~TpnGsyT@06HT)``&F00043xvOSC000C7 z07o!I0wDm>1vaZz1olhj1f3TLdlPfz>A00043xvJFr000C7 z07fuG0w8)We!JSqfUoBEyWI>=Hq$ybN?I##f3mbnaw}tWVzB}s58x<{$nPyftbG2+ XoeDX(b5ZsF^&jQZlhX!T**;NSQ(QK` 
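Review bot: The three `#ssl_ct` lines kept in the server block still name `/data/eiblog/conf/scts/rsa/` and `/data/eiblog/conf/scts/ecc/`, directories whose files this commit deletes and which the Makefile's `makedir` target no longer creates, so anyone uncommenting them later hands nginx-ct a directory that does not exist. Since the point of the change is that the certificate itself now carries the SCTs, dropping the dead directives and replacing them with one explanatory comment, e.g. `# CT: Let's Encrypt embeds SCTs in the certificate, so nginx-ct (ssl_ct / ssl_ct_static_scts) is no longer needed`, documents the decision without leaving a stale path behind. It also makes explicit that the nginx-ct module is now an optional build dependency. The server block begins and ends outside the hunk.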
diff --git a/conf/scts/rsa/digicert.sct b/conf/scts/rsa/digicert.sct deleted file mode 100644 index f3cd6af926da3df8b2b1e5413da577f7fa9a456a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 118 zcmV-+0EzzqRul%BFW18C)AixKM6y1|Ms~TpnGsyT@06HT)``&F00043xvOSC000C7 z07o!I0wDm