New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ctclone Fails with Incomplete CT Log Responses #1044
Comments
Thanks for the well written bug report and the attempted fix in #1045. This sounds like it should be an easy fix, but I think that appearance is deceptive. I wasn't aware of any logs trying to coerce alignment as specific indices, and the design of the cloner doesn't lend itself well to readjusting to these hints; the current design does a very greedy strategy in the I think the I'm open to receiving PRs for this. If none are forthcoming I'll try to make time for this but it's unlikely to happen in the next couple of weeks, at least. |
I agree, got actually caught up in that "deception" and still have not fixed an issue. Another option could be to run at first just one request, check it for the alignment and spin workers accordingly received result. What do you think would be the preferred way to approach the issue? |
I like your proposal to have special-casing only on startup. Once a full chunk has been fetched, then it can enter full parallel mode as it currently does, and die on incomplete chunks. The reason I like this is:
I think this approach is worth investigating. It seems strictly better than the current behaviour. Is this something you'd be able to contribute, @tired-engineer ? |
Hey, @mhutchinson, Thanks for getting back to that issue and for the feedback. I will give it a try this week, hopefully will be able to contribute. |
Sent the first implementation for review, a bit later than expected. I think it covers more or less everything we've discussed on this thread. |
… Logs (#1055) Adapt ctclone to handle the 'coerced get-entries' feature by: 1. trying to retrieve just one request 2. checking the number of returned results 3. either continue with the rest workers, or stop fetching, store the incomplete tile, and exiting, delegating to the orchestration system to start the process again. Fixes #1044 --------- Co-authored-by: Martin Hutchinson <mhutchinson@gmail.com>
Issue Description
The ctclone tool encounters failures when Certificate Transparency (CT) logs return fewer entries than requested. This issue becomes problematic during periodic ctclone operations or at the ends of the logs. At certain points, the position in the cloned log may align in such a way that the CT log returns less than the expected number of entries.
Specific Example
An instance of this issue can be observed with Sectigo's Sabre 2025h2. When a "negotiated" page size of 256 is used, the log returns only 165 entries for a specific range. This response unexpectedly brings the position to 52992 (207 * 256), causing ctclone to fail with the following error:
Additional Context
Further details about this behavior in CT logs can be found in the discussion on Let's Encrypt's forum regarding the 'coerced get-entries' feature.
Important Note
The proposed solution covers only the cases where the actual log's page size is a multiple of the requested batch size. It is assumed that the negotiated batch size requested by ctclone aligns with this multiple. If the actual page size does not conform to this pattern, additional adjustments may be required.
Edited: formatting.
The text was updated successfully, but these errors were encountered: