Investigate support for storing SCT in a file #3
Comments
Nginx with a custom plugin:
That's two. Still, at some point LE will start stapling SCTs to OCSP responses (which can be stapled themselves): letsencrypt/boulder#592
Yep, it's a low priority IMHO. Last time I checked some CA considered distributing SCT via TLS extensions to be the "correct approach" though. See: https://forum.startcom.org/viewtopic.php?p=21381&sid=3ca262ae78a1e69f299c08ff9990e015#p21381
I've been using a live-updated hook to achieve this together with ct-submit. Here's the hook: https://gist.github.com/grahamedgecombe/a9d662911c45445001ee93378d011ac9 It's not a perfect solution: the live symlink has already been swapped by the time live-updated is called. If one of the log servers you submit to is down, you could end up using the certificate without having the desired number of SCTs. It only supports the SCT file format used by Apache and the nginx-ct module. HAProxy uses a different format and isn't supported. It'd also be nice if it used a human-readable file name for the
Neat. I've added a mention to the user guide's third-party resources section.
What webservers can consume this, besides HAProxy?