This repository contains Docker images and docker-compose configurations to run Google's certificate-transparency servers.
The provided certificate-transparency documentation is written assuming the user is using Google's GCP cloud. This repository aims to provide generic docker instructions that will run on any cloud environment.
Pre-built docker images can be downloaded here: https://hub.docker.com/r/lanrat/ct/
Since building the images require a LOT of build-time dependencies, I make use of a multi-stage build to Compile certificate-transparency in the lanrat/ct-build
image and then copy the binary executables into the lanrat/ct
image.
Inside the docker directory in this repository is a Makefile
which can build all the required images.
First run make docker-build
to build the lanrat/ct-build
image. Since this image will setup a ct build environment and compile everything from source it may take a while. Once it finishes run make docker
to build lanrat/ct
which is a much slimmer image containing the binaries generated from the build image. This is the docker image you are likely looking for if you came here.
Pools of certificate-transparency servers use etcd to talk to each other. For convenience I've also included a working etcd docker image in the etcd directory. Run make docker-etcd
to build lanrat/ct-etcd
to build this image.
For every etcd server you will need to run the prepare_etcd.sh
script that comes with the lanrat/ct
image. The provided Makefile provides the make etcd-populate
target which may need some modifications with your server names/ports but should do the trick.
The following examples setup a certificate-transparency server (or mirror) in various configurations using docker-compose
.
THESE EXAMPLES SHOULD NOT BE USED IN A PRODUCTION ENVIROMENT! They are only provided as an example to help you get you up and running in a test environment.
Each of these examples consists of a single example docker-compose.yml
file with just enough basic setting to get a minimal server running.
The server/
directory contains an example of a single certificate-transparency server with a single etcd node.
The server_standalone/
directory contains an example of a single certificate-transparency server in standalone mode with no etcd.
This uses a build-in fake etcd that should not be sued in production, but does work for testing.
The server_pool/
directory contains an example of a pool of certificate-transparency servers and a single etcd node.
The mirror/
directory contains an example of a single certificate-transparency mirror with a single etcd node.
You specify the mirror to clone with the --target_public_key=
and --target_log_uri=
flags.
The mirror_standalone/
directory contains an example of a single certificate-transparency mirror in standalone mode with no etcd.
This uses a build-in fake etcd that should not be sued in production, but does work for testing.
The mirror_pool/
directory contains an example of a pool of certificate-transparency mirrors and a single etcd node.
A few scripts are provided to help test/bootstrap the servers. The are not requires but I found them useful.
Generates public/private keys for a new server
Makes a request to the CT server at /ct/v1/get-sth
which returns some statistics about the server.
Downloads a site's HTTPS SSL Certificate to a local pem file. This is useful foe downloading certificate to later submit to a CT server with upload-ct-cert.sh
This script submits a local pem file to a ct server. After submitting, it may take a while (seconds to minutes depending on server configuration) for the certificate to appear in the log.