let's encrypt v2 embedded ct,rm about cert's ct

Makefile

@@ -26,7 +26,7 @@ dist:
 gencert:makedir
 	@if [ ! -n "$(sans)" ]; then \
 		printf "Need one argument [sans=params]\n"; \
-		printf "example: sans=\"-d domain -d domain\"\n"; \
+		printf "example: sans=\"-d domain -d *.domain\"\n"; \
 		exit 1; \
 	fi; \
 	if [ ! -n "$(cn)" ]; then \
@@ -39,22 +39,18 @@ gencert:makedir
 	fi
 
 	@echo "generate rsa cert..."
-	@$(acme.sh) --force --issue --dns dns_ali $(sans) --log \
+	@$(acme.sh) --force --issue --dns dns_ali $(sans) \
-		--renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/venafi.sct \
+		--renew-hook "$(acme.sh) --install-cert -d $(cn) \
-		&& ct-submit ctlog.wosign.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/wosign.sct"
+			--key-file       $(config)/ssl/domain.rsa.key \
-	@$(acme.sh) --install-cert -d $(cn) \
+			--fullchain-file $(config)/ssl/domain.rsa.pem \
-		--key-file       $(config)/ssl/domain.rsa.key \
+			--reloadcmd      \"service nginx force-reload\""
-		--fullchain-file $(config)/ssl/domain.rsa.pem \
-		--reloadcmd      "service nginx force-reload"
 
 	@echo "generate ecc cert..."
-	@$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 --log \
+	@$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 \
-		--renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/venafi.sct \
+		--renew-hook "$(acme.sh) --install-cert -d $(cn) --ecc \
-		&& ct-submit ctlog.wosign.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/wosign.sct"
+			--key-file       $(config)/ssl/domain.ecc.key \
-	@$(acme.sh) --install-cert -d $(cn) --ecc \
+			--fullchain-file $(config)/ssl/domain.ecc.pem \
-		--key-file       $(config)/ssl/domain.ecc.key \
+			--reloadcmd      \"service nginx force-reload\""
-		--fullchain-file $(config)/ssl/domain.ecc.pem \
-		--reloadcmd      "service nginx force-reload"
 
 dhparams:
 	@openssl dhparam -out $(config)/ssl/dhparams.pem 2048
@@ -63,7 +59,7 @@ ssticket:
 	@openssl rand 48 > $(config)/ssl/session_ticket.key
 
 makedir:
-	@mkdir -p $(config)/ssl $(config)/scts/rsa $(config)/scts/ecc
+	@mkdir -p $(config)/ssl
 
 clean:
 

conf/nginx/domain/eiblog.conf

@@ -9,9 +9,11 @@ server {
     # ip 黑名单
     include                      /data/eiblog/conf/nginx/ip.blacklist;
 
-    # 现在一般证书是内置的。letsencrypt 暂未
+    # letsencrypt v2已内置
     # https://imququ.com/post/certificate-transparency.html#toc-2
-    ssl_ct                       on;
+    #ssl_ct                       on;
+    #ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
+    #ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;
 
     # 中间证书 + 根证书
     # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
@@ -20,10 +22,8 @@ server {
     # 站点证书 + 中间证书，私钥
     ssl_certificate              /data/eiblog/conf/ssl/domain.rsa.pem;
     ssl_certificate_key          /data/eiblog/conf/ssl/domain.rsa.key;
-    ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
     # ssl_certificate              /data/eiblog/conf/ssl/domain.ecc.pem;
     # ssl_certificate_key          /data/eiblog/conf/ssl/domain.ecc.key;
-    # ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;
 
     # openssl dhparam -out dhparams.pem 2048
     # https://weakdh.org/sysadmin.html