let's encrypt v2 embedded ct,rm about cert's ct

2026-02-04 13:52:26 +08:00 · 2018-05-07 16:51:54 +08:00
parent 911aa963c7
commit 375d43761b
6 changed files with 16 additions and 20 deletions
--- a/28
+++ b/28
@@ -26,7 +26,7 @@ dist:
 gencert:makedir
 	@if [ ! -n "$(sans)" ]; then \
 		printf "Need one argument [sans=params]\n"; \
-		printf "example: sans=\"-d domain -d domain\"\n"; \
+		printf "example: sans=\"-d domain -d *.domain\"\n"; \
 		exit 1; \
 	fi; \
 	if [ ! -n "$(cn)" ]; then \
@@ -39,22 +39,18 @@ gencert:makedir
 	fi

 	@echo "generate rsa cert..."
-	@$(acme.sh) --force --issue --dns dns_ali $(sans) --log \
-		--renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/venafi.sct \
-		&& ct-submit ctlog.wosign.com < $(config)/ssl/domain.rsa.pem > $(config)/scts/rsa/wosign.sct"
-	@$(acme.sh) --install-cert -d $(cn) \
-		--key-file       $(config)/ssl/domain.rsa.key \
-		--fullchain-file $(config)/ssl/domain.rsa.pem \
-		--reloadcmd      "service nginx force-reload"
+	@$(acme.sh) --force --issue --dns dns_ali $(sans) \
+		--renew-hook "$(acme.sh) --install-cert -d $(cn) \
+			--key-file       $(config)/ssl/domain.rsa.key \
+			--fullchain-file $(config)/ssl/domain.rsa.pem \
+			--reloadcmd      \"service nginx force-reload\""

 	@echo "generate ecc cert..."
-	@$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 --log \
-		--renew-hook "ct-submit ctlog-gen2.api.venafi.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/venafi.sct \
-		&& ct-submit ctlog.wosign.com < $(config)/ssl/domain.ecc.pem > $(config)/scts/ecc/wosign.sct"
-	@$(acme.sh) --install-cert -d $(cn) --ecc \
-		--key-file       $(config)/ssl/domain.ecc.key \
-		--fullchain-file $(config)/ssl/domain.ecc.pem \
-		--reloadcmd      "service nginx force-reload"
+	@$(acme.sh) --force --issue --dns dns_ali $(sans) -k ec-256 \
+		--renew-hook "$(acme.sh) --install-cert -d $(cn) --ecc \
+			--key-file       $(config)/ssl/domain.ecc.key \
+			--fullchain-file $(config)/ssl/domain.ecc.pem \
+			--reloadcmd      \"service nginx force-reload\""

 dhparams:
 	@openssl dhparam -out $(config)/ssl/dhparams.pem 2048
@@ -63,7 +59,7 @@ ssticket:
 	@openssl rand 48 > $(config)/ssl/session_ticket.key

 makedir:
-	@mkdir -p $(config)/ssl $(config)/scts/rsa $(config)/scts/ecc
+	@mkdir -p $(config)/ssl

 clean:

--- a/conf/nginx/domain/eiblog.conf
+++ b/conf/nginx/domain/eiblog.conf
@@ -9,9 +9,11 @@ server {
    # ip 黑名单
    include                      /data/eiblog/conf/nginx/ip.blacklist;

-    # 现在一般证书是内置的。letsencrypt 暂未
+    # letsencrypt v2已内置
    # https://imququ.com/post/certificate-transparency.html#toc-2
-    ssl_ct                       on;
+    #ssl_ct                       on;
+    #ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
+    #ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;

    # 中间证书 + 根证书
    # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
@@ -20,10 +22,8 @@ server {
    # 站点证书 + 中间证书，私钥
    ssl_certificate              /data/eiblog/conf/ssl/domain.rsa.pem;
    ssl_certificate_key          /data/eiblog/conf/ssl/domain.rsa.key;
-    ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
    # ssl_certificate              /data/eiblog/conf/ssl/domain.ecc.pem;
    # ssl_certificate_key          /data/eiblog/conf/ssl/domain.ecc.key;
-    # ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;

    # openssl dhparam -out dhparams.pem 2048
    # https://weakdh.org/sysadmin.html
--- a/conf/scts/ecc/aviator.sct
+++ b/conf/scts/ecc/aviator.sct
--- a/conf/scts/ecc/digicert.sct
+++ b/conf/scts/ecc/digicert.sct
--- a/conf/scts/rsa/aviator.sct
+++ b/conf/scts/rsa/aviator.sct
--- a/conf/scts/rsa/digicert.sct
+++ b/conf/scts/rsa/digicert.sct