CT Log Inclusion check: get-entry-and-proof unexpectedly returns "Not found"


Felix Linker

May 1, 2024, 1:18:17 PM
to dev-secur...@mozilla.org
Hi everyone,

I encountered an oddity with an inclusion of a certificate of mine in a CT log. Namely, I would like to check the inclusion of this certificate (https://crt.sh/?id=12905498367) in the Yeti 2024 log. It should be included in that log because there is an SCT from that log.

If I query for the certificate's hash at the log (hash computed using my code), the log returns a leaf index: https://yeti2024.ct.digicert.com/log/ct/v1/get-proof-by-hash?hash=MGjihrSBitsZpxw3LNGIdA7SMKEWdDSp7i0r8WoO1zw=&tree_size=879757777

However, when I use that leaf index to query for the certificate (and its proof) the response is "Not Found": https://yeti2024.ct.digicert.com/log/ct/v1/get-entry-and-proof?leaf_index=878032114&tree_size=879757777

I presume the log is still auditable because it returns a proof of inclusion by the certificate's hash. However, I would expect the latter query to not fail. Am I missing something? These queries succeed for the other SCT of the certificate.

Thanks, and best,
Felix

Andrew Ayer

May 2, 2024, 6:29:41 PM
to Felix Linker, dev-secur...@mozilla.org
Hi Felix,
The get-entry-and-proof endpoint is effectively optional. RFC 6962 says
"this API is probably only useful for debugging", which led some log
operators to omit support for it, and no browser operator has mandated
support for it (yet). You should be able to obtain this log entry
using the get-entries endpoint instead.

(By the way, the best mailing list for issues about browser-recognized CT
logs is https://groups.google.com/a/chromium.org/g/ct-policy)

Regards,
Andrew
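The check that does still work here, verifying the audit path that get-proof-by-hash returns against the log's signed tree head, is an added example (not code from either poster or from the log operator). It implements the RFC 6962 leaf/node hashing and audit path construction and the RFC 9162 inclusion-proof verification algorithm over a small constructed tree; the leaf inputs are made up for the demonstration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(leaf_input: bytes) -> bytes:
    # RFC 6962 s2.1: leaves get a 0x00 prefix; leaf_input is the TLS-encoded
    # MerkleTreeLeaf (the "leaf_input" field that get-entries returns).
    return _h(b"\x00" + leaf_input)

def merkle_tree_hash(hashes: list) -> bytes:
    # MTH over leaf hashes; interior nodes get a 0x01 prefix (domain separation).
    n = len(hashes)
    if n == 1:
        return hashes[0]
    k = 1
    while 2 * k < n:
        k *= 2  # largest power of two smaller than n
    return _h(b"\x01" + merkle_tree_hash(hashes[:k]) + merkle_tree_hash(hashes[k:]))

def audit_path(m: int, hashes: list) -> list:
    # PATH(m, D[n]) from RFC 6962 s2.1.1: the "audit_path" that get-proof-by-hash returns.
    n = len(hashes)
    if n == 1:
        return []
    k = 1
    while 2 * k < n:
        k *= 2
    if m < k:
        return audit_path(m, hashes[:k]) + [merkle_tree_hash(hashes[k:])]
    return audit_path(m - k, hashes[k:]) + [merkle_tree_hash(hashes[:k])]

def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int, path: list, root: bytes) -> bool:
    # RFC 9162 s2.1.3.2: fold the path back up to the root; fn tracks the leaf's
    # position and sn the last index, which decides left/right at each level.
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = _h(b"\x01" + p + r)
            while fn != 0 and not fn & 1:  # no-op when LSB(fn) is set
                fn, sn = fn >> 1, sn >> 1
        else:
            r = _h(b"\x01" + r + p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

Against a real log, base64-decode the leaf hash, each "audit_path" element and the STH's "sha256_root_hash" before calling verify_inclusion, and take tree_size and the root from the same signed tree head. Note that the algorithm trusts those two values; it proves the leaf is in that tree, not that tree_size itself is consistent with earlier heads.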

Felix Linker

May 3, 2024, 3:45:44 AM
to Andrew Ayer, dev-secur...@mozilla.org
Thanks for the pointer, Andrew!

Best,
Felix