Getting an SCT from internal CA and CT Log


Fengchen Gong

May 6, 2021, 4:12:17 AM
to certificate-transparency
Hello, 

I'm following this post. I have deployed my own CT Log (server, signer and database) using Docker as instructed in trillian.
I used the first part of the demo script in the certificate-transparency-go repo to start up a CT personality and I am able to access the log via http://localhost:6965/athos/ct/v1/get-sth and get the STH.
I want to use the ctclient to upload a certificate to the Log.
But when I try:
ctclient -log_uri http://localhost:6965/athos -cert_chain fullchain.pem upload
It returns:
got HTTP status "404 Not Found"
exit status 1
I think my Log cannot respond to POST requests but I can't figure out why. Are there any missing steps when I set up the Log?



Phitchy Hk

May 6, 2021, 5:52:16 AM
to certificate-...@googlegroups.com
Thank you very much!

On Thu, May 6, 2021 at 15:12, Fengchen Gong <go...@stanford.edu> wrote:

Al Cutter

May 6, 2021, 7:36:52 AM
to certificate-transparency
Hi,

What you're doing seems ok, and indeed when I try locally I'm unable to reproduce your issue:

terminal 1 - Trillian
$ git log -1
commit 8627c3e93b46fa3c6e156e8f3bbd660bc26faaf4 (HEAD -> master, upstream/master, upstream/HEAD)
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Apr 29 10:11:03 2021 +0100
...
$  docker-compose -f examples/deployment/docker-compose.yml up
...

terminal 2 - ctfe
$ git log -1
commit ee49d28fa9a9afef5416b094fd508bc4db7afa2b (HEAD -> master, upstream/master, upstream/HEAD, mods)
Author: Pierre Phaneuf <>
Date:   Thu Apr 29 16:34:43 2021 +0100
...
$ cd trillian/integration
$ sed -i'.bak' "1,/@TREE_ID@/s/@TREE_ID@/${tree_id}/; 1,/@TESTDATA@/s/@TESTDATA@/..\/testdata/" demo-script.cfg
$ ./ct_server --log_config=demo-script.cfg --log_rpc_server=localhost:8090 --http_endpoint=localhost:6965 --logtostderr
I0506 12:28:20.368023 1339547 main.go:109] **** CT HTTP Server Starting ****
I0506 12:28:20.368114 1339547 main.go:162] Using regular DNS resolver
I0506 12:28:20.368124 1339547 main.go:169] Dialling backend: name:"default" backend_spec:"localhost:8090"
I0506 12:28:20.370095 1339547 main.go:294] Enabling quota for requesting IP
I0506 12:28:20.370117 1339547 main.go:304] Enabling quota for intermediate certificates
I0506 12:28:20.379970 1339547 instance.go:85] Start internal get-sth operations on athos (2254821766111564332)

terminal 3 - ctclient
$ git log -1
commit ee49d28fa9a9afef5416b094fd508bc4db7afa2b (HEAD -> master, upstream/master, upstream/HEAD, mods)
Author: Pierre Phaneuf <>
Date:   Thu Apr 29 16:34:43 2021 +0100
...
$ go run ./client/ctclient --log_uri http://localhost:6965/athos sth
2021-05-06 12:18:40.274 +0100 BST (timestamp 1620299920274): Got STH for V1 log (size=1) at http://localhost:6965/athos, hash d9bbf4c6f0fb3d466363f8a733987bd1314d916eb80e34a5fe1f15b75ca6773e
Signature: Hash=SHA256 Sign=ECDSA Value=304402202b97ad50099924b2d6e701ef92ca0dc39d4c3fb90d111eb846c26a7e759be7bf02204b78e8c8c29f6dd896821e5aad753caa61db6ebc81281fa877c81b660e4a9d43

$ go run ./client/ctclient --log_uri http://localhost:6965/athos --cert_chain ./trillian/testdata/leaf06.chain upload
Uploaded chain of 2 certs to V1 log at http://localhost:6965/athos, timestamp: 1620299920240 (2021-05-06 12:18:40.24 +0100 BST)
LogID: 96bbe2369088ff02c62f95537cadb96fc70e75b3f4600eed1a841a9398d24fda
LeafHash: d9bbf4c6f0fb3d466363f8a733987bd1314d916eb80e34a5fe1f15b75ca6773e
Signature: Signature: Hash=SHA256 Sign=ECDSA Value=304502210083398807ed91cd2c44d40a4a44f273dec48051f2a1f2544eeec438823a951dfc02200153f0098ecd905becf5147baec5a605d11a8599fa9f10d4b1f6007769085ad5
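
The add-chain request that RFC 6962 section 4.1 defines for submitting a chain to a log, shown as an added example that is not part of the original posts or of certificate-transparency-go: a POST to the log prefix plus /ct/v1/add-chain, with a JSON body carrying each certificate as base64 DER. AddChainURL, AddChainBody and the placeholder chain bytes are names and data constructed here; printing the URL and body makes it possible to compare them with what a log answering 404 actually serves.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// addChainRequest is the JSON body defined in RFC 6962 section 4.1.
type addChainRequest struct {
	Chain []string `json:"chain"`
}

// AddChainURL appends the RFC 6962 v1 add-chain path to a log URI,
// tolerating a trailing slash on the prefix.
func AddChainURL(logURI string) string {
	return strings.TrimRight(logURI, "/") + "/ct/v1/add-chain"
}

// AddChainBody converts a PEM chain (leaf first) into the JSON body:
// each CERTIFICATE block becomes one base64-encoded DER string.
func AddChainBody(pemChain []byte) ([]byte, error) {
	var req addChainRequest
	for block, rest := pem.Decode(pemChain); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM objects in the file
		}
		req.Chain = append(req.Chain, base64.StdEncoding.EncodeToString(block.Bytes))
	}
	if len(req.Chain) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found in input")
	}
	return json.Marshal(req)
}

// constructedChain holds placeholder bytes (constructed), not real certificates.
const constructedChain = "-----BEGIN CERTIFICATE-----\nAQID\n-----END CERTIFICATE-----\n" +
	"-----BEGIN CERTIFICATE-----\nBAUG\n-----END CERTIFICATE-----\n"

func main() {
	body, err := AddChainBody([]byte(constructedChain))
	fmt.Println("POST", AddChainURL("http://localhost:6965/athos"))
	fmt.Println(string(body), err)
}
```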

Fengchen Gong

May 6, 2021, 12:23:27 PM
to certificate-transparency
Followed what you did and it worked. Thank you very much!

Al Cutter

May 6, 2021, 12:38:16 PM
to certificate-transparency
Ah, great - I'm glad, you're welcome!

Cheers,
Al.

Fengchen Gong

May 13, 2021, 1:36:02 AM
to certificate-transparency
Hi, 

I want to ask about embedding an SCT into a certificate. From what I saw, ct can handle that. I wonder if the ctclient can also handle that? Or if I use ct to interact with the log, can I use the same deployment? Thanks!
 