Opened 8 months ago

Last modified 8 months ago

#33602 new task

monitor certificate transparency log

Reported by: anarcat
Owned by:
Priority: Low
Milestone:
Component: Internal Services/Services Admin Team
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by anarcat)

we should use something like SSLMate.com or certspotter to monitor certificates issued in our place.

https://github.com/SSLMate/certspotter

this could be run on nevii, nagios or pauli. it's unclear what we should do with the output; there will possibly be lots of false positives, as the certificates will appear in our logs every time one of our certs is (legitimately) renewed.

it's a debian package since buster. i ran a test locally, and it's basically:

sed 's/ /\n/g;/^#/d;/^ *$/d' letsencryt-domains/domains  | sort | certspotter -watchlist -

the key trick, however, is to *not* warn *when* a new cert is renewed. therefore we would need to be somewhat clever and recognize our own certificates in there and filter those out.
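An added example (not part of the ticket or of certspotter itself) of the two pieces described above: building the watchlist the way the sed pipeline does, and suppressing reports for certificates whose SHA-256 fingerprint matches one we hold locally. The domains file content, the report entry fields and the local certificate bytes are constructed stand-ins; the assumption that a watchlist entry also covers its subdomains is ours.

```python
import hashlib

# Constructed sample standing in for letsencrypt-domains/domains:
# several names per line, '#' comment lines and blank lines to be dropped.
DOMAINS_FILE = """
# our domains (constructed sample)
example.org www.example.org
mail.example.org
"""


def parse_watchlist(text):
    """Same effect as the sed pipeline in the ticket: split tokens on
    whitespace, drop comment lines and blank lines, sort the result."""
    names = set()
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        names.update(line.split())
    return sorted(names)


def local_fingerprints(der_blobs):
    """SHA-256 fingerprints of the certificates we issued ourselves."""
    return {hashlib.sha256(der).hexdigest() for der in der_blobs}


def covers_watched_name(dns_names, watchlist):
    """Assumption: a watchlist entry matches itself and its subdomains."""
    return any(n == w or n.endswith("." + w) for n in dns_names for w in watchlist)


def unexpected_certs(observed, watchlist, known_fingerprints):
    """Return reported certs for a watched name that are not one of our own,
    so that our own renewals do not trigger an alert."""
    return [
        entry
        for entry in observed
        if covers_watched_name(entry["dns_names"], watchlist)
        and entry["sha256"] not in known_fingerprints
    ]


# Constructed sample: DER bytes of our current certificates (not real certs).
LOCAL_CERTS_DER = [b"constructed-der-example.org", b"constructed-der-mail"]

# Constructed sample: entries as a CT monitor would report them (fields assumed).
OBSERVED = [
    {"dns_names": ["example.org", "www.example.org"],
     "sha256": hashlib.sha256(b"constructed-der-example.org").hexdigest()},
    {"dns_names": ["mail.example.org"], "sha256": "00" * 32},   # not ours
    {"dns_names": ["unrelated.net"], "sha256": "11" * 32},      # not watched
]
```

Running `unexpected_certs(OBSERVED, parse_watchlist(DOMAINS_FILE), local_fingerprints(LOCAL_CERTS_DER))` reports only the mail.example.org entry, since the first is our own renewal and the third is outside the watchlist.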

Child Tickets

Change History (1)

comment:1 Changed 8 months ago by anarcat

Description: modified (diff)