Certificate Transparency: crt.sh ok, but still not working?


OT: Hello and regards to all users, my newbie post… /OT

There are some older threads about this issue, most of them are closed without final solution, so starting this thread:

Because of actual security issues I did change ssl certificate from StartCom to Let’s Encrypt…
It is running on a shared webhosting server (hosted by HostEurope.de).

With StartCom ‘Certificate Transparancy’ did work (=YES), with Let’s Encrypt ‘Certificate Transparancy’ don’t work (=NO).
Tested with https://www.ssllabs.com

Chrome says too, that the server didn’t provide CT information with Let’s Encrypt.

When I look for my certificate at https://crt.sh , I can find it.

It must depend on Let’s Encrypt certificate because StartCom certificate is working
=> Server settings are unchanged.

Certificate creation had been done in Ubuntu-14.04 by:

So how to get CT working with Let’s Encrypt too? Special option while creating the certificate necessary?

Thx + regards!


There are three ways for CT to work: embedded into the certificate (Let’s Encrypts duty), embedded into the OCSP (Let’s Encrypts duty) ór with the TLS handshake, which is the duty of the webserver. For Apache you’d need the beta version of the software, something a hosting provider wouldn’t do I recon…

As of this moment Let’s Encrypt doesn’t provide CT through either the cert nor OSCP. But they are working on it.

Is CT very important for you?


Yes, and in my opinion for some others too, because Google/Chrome has announced some penalties if CT isn’t provided in near future.

Certificate can be found by Google too:


If you want to track progress on the first method mentioned by @Osiris, you can subscribe to this GitHub issue:

Once this has been implemented and deployed, you’ll benefit from this starting with your next renewal, no other changes necessary.

Browsers currently do not mandate or enforce Certificate Transparency in general, with only a small number of exceptions for CAs with a bad track record (Let’s Encrypt not being one of those :wink:), so I would personally not invest too much time in trying to get SCT delivery via TLS extension to work. By the time Google (and others) decide to enforce CT for all CAs (which I’m sure would be announced with significant lead time), I have no doubt that embedded SCT receipts will have landed.

Bringing up LE to match StartSSL's offerings

hi cryptor

To clarify a bit further google cannot dictate mandatory CT as it is a google initiative (for example SPDY, Go Language, QUIC and VP8 are other initiatives). Industry can choose to adopt and support these standards however . Have a look at the google CT faq https://www.certificate-transparency.org/faq. There is no mention of penalties and CT is still at a fairly young stage.

CT is a double edged sword. Its good to make sure no one has certificate for your servers but it negates some of the other efforts (such as DNS bruteforcing). Some customer may request their CAs not to publish sensitive sites (e.g. internal portals) and CAs should have this freedom.

An interesting field however and emerging technology that both CAs, Web Servers and Clients need to get on top of so worrying about it too much may not be the best use of time (in my opinion)


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.