Certificate Transparency Logs

Can someone help me understand the Certificate Transparency Logs?

Especially how I can see which IP address the certs were issued to....

We are being rate limited, but do not understand WHY there are so many issued certs for our subdomains.

You can't get the IP address which requested the certificate from CT logs. In the past, Let's Encrypt had the plan to, for transparency, publish the IP addresses for every certificate, but this plan has either been pulled or shelved. In any case, you can't get the IP address.

2 Likes

Ok, thanks. I understood the same and never needing to review the certificate transparency logs - never knew that it wasn't.

1 Like

Update:

In a comment here I found the link to the certificate transparency logs which took me to a Google hosted log.

In another comment I found the link to Let's Debug, so used that tool to see what it had to say, which led me to the REAL certificate transparency logs which make sense and also show me clearly what the problem is.

The certificate is being renewed every hour.

1 Like

Note that the plan for publishing IP addresses by Let's Encrypt is something entirely different than CT logs.

Probably a misconfiguration in your client. If you need help with that, we can (probably) help :slight_smile:

3 Likes

Yep, I'll be back once I know more about the client, the site, and the software they are using. :wink: TY

1 Like

Let's Debug is probably pointing you to the interface at https://crt.sh/, which is better than Google's search interface (and, reportedly unlike Google's, is still being updated!). However, neither of these is "the real certificate transparency logs". The real certificate transparency logs are an enormous set of databases which are not on the web and don't have any kind of official web interface.

The crt.sh tool is created and hosted by Sectigo (a certificate authority), and is the best tool of its kind that exists or has ever existed, but is still not in any way official!

6 Likes
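An added example, not part of the thread and not code from crt.sh or Let's Encrypt: one way to confirm an hourly-renewal pattern like the one found above, working from records saved from crt.sh's JSON output. The sample rows, hostnames, serials and the `issuance_report` name are constructed; it assumes the `issuer_ca_id`, `serial_number`, `name_value` and `not_before` fields are present in each record.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _row(serial, names, not_before):
    # Constructed record using crt.sh JSON field names; all values are made up.
    return {"issuer_ca_id": 1, "serial_number": serial,
            "name_value": names, "not_before": not_before}

SAMPLE = json.dumps([
    _row("03a1", "shop.example.com", "2024-05-01T00:02:11"),
    _row("03a1", "shop.example.com", "2024-05-01T00:02:11"),  # precert + leaf pair
    _row("03a2", "shop.example.com", "2024-05-01T01:02:11"),
    _row("03a3", "shop.example.com", "2024-05-01T02:02:11"),
    _row("03a4", "shop.example.com", "2024-05-01T03:02:11"),
    _row("03b1", "example.com\nwww.example.com", "2024-03-01T09:00:00"),
    _row("03b2", "www.example.com\nexample.com", "2024-04-30T09:00:00"),
])

def issuance_report(entries, threshold=timedelta(days=1)):
    """Per set of names: certificate count, shortest gap, and a too-frequent flag."""
    seen, by_names = set(), defaultdict(list)
    for e in entries:
        key = (e["issuer_ca_id"], e["serial_number"])
        if key in seen:          # precertificate and final certificate share a serial
            continue
        seen.add(key)
        names = frozenset(n.strip().lower()
                          for n in e["name_value"].split("\n") if n.strip())
        by_names[names].append(datetime.fromisoformat(e["not_before"]))
    report = {}
    for names, times in by_names.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        min_gap = min(gaps) if gaps else None
        report[names] = {"count": len(times), "min_gap": min_gap,
                         "too_frequent": min_gap is not None and min_gap < threshold}
    return report

if __name__ == "__main__":
    for names, info in issuance_report(json.loads(SAMPLE)).items():
        print(sorted(names), info["count"], info["min_gap"], info["too_frequent"])
```

Grouping by the full set of names matters because Let's Encrypt's duplicate-certificate limit applies to certificates with the same exact set of hostnames, so a group with many certificates and a short minimum gap points at the client that keeps re-issuing.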