How is it possible ? future logging

Logs are sharded based on when the certificates expire, not when they were issued.

That way e.g. browsers can distrust the 2020 log shards in early 2021 because you know they no longer have any valid certificates.


Aaah, so that’s the “Window” mentioned on the CT logs page. I thought it was the window the shard was “open for business” in general :stuck_out_tongue: Good to know!


Folks might have noticed already but the certificates the OP is concerned about aren’t issued by Boulder/ACME. They’re the product of ct-woodpecker's own internal PKI and don’t chain to a trusted root. These certificates are part of the end-to-end monitoring of the CT log by Let’s Encrypt staff and not the result of anyone issuing custom certificates with the normal ACME infrastructure.

One of ct-woodpecker's jobs is to periodically log certificates to monitored CT logs to record success/failure, latency, etc. After submission it can monitor the log for proof of inclusion of certificates it has previously logged. To do so with a minimum amount of overhead/fuss it issues test certificates that chain to its internal root CA. It doesn’t act as an ACME client, or respond to domain validation. This internal PKI also facilitates the manipulation of the certificate lifetime so that all of the active shards of the log can be tested with submissions.

Importantly not just anyone can spin up their own ct-woodpecker instance (or similar home-spun root CA) and submit test certificates to the Let’s Encrypt CT logs. The Let’s Encrypt SRE team has specifically configured their CT log shards with their own ct-woodpecker instance’s root CA as an allowed root, letting the monitor submit test certificates even though they aren’t issued by a trusted CA participating in the web PKI.

None of the baseline requirements apply to these test certificates, it’s conceptually similar to the staging environment in that sense.

Hope that helps add some more background!


lets consider the case when SCT is added to the [quote=“cpu, post:23, topic:122323”]
not the result of anyone issuing custom certificates with the normal ACME infrastructure.

Thanks I just wanted to hear this for confirmation because it got logged as an exception to my CTL analyser


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.