I tried to submit a certificate to log servers as shown below, but they are being rejected.
sending request to https://ctserver.cnnic.cn
unable to submit certificate to log, error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
sending request to https://ct1.digicert-ct.com/log
unable to submit certificate to log, HTTP error 400 BAD REQUEST: A trusted root was not found.
sending request to https://ct2.digicert-ct.com/log
unable to submit certificate to log, HTTP error 400 BAD REQUEST: Rate limit exceeded.
sending request to https://ct.googleapis.com/icarus
version: 0
log ID: KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg=
timestamp: 1569687365039 (2019-09-28 21:46:05)
extensions:
signature: BAMARzBFAiEA1POVJhkP2mh2IbsIUITv+zmsEdX7g0a5gKpLmwnqBrQCIGkjhOihq/x5J9ATmb9fFh3ExcbRhDXp8B0oyyAfBnnV
SCT (118 bytes): ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABbXioZa8AAAQDAEcwRQIhANTzlSYZD9podiG7CFCE7/s5rBHV+4NGuYCqS5sJ6ga0AiBpI4Tooav8eSfQE5m/XxYdxMXG0YQ16fAdKMsgHwZ51Q==
sending request to https://mammoth.ct.comodo.com
version: 0
log ID: b1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RM=
timestamp: 1569687366668 (2019-09-28 21:46:06)
extensions:
signature: BAMARzBFAiEAnqWEVxu5+0eNQITrKeonGgnQfDoPOZPRCfIZccb6uSYCIC9R6qvz14qUKb0F7i06s4EmNTso2xEDNfH8K43Uq1zg
SCT (118 bytes): AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABbXiobAwAAAQDAEcwRQIhAJ6lhFcbuftHjUCE6ynqJxoJ0Hw6DzmT0QnyGXHG+rkmAiAvUeqr89eKlCm9Be4tOrOBJjU7KNsRAzXx/CuN1Ktc4A==
sending request to https://ct.googleapis.com/pilot
version: 0
log ID: pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=
timestamp: 1568884083701 (2019-09-19 14:38:03)
extensions:
signature: BAMASDBGAiEAkK0RMM64A/ZIE0cYJ4H6HakuY6kWuPzgWmv8dB3+fP4CIQCNSu7/o1mZyTrygz/wYXZDFOrvVFGqoxNMJvhKNktflw==
SCT (119 bytes): AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABbUjHS/UAAAQDAEgwRgIhAJCtETDOuAP2SBNHGCeB+h2pLmOpFrj84Fpr/HQd/nz+AiEAjUru/6NZmck68oM/8GF2QxTq71RRqqMTTCb4SjZLX5c=
sending request to https://ct.googleapis.com/rocketeer
version: 0
log ID: 7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs=
timestamp: 1568884608563 (2019-09-19 14:46:48)
extensions:
signature: BAMARjBEAiAUn2XKCKztWzHps2+eZTylv39K4pKsgpScJHI/9hTOewIgQHh/XoLMfgEh26qaQCWLGGFvuo7Zt0CsLie1+YdaZf8=
SCT (117 bytes): AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABbUjPTjMAAAQDAEYwRAIgFJ9lygis7Vsx6bNvnmU8pb9/SuKSrIKUnCRyP/YUznsCIEB4f16CzH4BIduqmkAlixhhb7qO2bdArC4ntfmHWmX/
sending request to https://sabre.ct.comodo.com
version: 0
log ID: VYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0ww=
timestamp: 1569687370242 (2019-09-28 21:46:10)
extensions:
signature: BAMASDBGAiEA/XwHzYOUc8ElNa7InjWLlHHYpumialRm8MpIkvg2NZUCIQDljnxs49Q/GmDwpbuSuADhfiVhCrsMx1+SiVRS6o7SsA==
SCT (119 bytes): AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABbXioegIAAAQDAEgwRgIhAP18B82DlHPBJTWuyJ41i5Rx2KbpompUZvDKSJL4NjWVAiEA5Y58bOPUPxpg8KW7krgA4X4lYQq7DMdfkolUUuqO0rA=
sending request to https://sirius.ws.symantec.com
unable to submit certificate to log, error [Errno 8] nodename nor servname provided, or not known
sending request to https://ct.googleapis.com/skydiver
unable to submit certificate to log, HTTP error 400 Bad Request: Bad Request
failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority
sending request to https://ct.ws.symantec.com
unable to submit certificate to log, error [Errno 8] nodename nor servname provided, or not known
sending request to https://vega.ws.symantec.com
unable to submit certificate to log, error [Errno 8] nodename nor servname provided, or not known
Can I get a proper link to an explanation if this was discussed earlier?
Public CT servers are only willing to log certificates that are issued by publicly-trusted CAs. There are two reasons for this: first, the purpose of CT is to help protect browser users by preventing or detecting misissuance of certificates that the browsers would have accepted, and second, if CT servers logged arbitrary certificates, people could easily spam them by creating and submitting hundreds of millions of certificates from a personal CA.
Who is the issuer of the certificate that you’re trying to log? Is it a publicly-trusted CA?
Also, I didn’t notice at first in your post that some of the logs did give you a SCT, which does make the failure of other logs to do so much more confusing. Sorry for missing that.
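The SCT lines some logs returned are the TLS-encoded SignedCertificateTimestamp from RFC 6962 section 3.2, and the tool's "log ID", "timestamp" and "signature" lines are just fields pulled out of it. This added example (not part of the thread or the submission tool) decodes the Icarus SCT from the output above and checks that those fields agree with what the tool printed; it does not verify the log's signature, which would need the log's public key and the submitted certificate.

```python
import base64
import struct
from datetime import datetime, timezone

# TLS SignatureAndHashAlgorithm code points used by RFC 6962 logs.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

# Sample input copied from the Icarus response in the thread above (the printed
# "log ID" and "SCT" lines); any other base64 SCT from add-chain works too.
ICARUS_LOG_ID_B64 = "KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg="
ICARUS_SCT_B64 = "ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABbXioZa8AAAQDAEcwRQIhANTzlSYZD9podiG7CFCE7/s5rBHV+4NGuYCqS5sJ6ga0AiBpI4Tooav8eSfQE5m/XxYdxMXG0YQ16fAdKMsgHwZ51Q=="


def parse_sct(sct_b64):
    """Decode a TLS-encoded SignedCertificateTimestamp (RFC 6962 section 3.2).

    Layout: version(1) | log_id(32) | timestamp_ms(8) | extensions<0..2^16-1> |
            DigitallySigned { hash(1) | sig(1) | signature<0..2^16-1> }
    """
    raw = base64.b64decode(sct_b64, validate=True)
    if len(raw) < 43:
        raise ValueError("SCT shorter than the fixed header")
    version = raw[0]
    if version != 0:  # v1 (encoded as 0) is the only version RFC 6962 defines
        raise ValueError("unsupported SCT version %d" % version)
    log_id = raw[1:33]
    timestamp_ms, ext_len = struct.unpack(">QH", raw[33:43])
    pos = 43 + ext_len
    extensions = raw[43:pos]
    if len(raw) < pos + 4:
        raise ValueError("SCT truncated before DigitallySigned")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", raw[pos:pos + 4])
    signature = raw[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len or pos + 4 + sig_len != len(raw):
        raise ValueError("signature length does not match SCT length")
    return {
        "version": version,
        "log_id": base64.b64encode(log_id).decode(),
        "timestamp_ms": timestamp_ms,
        # The tool above prints this in local time; here it is rendered as UTC.
        "timestamp_utc": datetime.fromtimestamp(timestamp_ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "sig_alg": SIG_ALGS.get(sig_alg, sig_alg),
        # The whole DigitallySigned struct is what the tool prints as "signature:".
        "digitally_signed": base64.b64encode(raw[pos:]).decode(),
        "signature_der": signature,
        "total_len": len(raw),
    }


if __name__ == "__main__":
    sct = parse_sct(ICARUS_SCT_B64)
    for key, value in sct.items():
        print("%-17s %s" % (key + ":", value))
    print("log ID matches tool output:", sct["log_id"] == ICARUS_LOG_ID_B64)
```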
Yes, I was also confused by your reply, considering it a self-signed or untrusted one. One CTL replied that the limit was reached, which is also fine, but some CTLs are behaving abnormally, so I need your help.
maybe some logs haven’t added the ISRG root as a trusted root certificate yet, and are still relying on the path from the DST root (which is what Let’s Encrypt itself recommends to clients in the chain that it sends when a certificate is issued)?
maybe some logs don’t want you to submit the chain including the root, but only the chain including the intermediate?
sending request to https://ctserver.cnnic.cn
unable to submit certificate to log, error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
sending request to https://ct1.digicert-ct.com/log
unable to submit certificate to log, HTTP error 400 BAD REQUEST: A trusted root was not found.
sending request to https://ct2.digicert-ct.com/log
unable to submit certificate to log, HTTP error 400 BAD REQUEST: Rate limit exceeded.
sending request to https://ct.googleapis.com/icarus
version: 0
log ID: KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg=
timestamp: 1569687365039 (2019-09-28 21:46:05)
extensions:
signature: BAMARzBFAiAotI/8aeQxLY7iaQtdQuGOdx+MvfLSoAkUgGVvIQsUMAIhAOjCEIC+4Di87OUXe11+fvvQGF/BsFAniH0jdKMsXPR7
SCT (118 bytes): ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABbXioZa8AAAQDAEcwRQIgKLSP/GnkMS2O4mkLXULhjncfjL3y0qAJFIBlbyELFDACIQDowhCAvuA4vOzlF3tdfn770BhfwbBQJ4h9I3SjLFz0ew==
sending request to https://mammoth.ct.comodo.com
version: 0
log ID: b1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RM=
timestamp: 1569687366668 (2019-09-28 21:46:06)
extensions:
signature: BAMARzBFAiEAnqWEVxu5+0eNQITrKeonGgnQfDoPOZPRCfIZccb6uSYCIC9R6qvz14qUKb0F7i06s4EmNTso2xEDNfH8K43Uq1zg
SCT (118 bytes): AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABbXiobAwAAAQDAEcwRQIhAJ6lhFcbuftHjUCE6ynqJxoJ0Hw6DzmT0QnyGXHG+rkmAiAvUeqr89eKlCm9Be4tOrOBJjU7KNsRAzXx/CuN1Ktc4A==
sending request to https://ct.googleapis.com/pilot
version: 0
log ID: pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=
timestamp: 1568884083701 (2019-09-19 14:38:03)
extensions:
signature: BAMARzBFAiAN3ayBazMIXt8YpjXyqgStZx7GjN9kJHXafrrYJQNx0AIhALELGxhP++sDKHw1e6deriR7B6PpLE/uWnGeHHGYQnAX
SCT (118 bytes): AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABbUjHS/UAAAQDAEcwRQIgDd2sgWszCF7fGKY18qoErWcexozfZCR12n662CUDcdACIQCxCxsYT/vrAyh8NXunXq4kewej6SxP7lpxnhxxmEJwFw==
sending request to https://ct.googleapis.com/rocketeer
version: 0
log ID: 7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs=
timestamp: 1568884608563 (2019-09-19 14:46:48)
extensions:
signature: BAMARzBFAiEA7rlUA3H6ou2CHoO2Tj54vc3pl7gkBu0o2yuCwxJd/YACIDsorovQ1ZSukB+dideSfNe5r87lPggGS586F0z/ebGj
SCT (118 bytes): AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABbUjPTjMAAAQDAEcwRQIhAO65VANx+qLtgh6Dtk4+eL3N6Ze4JAbtKNsrgsMSXf2AAiA7KK6L0NWUrpAfnYnXknzXua/O5T4IBkufOhdM/3mxow==
sending request to https://sabre.ct.comodo.com
version: 0
log ID: VYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0ww=
timestamp: 1569687370242 (2019-09-28 21:46:10)
extensions:
signature: BAMASDBGAiEA/XwHzYOUc8ElNa7InjWLlHHYpumialRm8MpIkvg2NZUCIQDljnxs49Q/GmDwpbuSuADhfiVhCrsMx1+SiVRS6o7SsA==
SCT (119 bytes): AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABbXioegIAAAQDAEgwRgIhAP18B82DlHPBJTWuyJ41i5Rx2KbpompUZvDKSJL4NjWVAiEA5Y58bOPUPxpg8KW7krgA4X4lYQq7DMdfkolUUuqO0rA=
sending request to https://sirius.ws.symantec.com
unable to submit certificate to log, error [Errno 8] nodename nor servname provided, or not known
sending request to https://ct.googleapis.com/skydiver
unable to submit certificate to log, HTTP error 400 Bad Request: Bad Request
failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority
sending request to https://ct.ws.symantec.com
unable to submit certificate to log, error [Errno 8] nodename nor servname provided, or not known
sending request to https://vega.ws.symantec.com
unable to submit certificate to log, error [Errno 8] nodename nor servname provided, or not known
This one is pretty straightforward: ctserver.cnnic.cn sends an invalid certificate itself: it's expired. Therefore, I assume your client won't even connect to the CTL.
The CNNIC log was disqualified in 2018. I assume it’s no longer in operation.
The old Symantec logs have been retired.
Skydiver doesn’t accept certificates from Let’s Encrypt; it’s paired with Icarus, which accepts certificates only from Let’s Encrypt. (And IdenTrust.)
I dunno what’s up with the old DigiCert logs. I’d suggest skipping them and using DigiCert’s modern logs, Nessie and Yeti, instead. They want to phase out ct1 and, I think, ct2 anyway. And if you’re running into rate limits, the newer logs might have higher ones.