Status of Google's CT logs?

All of Google’s CT logs are currently giving me 404s, and have been for a few weeks. I’m not finding any information about them being taken offline.

Anyone know what’s going on?

2 Likes

Ah, I do not think they’re really 404. They still respond to well-formed CT requests:

$ curl -s https://ct.googleapis.com/logs/argon2020/ct/v1/get-sth | jq
{
  "tree_size": 487017723,
  "timestamp": 1586293804298,
  "sha256_root_hash": "J0ZsHdYM+VIf0lQzkLT5mU+yoIGigPcPW1ACIOlAhEw=",
  "tree_head_signature": "BAMARjBEAiBPxpHJhTg44hh37x7v8pjxgPJ+HQ5VTm0Vgd/905vhpwIgej5/EVi5SUOz23i/d4+wzZU2FLfhb4mCM9Zww3alP+4="
}
2 Likes
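The get-sth check from the reply above, as an added example that is not part of the original thread: it structurally validates the STH body shown there (root hash length, the RFC 6962 DigitallySigned header on the signature, timestamp age), which tells you more about a log's status than an HTTP code on its base URL. The function name, the `now_ms` parameter and the 24-hour merge-delay window are assumptions for illustration.

```python
import base64
import json
import struct
from datetime import datetime, timezone

# STH body copied from the get-sth reply above (argon2020).
STH_JSON = """{
  "tree_size": 487017723,
  "timestamp": 1586293804298,
  "sha256_root_hash": "J0ZsHdYM+VIf0lQzkLT5mU+yoIGigPcPW1ACIOlAhEw=",
  "tree_head_signature": "BAMARjBEAiBPxpHJhTg44hh37x7v8pjxgPJ+HQ5VTm0Vgd/905vhpwIgej5/EVi5SUOz23i/d4+wzZU2FLfhb4mCM9Zww3alP+4="
}"""

# TLS enum values carried in the DigitallySigned header.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}
MMD_MS = 24 * 60 * 60 * 1000  # assumption: 24h maximum merge delay


def check_sth(body, now_ms):
    """Structurally validate a get-sth body and report how fresh it is.

    The signature is NOT verified cryptographically here: that needs the
    log's public key, which is not part of the thread.
    """
    sth = json.loads(body)
    root = base64.b64decode(sth["sha256_root_hash"], validate=True)
    if len(root) != 32:
        raise ValueError("root hash is not 32 bytes")
    sig = base64.b64decode(sth["tree_head_signature"], validate=True)
    if len(sig) < 4:
        raise ValueError("tree_head_signature too short")
    # Header: 1-byte hash id, 1-byte signature id, 2-byte big-endian length.
    hash_id, sig_id, sig_len = struct.unpack(">BBH", sig[:4])
    if hash_id not in HASH_ALGS or sig_id not in SIG_ALGS:
        raise ValueError("unexpected signature algorithm")
    if sig_len != len(sig) - 4:
        raise ValueError("signature length mismatch")
    issued = datetime.fromtimestamp(sth["timestamp"] // 1000, tz=timezone.utc)
    age_ms = now_ms - sth["timestamp"]
    return {
        "tree_size": sth["tree_size"],
        "issued": issued.isoformat(),
        "hash_alg": HASH_ALGS[hash_id],
        "sig_alg": SIG_ALGS[sig_id],
        "sig_len": sig_len,
        "fresh": 0 <= age_ms <= MMD_MS,  # stale or future STHs are suspect
    }
```
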

You are correct, the 404s are a red herring when I was just poking at them trying to see their status, sorry about that.

The real issue that I’ve been having is that I’ve been unable to download SCTs from Google’s Icarus log. My client has been able to make the same calls successfully for a long time, but lately I’ve been getting: “failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority”.

Trying to find information about the CT logs is proving difficult. Wondering if Icarus is no longer accepting LE certs or if something else changed.

1 Like

Hmm. That’s weird. I also use certificate-transparency-go for a project, and it’s been running since November 2017 without being touched and hasn’t reported any errors for that log:

ledger=# select * from logs where url like '%icarus%';
            url            | active | scanned_until
---------------------------+--------+---------------
ct.googleapis.com/icarus/ | t      |     762235414

Are you getting an error from scanner.Scan()? Or otherwise what operation?

The only thing I can find about Icarus is https://groups.google.com/a/chromium.org/forum/#!searchin/ct-policy/icarus/ct-policy/iOg8Jqc0XxU/cFm75-JzBQAJ , which is restricting which roots can be submitted to Icarus, since March 26, 2020 (delayed from March 17). But that shouldn’t affect downloading log entries, right?

1 Like

That does look like the issue, thanks for finding that. My client fetches SCTs by (re)submitting certs (since it doesn’t know if the certs have been submitted before, and part of the goal is to ensure that the cert is submitted to the log). Wish Google would post this information somewhere more obvious…

1 Like
