Status of Google's CT logs?

All of Google’s CT logs are currently giving me 404s, and have been for a few weeks. I’m not finding any information about them being taken offline.

Anyone know what’s going on?


Ah, I do not think they’re really 404. They still respond to well-formed CT requests:

$ curl -s | jq
  "tree_size": 487017723,
  "timestamp": 1586293804298,
  "sha256_root_hash": "J0ZsHdYM+VIf0lQzkLT5mU+yoIGigPcPW1ACIOlAhEw=",
  "tree_head_signature": "BAMARjBEAiBPxpHJhTg44hh37x7v8pjxgPJ+HQ5VTm0Vgd/905vhpwIgej5/EVi5SUOz23i/d4+wzZU2FLfhb4mCM9Zww3alP+4="

You are correct, the 404s are a red herring when I was just poking at them trying to see their status, sorry about that.

The real issue that I’ve been having is that I’ve been unable to download SCTs from Google’s Icarus log. My client has been able to make the same calls successfully for a long time, but lately I’ve been getting: “failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority”.

Trying to find information about the CT logs is proving difficult. Wondering if Icarus is no longer accepting LE certs or if something else changed.

1 Like

Hmm. That’s weird. I also use certificate-transparency-go for a project, and it’s been running since November 2017 without being touched and hasn’t reported any errors for that log:

ledger=# select * from logs where url like '%icarus%';
            url            | active | scanned_until
---------------------------+--------+--------------- | t      |     762235414

Are you getting an error from scanner.Scan()? Or otherwise what operation?

The only thing I can find about Icarus is!searchin/ct-policy/icarus/ct-policy/iOg8Jqc0XxU/cFm75-JzBQAJ , which is restricting which roots can be submitted to Icarus, since March 17 26 (delayed) 2020. But that shouldn’t affect downloading log entries, right?

1 Like

That does look like the issue, thanks for finding that. My client fetches SCTs by (re)submitting certs (since it doesn’t know if the certs have been submitted before, and part of the goal is to ensure that the cert is submitted to the log). Wish Google would post this information somewhere more obvious…

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.