Closed: konklone closed this issue 7 years ago.
`-all_time` is working as intended; it's just badly named and documented. `-all_time` only affects scans of new logs. I'll add an option to do what you expected, but I need to figure out what these two options should be called (suggestions welcome).

In the meantime, you can force a rescan of all logs by removing all the files in your `~/.certspotter/sths` directory (or wherever your `state_dir` is) and then running `certspotter` with `-all_time`.
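A shell version of the workaround described above, added here as an example; it is not code from the certspotter project. It assumes only the layout the comment states (saved positions live as files under `<state_dir>/sths`, default `~/.certspotter`) and, for the final step, that the state directory can be passed to `certspotter` with a `-state_dir` flag, which is an assumption taken from the comment's mention of `state_dir`. The helper counts what it removed so you can confirm the saved positions are actually gone before rescanning.

```shell
#!/bin/sh
# Constructed example (not certspotter project code): clear Cert Spotter's saved
# STH (signed tree head) files so the next run with -all_time has no saved position
# to trust and scans every log from the beginning.

# Remove every saved STH file under <state_dir>/sths and print how many were removed.
# Returns 1 if the sths directory does not exist (nothing to reset, or wrong state_dir).
reset_sths() {
    state_dir="${1:-$HOME/.certspotter}"   # default state_dir named in the thread
    sths_dir="$state_dir/sths"
    if [ ! -d "$sths_dir" ]; then
        echo "no sths directory at $sths_dir" >&2
        return 1
    fi
    count=0
    for f in "$sths_dir"/*; do
        [ -f "$f" ] || continue            # skip the literal glob when the dir is empty
        rm -f -- "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Print the number of saved STH files still present; 0 means a full rescan will happen.
count_sths() {
    state_dir="${1:-$HOME/.certspotter}"
    n=0
    for f in "$state_dir"/sths/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# The full workaround: wipe the saved positions, verify, then rescan from the start.
# The -state_dir flag is assumed here (inferred from the thread's "state_dir"); any
# extra arguments are passed through to certspotter unchanged.
rescan_all_time() {
    state_dir="${1:-$HOME/.certspotter}"
    shift 2>/dev/null
    removed="$(reset_sths "$state_dir")" || return 1
    echo "removed $removed saved STH file(s); $(count_sths "$state_dir") remain" >&2
    certspotter -state_dir "$state_dir" -all_time "$@"
}
```

Run `rescan_all_time` with no arguments to use the default `~/.certspotter`, or pass an explicit state directory as the first argument. Deleting the saved positions means the next run also re-downloads everything it already processed, so expect it to take as long as a first run.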
In the interest of documentation for people who find this issue, what is the current behavior? It appears that `-all_time` trusts existing logs to go back until the beginning?
(Also, what does it do without that flag?)
I came across the same question when I tried certspotter the first time.
What I figured out is the following (please correct me if I'm wrong).
When certspotter is started without `-all_time`, it reads the latest CT entries from the logs. When it is done, it stores the last entry retrieved in the directory structure under `~/.certspotter/`. When started the first time, it seems as if certspotter will just store the last position.
As it seems, when certspotter is started the very first time, there is no information about the last log position (for that domain and CT log). In this state, `-all_time` causes certspotter to check the complete CT log. If a last position is already there, `-all_time` seems to have no effect.
When the file containing the last position is deleted, `-all_time` behaves as expected.
Again, this is my observation.
In Cert Spotter 0.3, `-all_time` will work as expected and always scan the entirety of logs. For details, see the commit message for 31f2316aa2cdb56fc355f181f55da3e938fd9f55.
I can't get the `certspotter` client to do an `-all_time` scan. It ends immediately, only checking for newer certs: