Open yacoubhanna opened 1 year ago
Hi @yacoubhanna,
Thanks for the report.
I'd be interested to hear how you get on with the tweaks I've made in #1061. I'm able to get trillian_log_server, trillian_log_signer, ct_server, and ctclient working on a fresh checkout locally following the docs. I've added some explicit example commands for starting these so you can see what I'm doing here, at least.
Hello @AlCutter.
Thank you so much for the update. However, when I get to the ctclient step and try to run it, it doesn't work. More specifically, I was not able to run this command:
% go install github.com/google/certificate-transparency-go/client/ctclient
% ctclient --log_uri http://localhost:6966/aramis --pub_key pubkey.pem sth
2018-10-12 11:28:08.544 +0100 BST (timestamp 1539340088544): Got STH for V1 log (size=11718) at http://localhost:6966/aramis, hash 6fb36fcca60d61aa85e04ff0c34a87782f12d08568118602eec0208d85c3a40d
Signature: Hash=SHA256 Sign=ECDSA
Value=3045022100df855f0fd097a45070e2eb244c7cb63effda942f2d30308e3b84a72e1d16118b0220038e55f142501402cf03790b3997081f82ffe47f2d3f3b667e1c484aecf40a33
Can you please tell me the exact steps that you took in order to run the ct_server and the ctclient?
Thank you for your time.
@yacoubhanna We have updated the manual deployment doc in #1061. Please try if the following command works for you. https://github.com/google/certificate-transparency-go/blob/87b3d6d1cb5c0f7ffa2b7b311022c5c395d4683c/trillian/docs/ManualDeployment.md?plain=1#L357
Hi @yacoubhanna, just to add to Roger's reply - if you still can't get it to work with the updated command Roger copied into his comment above, it would greatly help us to help you if you could include the output of the failed commands too.
Cheers, Al.
Hello @roger2hk & @AlCutter,
I ran the command that @roger2hk gave me and I got this error:
F0503 11:29:04.659090 520037 root.go:87] Get "http://localhost:6966/aramis/ct/v1/get-sth?": dial tcp 127.0.0.1:6966: connect: connection refused
exit status 1
I followed all the steps that are on the Manual Deployment page.
I started the log server and this was the output:
I0503 11:25:52.924696 519031 main.go:97] **** Log Server Starting ****
I0503 11:25:52.925264 519031 quota_provider.go:46] Using MySQL QuotaManager
I0503 11:25:52.925428 519031 main.go:180] RPC server starting on :8080
I0503 11:25:52.925467 519031 main.go:141] HTTP server starting on :8081
I0503 11:25:52.925556 519031 main.go:188] Deleted tree GC started
Then I started the log signer and the output was:
W0503 11:26:03.508612 519302 main.go:139] **** Acting as master for all logs ****
I0503 11:26:03.508620 519302 quota_provider.go:46] Using MySQL QuotaManager
I0503 11:26:03.508736 519302 main.go:180] RPC server starting on :8090
I0503 11:26:03.508735 519302 operation_manager.go:328] Log operation manager starting
I0503 11:26:03.508801 519302 main.go:141] HTTP server starting on :8091
I0503 11:26:03.509210 519302 operation_manager.go:243] create master election goroutine for 4114221413504323809
I0503 11:26:03.509222 519302 operation_manager.go:243] create master election goroutine for 6807418909888796259
I0503 11:26:03.509231 519302 operation_manager.go:285] Acting as master for 0 / 2 active logs: master for:
I0503 11:26:03.550584 519302 runner.go:130] 4114221413504323809: Now, I am the master
I0503 11:26:03.610168 519302 operation_manager.go:285] Acting as master for 1 / 2 active logs: master for: <log-4114221413504323809>
I0503 11:26:04.108311 519302 runner.go:130] 6807418909888796259: Now, I am the master
I0503 11:26:04.110865 519302 operation_manager.go:285] Acting as master for 2 / 2 active logs: master for: <log-4114221413504323809> <log-6807418909888796259>
I0503 11:26:18.598706 519302 operation_manager.go:243] create master election goroutine for 23676163302372089
I0503 11:26:18.645703 519302 runner.go:130] 23676163302372089: Now, I am the master
I0503 11:26:18.699936 519302 operation_manager.go:285] Acting as master for 3 / 3 active logs: master for: <log-23676163302372089> <log-4114221413504323809> <log-6807418909888796259>
I0503 11:27:21.198700 519302 runner.go:148] 6807418909888796259: queue up resignation of mastership
I0503 11:27:21.261936 519302 runner.go:172] 6807418909888796259: deliberately resigning mastership
I0503 11:27:21.261947 519302 runner.go:130] 6807418909888796259: Now, I am the master
Then I ran createtree and got this output:
W0503 11:26:18.561268 519562 rpcflags.go:36] Using an insecure gRPC connection to Trillian
I0503 11:26:18.561384 519562 admin.go:50] CreateTree...
I0503 11:26:18.572410 519562 admin.go:95] Initialising Log 23676163302372089...
I0503 11:26:18.576596 519562 admin.go:106] Initialised Log (23676163302372089) with new SignedTreeHead:
log_root:"\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00 \xe3\xb0\xc4B\x98\xfc\x1c\x14\x9a\xfb\xf4șo\xb9$'\xaeA\xe4d\x9b\x93L\xa4\x95\x99\x1bxR\xb8U\x17[\xab\x9dx\xa3Ց\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
23676163302372089
Then I created the keys using these commands:
% openssl ecparam -name prime256v1 > privkey.pem # generate parameters file
% openssl ecparam -in privkey.pem -genkey -noout >> privkey.pem # generate and append private key
% openssl ec -in privkey.pem -pubout -out pubkey.pem # generate corresponding public key
However, when I get to run the next step which is
% go install github.com/google/certificate-transparency-go/client/ctclient
% ctclient --log_uri http://localhost:6966/aramis --pub_key pubkey.pem sth
I got this error:
ctclient: command not found
Just to mention: if you go to ctclient, there is no file called ctclient. It was there in the previous versions, but it was taken out while updating.
That was line 266 in the ManualDeployment.md file.
When I ran @roger2hk's command (line 357) I got this:
F0503 11:29:04.659090 520037 root.go:87] Get "http://localhost:6966/aramis/ct/v1/get-sth?": dial tcp 127.0.0.1:6966: connect: connection refused
exit status 1
It does make sense that I am getting this error, since I didn't initiate anything on port 6966, and the manual setup didn't mention anything about port 6966.
Thank you so much for your help.
@yacoubhanna For the "ctclient: command not found" error, the installed binary is located at $HOME/go/bin. The following command adds the Go binary directory to the PATH environment variable, and then you should be able to execute the ctclient command.
export PATH="$HOME/go/bin:$PATH"
Thank you @roger2hk. After I ran
export PATH="$HOME/go/bin:$PATH"
I ran this command
ctclient --log_uri http://localhost:6966/aramis getroots
and I didn't get the same error as before, but I got this:
flag provided but not defined: -log_uri
Usage of ctclient:
-add_dir_header
If true, adds the file directory to the header of the log messages
-alsologtostderr
log to standard error as well as files (no effect when -logtostderr=true)
-log_backtrace_at value
when logging hits line file:N, emit a stack trace
-log_dir string
If non-empty, write log files in this directory (no effect when -logtostderr=true)
-log_file string
If non-empty, use this log file (no effect when -logtostderr=true)
-log_file_max_size uint
Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-logtostderr
log to standard error instead of files (default true)
-one_output
If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
-skip_headers
If true, avoid header prefixes in the log messages
-skip_log_headers
If true, avoid headers when opening log files (no effect when -logtostderr=true)
-stderrthreshold value
logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
-v value
number for the log level verbosity
-vmodule value
comma-separated list of pattern=N settings for file-filtered logging
I ran this command:
ctclient -log_uri http://localhost:6966/aramis --pub_key pubkey.pem sth
and got this
Error: unknown command "http://localhost:6966/aramis" for "ctclient"
Run 'ctclient --help' for usage.
F0503 22:49:29.573562 67537 root.go:75] unknown command "http://localhost:6966/aramis" for "ctclient"
ctclient --help
A command line client for Certificate Transparency logs
Usage:
ctclient [command]
Available Commands:
bisect Find a log entry by timestamp
completion Generate the autocompletion script for the specified shell
get-consistency-proof Fetch and verify a consistency proof between two tree states
get-entries Fetch a range of entries in the log
get-inclusion-proof Fetch and verify the inclusion proof for an entry
get-roots Fetch the root certificates accepted by the log
get-sth Fetch the latest STH of the log
help Help about any command
upload Submit a certificate (pre-)chain to the log
Flags:
-h, --help help for ctclient
--log_list string Location of master log list (URL or filename) (default "https://www.gstatic.com/ct/log_list/v3/all_logs_list.json")
--log_name string Name of log to retrieve information from --log_list for
--log_uri string CT log base URI (default "https://ct.googleapis.com/rocketeer")
--pub_key string Name of file containing log's public key
--skip_https_verify Skip verification of HTTPS transport connection
@yacoubhanna Unfortunately the doc is outdated.
Here is the correct command for get-roots.
go run github.com/google/certificate-transparency-go/client/ctclient@master get-roots --log_uri http://localhost:6966/aramis
Here is the correct command for get-sth.
go run github.com/google/certificate-transparency-go/client/ctclient@master get-sth --log_uri http://localhost:6966/aramis --pub_key pubkey.pem
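As an added example (not code from this thread or from certificate-transparency-go itself), the Go program below shows what the --pub_key argument to get-sth is actually used for: the client serialises the TreeHeadSignature structure of RFC 6962 section 3.5, hashes it with SHA-256 and verifies the log's ECDSA signature against the public key in pubkey.pem, which the openssl commands earlier in the thread generate on the prime256v1 (P-256) curve. It uses only the standard library; the key pair and the STH are constructed inside the program (the timestamp and tree size are borrowed from the doc's sample output, the root hash is made up), and the names SignedTreeHead, ParseLogPublicKey, VerifySTH and DemoRoundTrip are this example's own, not the project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignedTreeHead holds the STH fields the log's signature covers (RFC 6962 section 3.5).
type SignedTreeHead struct {
	Timestamp uint64   // milliseconds since the Unix epoch
	TreeSize  uint64   // number of entries in the tree
	RootHash  [32]byte // SHA-256 Merkle tree root hash
	Signature []byte   // DER-encoded ECDSA signature over the TreeHeadSignature input
}

// treeHeadSignatureInput serialises the TreeHeadSignature structure:
// version(1) || signature_type(1) || timestamp(8) || tree_size(8) || sha256_root_hash(32).
func treeHeadSignatureInput(sth *SignedTreeHead) []byte {
	var buf [50]byte
	buf[0] = 0 // Version v1
	buf[1] = 1 // SignatureType tree_hash
	binary.BigEndian.PutUint64(buf[2:10], sth.Timestamp)
	binary.BigEndian.PutUint64(buf[10:18], sth.TreeSize)
	copy(buf[18:], sth.RootHash[:])
	return buf[:]
}

// ParseLogPublicKey loads the log's ECDSA public key from the PEM file passed as --pub_key.
func ParseLogPublicKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("log key is not an ECDSA key")
	}
	return ecPub, nil
}

// VerifySTH is the check get-sth performs with --pub_key: SHA-256 over the
// TreeHeadSignature input, then ECDSA verification against the log's key.
func VerifySTH(pub *ecdsa.PublicKey, sth *SignedTreeHead) bool {
	digest := sha256.Sum256(treeHeadSignatureInput(sth))
	return ecdsa.VerifyASN1(pub, digest[:], sth.Signature)
}

// signSTH plays the log's role so the demo is self-contained; a real STH is signed
// by the log operator's key inside the CTFE, never by the client.
func signSTH(priv *ecdsa.PrivateKey, sth *SignedTreeHead) (err error) {
	digest := sha256.Sum256(treeHeadSignatureInput(sth))
	sth.Signature, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return err
}

// DemoRoundTrip generates a P-256 key (the curve openssl calls prime256v1), exports the public
// half as PEM, signs a constructed STH and verifies it intact and after tampering with tree_size.
func DemoRoundTrip() (genuineVerifies bool, tamperedRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	pub, err := ParseLogPublicKey(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	if err != nil {
		return false, false, err
	}
	// Constructed STH: timestamp and size from the doc's sample output, root hash made up.
	sth := &SignedTreeHead{Timestamp: 1539340088544, TreeSize: 11718}
	sth.RootHash = sha256.Sum256([]byte("constructed root hash input"))
	if err := signSTH(priv, sth); err != nil {
		return false, false, err
	}
	tampered := *sth
	tampered.TreeSize++ // any change to a signed field must invalidate the signature
	return VerifySTH(pub, sth), !VerifySTH(pub, &tampered), nil
}

func main() {
	ok, rejected, err := DemoRoundTrip()
	fmt.Printf("genuine STH verifies: %v, tampered STH rejected: %v, err=%v\n", ok, rejected, err)
}
```

The point of the tampering branch is the security property the --pub_key check buys you: an STH whose tree_size, timestamp or root hash has been altered in transit, or served by something that is not the log, fails verification, so a client that skips the key check is trusting whatever answers on the log URI.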
Hello @roger2hk
I ran go run github.com/google/certificate-transparency-go/client/ctclient@master get-sth --log_uri http://localhost:6966/aramis --pub_key pubkey.pem and got the same error for both
F0504 18:47:56.942094 254977 root.go:87] Get "http://localhost:6966/aramis/ct/v1/get-sth?": dial tcp 127.0.0.1:6966: connect: connection refused
exit status 1
go run github.com/google/certificate-transparency-go/client/ctclient@master get-roots --log_uri http://localhost:6966/aramis
F0504 18:48:38.116251 255196 root.go:87] Get "http://localhost:6966/aramis/ct/v1/get-roots?": dial tcp 127.0.0.1:6966: connect: connection refused
exit status 1
Thank you for your help
@yacoubhanna The connection refused was caused by the missing CTFE server. The manual deployment doc doesn't mention any command to start the CTFE server but there is a link to the integration demo script.
If you aim to try how Trillian and CTFE work, you can follow the Docker version deployment. The commands there were verified a few weeks ago.
It will take some time to rewrite the whole CT log deployment (manual) doc.
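As an added example, not part of this thread or of the project, the following Go program performs the preflight that would have pinpointed the "connection refused" errors above: it parses the --log_uri value, opens a plain TCP connection to the host and port, and tells apart "connection refused" (nothing bound to the port, i.e. no CTFE running there) from a listening server or a transport-level timeout. It uses only the standard library; the names ProbeLogEndpoint, logHostPort and ProbeResult are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"syscall"
	"time"
)

// ProbeResult classifies what a plain TCP connect to the log's host:port found.
type ProbeResult string

const (
	Listening   ProbeResult = "listening"   // a server accepts connections; remaining errors are HTTP-level (prefix, key, ...)
	Refused     ProbeResult = "refused"     // nothing bound to the port: the CTFE (ct_server) is not running there
	Unreachable ProbeResult = "unreachable" // timeout, DNS failure, firewall drop or another transport error
)

// logHostPort extracts host:port from a --log_uri value, supplying the scheme's default port.
func logHostPort(logURI string) (string, error) {
	u, err := url.Parse(logURI)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("log URI %q has no host", logURI)
	}
	port := u.Port()
	if port == "" {
		switch u.Scheme {
		case "http":
			port = "80"
		case "https":
			port = "443"
		default:
			return "", fmt.Errorf("unsupported scheme %q in %q", u.Scheme, logURI)
		}
	}
	return net.JoinHostPort(u.Hostname(), port), nil
}

// ProbeLogEndpoint dials the log's TCP endpoint once and reports whether anything is listening.
// It deliberately does not speak HTTP: the goal is to separate "no CTFE running" from every other failure.
func ProbeLogEndpoint(logURI string, timeout time.Duration) (ProbeResult, error) {
	addr, err := logHostPort(logURI)
	if err != nil {
		return "", err
	}
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err == nil {
		conn.Close()
		return Listening, nil
	}
	if errors.Is(err, syscall.ECONNREFUSED) {
		return Refused, nil
	}
	return Unreachable, err
}

func main() {
	// The URI from the thread; on a host with no ct_server bound to 6966 this prints "refused".
	res, err := ProbeLogEndpoint("http://localhost:6966/aramis", 2*time.Second)
	fmt.Printf("http://localhost:6966/aramis -> %s (err=%v)\n", res, err)
}
```

A "refused" result means the CTFE has to be started on that port before get-sth or get-roots can succeed; a "listening" result with get-sth still failing points at the log prefix in the URI or at the key file instead.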
Hi @roger2hk, I followed the steps given in the document page you linked, but it still seems to have some problems, such as not having a fake-ca.cert file in the /trillian/testdata directory. Instead, I have these:
log-rpc-server-pkcs11.privkey.pem log-rpc-server.privkey.pem Makefile map-rpc-server.pubkey.pem README.md log-rpc-server-pkcs11.pubkey.pem log-rpc-server.pubkey.pem map-rpc-server.privkey.pem pkcs11-conf.json
I have never skipped a step, but I am not sure whether I missed something or not.
On the other hand, after I started the certificate transparency container in terminal 1, I got this message from the trillian log server:
ctfe-trillian-log-server-1 | E0509 20:13:08.208604 1 tree_gc.go:90] DeletedTreeGC.Run: error listing trees: Error 1146 (42S02): Table 'test.Trees' doesn't exist
Is that something expected? I am asking this because in the succeeding steps we are supposed to kill the first docker container running in terminal 1 and restart it by another but similar command.
Regards, Samet.
I have figured it out. It is my bad, but I was under the impression that the "/trillian/testdata/fake-ca.cert" file must be in the "/git/trillian" directory, because the last time we changed directory was when we went into the "/git/trillian" directory. That's why the program couldn't find the certificate and freaked out.
Best, Samet.
@samettonyali It is expected to see the "table doesn't exist" error before importing the SQL to create the tables.
docker exec -i ctfe-db mysql -pzaphod -Dtest < ./storage/mysql/schema/storage.sql
I was trying to follow the steps at CT Log Deployment in order to run the log_server and the log_signer, and they cannot be found in their directories. I found them in trillian/cmd. Also, I tried to run CT Personality and the ctclient cannot be found anywhere.
I even ran the Docker Containerized and had the same problem
Could you please update it?