
Time and Encryption are Inter-related: Certificate Transparency


Recently a teammate ran into an issue. His browser would not let him proceed to a site he had just set up, with a valid certificate. We use Let’s Encrypt (and our sites are all in the HSTS preload list, so they must be TLS). Nonetheless, he was presented with an error: “The server presented a certificate that was not publicly disclosed using the Certificate Transparency policy. This is a requirement for some certificates, to ensure that they are trustworthy and protect against attackers.” What could be wrong?

Well, in this case I asked him what time it was. He gave me an answer about 1 minute in the past. Huh. Is your systemd-timesyncd running? No, it's dead. Aha! Your NTP time is off by about 2 minutes. This certificate, from your perspective, will only become valid in the future.

We can check this using the Certificate Transparency logs. My favourite way to search them is crt.sh. This gives you a list of all certificates issued, when, and by whom.

It's a good spot to check if someone is trying to spearphish your domain. Check for common misspellings.
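The two checks described above, as an added example that is not code from the original post: given rows shaped like crt.sh's JSON output, it lists certificates for a watched domain that a skewed local clock would treat as not yet valid, and names within a small edit distance of that domain. The sample rows, the `triage` helper and the assumption that the watched domain has exactly two labels are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed rows shaped like crt.sh JSON output (output=json); every value is invented.
ROWS = [
    {"id": 101, "name_value": "example.com\nwww.example.com",
     "not_before": "2024-05-01T12:00:30", "not_after": "2024-07-30T12:00:30"},
    {"id": 102, "name_value": "examp1e.com",
     "not_before": "2024-04-20T08:00:00", "not_after": "2024-07-19T08:00:00"},
    {"id": 103, "name_value": "login.exmaple.com",
     "not_before": "2024-04-25T09:00:00", "not_after": "2024-07-24T09:00:00"},
    {"id": 104, "name_value": "unrelated.org",
     "not_before": "2024-04-01T00:00:00", "not_after": "2024-06-30T00:00:00"},
]

def utc(ts):
    """crt.sh timestamps carry no zone suffix; treat them as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(rows, watched, local_now, max_dist=2):
    """Return (not_yet_valid, lookalikes); assumes `watched` is a two-label domain."""
    not_yet_valid, lookalikes = [], []
    for row in rows:
        for name in row["name_value"].lower().split("\n"):
            base = ".".join(name.lstrip("*.").split(".")[-2:])
            if base == watched:
                wait = (utc(row["not_before"]) - local_now).total_seconds()
                if wait > 0:  # this clock thinks the certificate starts in the future
                    not_yet_valid.append((row["id"], name, int(wait)))
            elif edit_distance(base, watched) <= max_dist:
                lookalikes.append((row["id"], name))
    return not_yet_valid, lookalikes

if __name__ == "__main__":
    # Constructed scenario: the local clock reads 11:59:00 while true time is 12:01:00.
    skewed = datetime(2024, 5, 1, 11, 59, 0, tzinfo=timezone.utc)
    print(triage(ROWS, "example.com", skewed))
```

Passing the current UTC time from a machine with a correctly synced clock as `local_now` should leave the first list empty for certificates that are already in use.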

So check your clocks. It's not enough to be close, you need to be exact. Else you might be p0wnd.