[ipxe-devel] HTTPS with own CA certificate
Michael Brown
mbrown at fensystems.co.uk
Thu Mar 7 17:04:28 UTC 2013
On Thursday 07 Mar 2013 15:38:19 Sven Dreyer wrote:
> Wireshark reveals that the TLS connection is established, but after
> "SSL Client Hello" and "TLSv1 Server Hello, Certificate, Server Hello
> Done", iPXE seems to send a HTTP GET to
> http://ca.ipxe.org/auto/<hex>.der/<ServerCertIssuerAsBase64>
> which produces a 404 error. So this might be the reason for "no such
> file or directory".
This is what happens when the certificate chain as provided by the server is
incomplete (i.e. the chain does not contain all certificates up to _and
including_ the CA root certificate). iPXE attempts to complete the chain by
downloading the remainder from http://ca.ipxe.org/.
Since you are using a private root CA, this obviously won't work. You have
two options:
- provide the CA root certificate as part of the certificate chain published by
the web server. (Other TLS clients do not require this since they store the
CA root certificate locally; iPXE stores only the CA root certificate fingerprint
since the certificate itself is generally too large.)
- use the "crosscert" setting (http://ipxe.org/cfg/crosscert) to provide iPXE
with a location from which to download your CA root certificate.
Michael
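A way to check the first option from a web server host, as an added example that is not part of the list thread or of iPXE itself: split the PEM bundle the server publishes and test whether its last certificate is a self-signed root, i.e. whether the chain is complete enough for iPXE to validate without fetching anything from ca.ipxe.org. It assumes the openssl CLI is installed; the demo root CA and server certificate it generates are constructed for the example.

```shell
#!/bin/sh
# Split a PEM bundle into one file per certificate (cert01.pem, cert02.pem, ...)
# inside a fresh temp dir; print the dir name.
split_chain() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
                   {print > (d "/cert" sprintf("%02d", n) ".pem")}' "$1"
  echo "$dir"
}

# Return 0 when the last certificate in the bundle verifies against itself,
# i.e. it is a self-signed root and the published chain is complete.
# Return 1 when the chain stops at an intermediate (or the leaf), which is the
# situation in which iPXE tries to fetch the missing certificates.
chain_includes_root() {
  dir=$(split_chain "$1")
  last=$(ls "$dir"/cert*.pem | tail -n 1)
  openssl verify -CAfile "$last" "$last" >/dev/null 2>&1
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Constructed demo data: a private root CA ("Demo Private Root", assumed name)
# and a server certificate it signs, bundled both ways. Prints the dir name.
make_demo_chain() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Private Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=boot.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/srv.pem" -days 1 >/dev/null 2>&1
  cat "$d/srv.pem" > "$d/incomplete.pem"             # leaf only: iPXE must fetch
  cat "$d/srv.pem" "$d/ca.pem" > "$d/complete.pem"   # leaf + root: option 1
  echo "$d"
}
```

Point `chain_includes_root` at the bundle your web server actually serves (for example the file named in your TLS chain directive) rather than the demo files.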