[ipxe-devel] HTTPS with own CA certificate
Sven Dreyer
sven at dreyer-net.de
Thu Mar 7 15:38:19 UTC 2013
Hi guys,
I am trying to embed my own root CA certificate in iPXE. But every time iPXE
contacts my Apache server, it throws a "no such file or directory
(2d0c613b)" error.
I checked out the latest release from git (3a8d).
Then I changed
#undef DOWNLOAD_PROTO_HTTPS
to
#define DOWNLOAD_PROTO_HTTPS
in src/config/general.h
Then I compiled iPXE from my home directory using
make TRUST=../../root.crt -C ipxe/src/ bin/ipxe.iso
I also tried an absolute path for the CA certificate file:
make TRUST=/home/sven/root.crt -C ipxe/src/ bin/ipxe.iso
The root.crt file contains a single CA certificate, base64-encoded PEM,
as produced by OpenSSL.
Wireshark reveals that the TLS connection is established, but after
"SSL Client Hello" and "TLSv1 Server Hello, Certificate, Server Hello
Done", iPXE seems to send an HTTP GET to
http://ca.ipxe.org/auto/<hex>.der/<ServerCertIssuerAsBase64>
which produces a 404 error. So this might be the reason for "no such
file or directory".
I hoped that iPXE would accept my server's certificate, since it has
embedded the corresponding root CA certificate. Of course the server's
hostname equals the CN of the server certificate.
Access via wget works without certificate warnings, because I copied my
CA certificate into /etc/ssl/certs (including the symlink to its
fingerprint).
I am pretty sure the certificates are okay since I imported the root CA
certificate to various Linux, Windows, Android and iOS devices and can
access the same webserver without any certificate error message.
The root.crt file seems to be read by the make process: when I rename
the file, the make process complains about being unable to read it.
Is there anything I could do for debugging? Or am I completely wrong?
Any hints appreciated.
Thanks and best regards,
Sven
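As an added example (not part of Sven's post and not iPXE's own code), a small shell script that sanity-checks the file handed to make TRUST=... and tests whether the chain a server presents verifies against that single CA with no system trust store involved, which is the position iPXE is in. It assumes the openssl command-line tool (1.1 or newer) is installed; the host, port and file names are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not iPXE's own code): check the CA file
# passed to "make TRUST=..." and test whether the certificates a server
# sends chain up to that CA alone. Assumes the openssl CLI (1.1+) is
# installed; host:port and file names are placeholders.

# A TRUST file should hold exactly one self-signed CA certificate.
check_root_cert() {   # usage: check_root_cert root.crt
    root="$1"
    [ -r "$root" ] || { echo "cannot read $root"; return 1; }
    count=$(grep -c 'BEGIN CERTIFICATE' "$root" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 certificate, found $count"; return 1; }
    subj=$(openssl x509 -in "$root" -noout -subject)
    iss=$(openssl x509 -in "$root" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "not self-signed"; return 1; }
    openssl x509 -in "$root" -noout -text | grep -q 'CA:TRUE' \
        || { echo "missing basicConstraints CA:TRUE"; return 1; }
    return 0
}

# Pull the certificates the server sends during the handshake (what iPXE
# sees on the wire) into a PEM file, leaf first.
fetch_chain() {   # usage: fetch_chain host:port chain.pem
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' >"$2"
    [ -s "$2" ]
}

# Verify the leaf (first cert in chain.pem) using only root.crt as the
# trust anchor and the rest of the file as untrusted intermediates.
# -no-CApath keeps the system trust store out of it, since iPXE has none.
verify_chain_offline() {   # usage: verify_chain_offline root.crt chain.pem
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then   # e.g. ./check.sh boot.example:443 /home/sven/root.crt
    chain=$(mktemp)
    check_root_cert "$2" && fetch_chain "$1" "$chain" \
        && verify_chain_offline "$2" "$chain" \
        && echo "chain verifies against $2" || echo "chain does NOT verify against $2"
    rm -f "$chain"
fi
```

If the last step fails while wget on the same host succeeds, the difference is usually what the server sends versus what the local system store already holds, which is exactly what this isolates.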