[ipxe-devel] iPXE tries to translate an IPv4 address via DNS if I use the https protocol to chainload the boot process
Michael Brown
mbrown at fensystems.co.uk
Fri Nov 8 13:36:02 UTC 2013
On 04/11/13 04:45, Jens Röwekamp wrote:
> When I switch from http to https with a self-signed certificate and the
> EMBED parameter to include my personal root.ca I get a "Connection
> timed out (http://ipxe.org/4c116035)" error.
>
> I checked the above given URL and found out that the error somehow is
> related to DNS. So I built a new ipxe.kpxe with the EMBED and
> DEBUG=dns:3,https:3 parameters. The additional information I get is "DNS
> 0xd30d4 sending query ID 1" up to "DNS 0xd30d4 sending query ID 5" (see
> attached PXE-Client-https-error.png).
>
> After that I thought about addressing the chainloading host via a valid
> local DNS name. So I set up bind and changed the EMBED script. Now the
> IP address got translated exactly, but there is still a "Connection
> timed out (http://ipxe.org/4c0a6035)" error (see attached
> PXE-Client-https-error-2.png), which is somehow related to the tcp.c
> file on line 633.
My guess is that your certificate chain is incomplete (i.e. the web
server is presenting a certificate chain which does not include the root
certificate), and that iPXE is attempting to download the remainder of
the certificate chain from the ${crosscert} server (which defaults to
http://ca.ipxe.org).
For space reasons, iPXE embeds only the fingerprint of the trusted root
certificate, rather than the whole certificate. It therefore needs to
be able to obtain the root certificate itself at runtime. This root
certificate can be provided by the web server as part of the certificate
chain, but this is a non-standard configuration since web servers
usually assume that clients are already in possession of the complete
root certificate.
The easiest fix is probably to include your root certificate within the
certificate chain presented by the web server.
Michael
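The incomplete-chain condition suspected above can be checked from the server side before touching the iPXE build. The script below is an added example, not code from this thread or from the iPXE project. It uses openssl to build a throwaway CA and server certificate (the names Demo Root CA and boot.example.test, the working directory and the file names are all made up for the example), writes both a leaf-only chain, which is what a typical web server configuration serves, and a leaf-plus-root chain, and reports whether a chain contains a certificate whose SHA-256 fingerprint equals that of the trusted root. Matching on the SHA-256 fingerprint of the DER encoding is this example's stand-in for the fingerprint comparison iPXE performs; treat that detail as an assumption, not as a description of iPXE internals.

```shell
#!/bin/sh
# Added example (not from the thread or from iPXE): does the chain a server
# presents contain the trusted root, judged by SHA-256 fingerprint?
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory, hypothetical

make_demo_pki() {
  # Throwaway root CA and a leaf it signs; CN values are invented.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=boot.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
    -out "$WORK/server.crt" >/dev/null 2>&1
  # Leaf only: the usual web server setup, which assumes the client already
  # holds the root. Leaf followed by root: what iPXE needs to see.
  cp "$WORK/server.crt" "$WORK/chain-incomplete.pem"
  cat "$WORK/server.crt" "$WORK/root.crt" > "$WORK/chain-full.pem"
}

# SHA-256 fingerprint of one PEM certificate, colon-separated hex.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# chain_has_root CHAIN.pem ROOT.pem
# Returns 0 if some certificate in CHAIN has ROOT's fingerprint, else 1.
# For a live server, the chain can be captured with:
#   openssl s_client -showcerts -connect host:443 </dev/null
chain_has_root() {
  want_fp=$(fingerprint "$2")
  split_dir=$(mktemp -d)
  # Split the PEM bundle into one file per certificate.
  awk -v dir="$split_dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
    f != "" { print > f }
  ' "$1"
  found=1
  for c in "$split_dir"/*.pem; do
    [ -f "$c" ] || continue
    if [ "$(fingerprint "$c")" = "$want_fp" ]; then found=0; fi
  done
  rm -rf "$split_dir"
  return $found
}

make_demo_pki
for chain in chain-incomplete chain-full; do
  if chain_has_root "$WORK/$chain.pem" "$WORK/root.crt"; then
    echo "$chain.pem: root present, client needs no external fetch"
  else
    echo "$chain.pem: root missing, a client holding only the fingerprint must fetch it"
  fi
done
```

If the leaf-only result is what your server currently shows, the fix is the one recommended above: point the server's certificate file at the concatenated leaf-plus-root bundle (chain-full.pem here) rather than at the leaf alone, then re-run the check against the live server with the s_client command in the comment.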