[ipxe-devel] https booting

Gerd Hoffmann kraxel at redhat.com
Mon Aug 3 08:04:37 UTC 2020


  Hi,

> > After looking at https://ipxe.org/cfg/crosscert I'm not convinced this
> > is a good idea though.  This would likely put quite some load on
> > ca.ipxe.org.  Also that machine becomes a single point of failure for
> > worldwide ipxe https boot, and looking through the mailing list I've
> > seen we already had (at least) two outages this year.
> 
> The crosscert fetches are static files (with iPXE including a query string
> only for debugging purposes), and it should be fairly straightforward for me
> to switch to hosting them in AWS S3 or equivalent.  The ca.ipxe.org domain
> is not used for anything else so could be pointed at a new hosting
> infrastructure with no disruption or code changes.

It's also simple to create a mirror, for example to serve machines
without direct internet connection.

> I would worry more about the OCSP service for the cross-signed certificates,
> since OCSP does not just serve static responses.  This service is currently
> implemented using openca-ocspd running on a VM in AWS.  I'm very open to
> suggestions on more scalable ways to host this.

How much of the crosscert creation process is (or can be) automated?

Is it an option to update the certificates much more frequently?  Say
generate them every three days, be valid for 7 days (instead of 90)?
Then just don't run an OCSP service?

take care,
  Gerd


