[ipxe-devel] Fwd: Issues with OCSP from ocsp.ipxe.org

Mike Mason mason at packet.com
Fri Jan 3 22:59:06 UTC 2020


Hello,

We've noticed higher than normal issues chain loading domains using https.
Rebuilding ipxe with make DEBUG=tls,x509,validator bin/undionly.kpxe gives
the following error.

VALIDATOR 0x30f04 "netboot.xyz" checking "iPXE cross-signing CA" via http://ocsp.ipxe.org/ocsp/root/MEI...
VALIDATOR 0x30f04 "netboot.xyz" transfer failed: No such file or directory (http://ipxe.org/2d0c613b)

Here I am passing https://boot.netboot.xyz/ipxe/netboot.xyz.lkrn as the
filename in iscdhcpd; however, this has failed with any site I've tested
using https with the same error.

My environment is VMware Workstation with 2 VMs: PXE host and client.
The PXE host is running CentOS 7 with iscdhcpd and tftpd.

iPXE version is latest GitHub master 18dc73d
<https://github.com/ipxe/ipxe/commit/18dc73d27edb55ebe9cb13c58d59af3da3bd374b>
and I have src/config/local/general.h with:
#define DOWNLOAD_PROTO_HTTPS  /* Secure Hypertext Transfer Protocol */
#define NSLOOKUP_CMD          /* DNS resolving command */
#define NTP_CMD               /* NTP commands */

Disabling OCSP_CHECK resolves this error, but we would prefer not to do
that.

It seems to me like the OCSP service might be having issues, but I wanted
to see if similar reports have come in and if someone had any ideas of how
I could go about solving this.

Appreciate the help!
- Mike
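
Added example, not part of the message above and not iPXE project code: a small triage helper that pairs each VALIDATOR "checking ... via" line with the failure later logged under the same validator pointer, so a multi-client DEBUG=validator capture shows which certificate in the chain and which OCSP responder host each failure belongs to. The line layout is assumed from the two lines quoted in the message; the second client and the noise line in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the two VALIDATOR lines quoted in the post;
# the second client (0x31a00, "example.test") is invented to show correlation.
SAMPLE_LOG = """\
VALIDATOR 0x30f04 "netboot.xyz" checking "iPXE cross-signing CA" via http://ocsp.ipxe.org/ocsp/root/MEI...
VALIDATOR 0x31a00 "example.test" checking "iPXE cross-signing CA" via http://ocsp.ipxe.org/ocsp/root/MEI...
unrelated debug output that the parser must skip
VALIDATOR 0x30f04 "netboot.xyz" transfer failed: No such file or directory (http://ipxe.org/2d0c613b)
"""

LINE = re.compile(r'^VALIDATOR (0x[0-9a-fA-F]+) "([^"]*)" (.+)$')
CHECK = re.compile(r'^checking "([^"]*)" via (\S+)$')
FAIL = re.compile(r'^(\w[\w ]*?) failed: (.+?)(?: \((http://ipxe\.org/[0-9a-f]{8})\))?$')


def triage(log):
    """Pair each 'checking ... via <uri>' line with the failure logged later
    under the same validator pointer; return one record per OCSP check."""
    pending, records = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not validator output
        ptr, subject, rest = m.groups()
        if (c := CHECK.match(rest)):
            rec = {"validator": ptr, "subject": subject,
                   "checked_cert": c.group(1),
                   "responder": urlsplit(c.group(2)).hostname,
                   "stage": None, "reason": None, "error_url": None}
            pending[ptr] = rec
            records.append(rec)
        elif (f := FAIL.match(rest)) and ptr in pending:
            rec = pending.pop(ptr)
            rec["stage"], rec["reason"], rec["error_url"] = f.groups()
    return records


def failing_responders(records):
    """Map responder host -> subjects whose validation failed at that host."""
    out = {}
    for r in records:
        if r["stage"] is not None:  # None means no outcome was logged
            out.setdefault(r["responder"], []).append(r["subject"])
    return out
```

A record whose stage stays None had no outcome in the capture, which separates a truncated log from a responder-side failure.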