[ipxe-devel] HTTPS & iPXE
Michael Brown
mcb30 at ipxe.org
Sun Jan 12 14:14:36 UTC 2020
On 11/01/2020 15:28, Ibrahim Tachijian wrote:
> And all fail because of certificate issues.
> The documentation on https://ipxe.org/crypto mentions that,
>
> In the default configuration, iPXE trusts only a single root
> certificate: the "iPXE root CA" certificate
> <https://ipxe.org/_media/certs/ca.crt>. This root certificate is
> used to cross-sign the standard Mozilla list of public CA
> certificates
> <http://mxr.mozilla.org/comm-central/source/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>.
>
> Do I need to download the iPXE root CA and compile it in? If so, how?

No; the iPXE root CA fingerprint is compiled in by default:

https://github.com/ipxe/ipxe/blob/master/src/crypto/rootcert.c#L51

The issues you are experiencing are most likely because the iPXE OCSP
service is still down following a hardware death. Replacement is
currently stalled pending the existence of a suitable ocspd package for
Fedora; the version in the Fedora repos is more than ten years out of date.

Michael