[ipxe-devel] HTTPS & iPXE
Ibrahim Tachijian
barhom at gmail.com
Tue Jan 14 19:54:15 UTC 2020
>
> The issues you are experiencing are most likely because the iPXE OCSP
> service is still down following a hardware death. Replacement is
> currently stalled pending the existence of a suitable ocspd package for
> Fedora; the version in the Fedora repos is more than ten years out of date.
How does this work exactly?
I mean, if my HTTPS certificate is based on Let's Encrypt, then am I still
dependent on some service (OCSP?) from iPXE to function?
Can I work around this and still "trust what Mozilla trusts"?
On Sun, Jan 12, 2020, 15:14 Michael Brown <mcb30 at ipxe.org> wrote:
> On 11/01/2020 15:28, Ibrahim Tachijian wrote:
> > And all fail because of certificate issues.
> > The documentation on https://ipxe.org/crypto mentions that,
> >
> > In the default configuration, iPXE trusts only a single root
> > certificate: the "iPXE root CA" certificate
> > <https://ipxe.org/_media/certs/ca.crt>. This root certificate is
> > used to cross-sign the standard Mozilla list of public CA
> > certificates
> > <http://mxr.mozilla.org/comm-central/source/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>.
> >
> > Do I need to download the iPXE root ca and compile it in? If so how?
>
> No; the iPXE root CA fingerprint is compiled in by default:
>
> https://github.com/ipxe/ipxe/blob/master/src/crypto/rootcert.c#L51
>
> The issues you are experiencing are most likely because the iPXE OCSP
> service is still down following a hardware death. Replacement is
> currently stalled pending the existence of a suitable ocspd package for
> Fedora; the version in the Fedora repos is more than ten years out of date.
>
> Michael
>
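The quoted documentation says iPXE trusts a single root and relies on that root cross-signing the public CAs, which is why a chain that a browser accepts can still fail to validate inside iPXE until the cross-signed certificate for the issuing CA is available. The following is an added example, not code from this thread or from the iPXE project: it builds a constructed "iPXE root", a constructed "public CA", a leaf certificate for a boot server, and a cross-certificate for the public CA's key issued by the constructed root, then uses openssl's verifier (standing in for iPXE's) to show the three outcomes. All names and CAs are constructed for the demonstration; openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or iPXE): models root-CA cross-signing.
# Requires openssl >= 1.1.1; all certificates here are constructed locally.
set -eu

# Self-signed CA with an EC key; 'req -x509' emits CA:TRUE by default.
make_ca() {  # $1=workdir $2=file-stem $3=CN
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$3" -days 365 \
        >/dev/null 2>&1
}

# Print OK or FAIL for one 'openssl verify' attempt (flags are passed through).
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

cross_sign_demo() {
    d=$(mktemp -d)

    # Constructed trust anchors: the single root iPXE would carry, and a
    # public CA of the kind found in the Mozilla bundle.
    make_ca "$d" ipxe-root "iPXE root CA (constructed)"
    make_ca "$d" public-ca "Public CA (constructed)"

    # Boot-server leaf certificate, issued by the public CA as a real
    # server certificate would be.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/leaf.key" 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=boot.example.com" \
        -out "$d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:boot.example.com\n' \
        > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/public-ca.crt" \
        -CAkey "$d/public-ca.key" -CAcreateserial -days 365 \
        -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1

    # Cross-certificate: the public CA's existing key and name, re-certified
    # by the constructed root. This is what lets a root-only trust store
    # accept chains that end at the public CA.
    openssl req -new -key "$d/public-ca.key" \
        -subj "/CN=Public CA (constructed)" -out "$d/cross.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/cross.ext"
    openssl x509 -req -in "$d/cross.csr" -CA "$d/ipxe-root.crt" \
        -CAkey "$d/ipxe-root.key" -CAcreateserial -days 365 \
        -extfile "$d/cross.ext" -out "$d/cross.crt" >/dev/null 2>&1

    # 1. A browser-style store that trusts the public CA directly: OK.
    browser=$(check -CAfile "$d/public-ca.crt" "$d/leaf.crt")
    # 2. A store holding only the root, with no cross-certificate: FAIL.
    direct=$(check -CAfile "$d/ipxe-root.crt" "$d/leaf.crt")
    # 3. Same root, but the cross-certificate is supplied as chain material: OK.
    cross=$(check -CAfile "$d/ipxe-root.crt" -untrusted "$d/cross.crt" \
        "$d/leaf.crt")

    rm -rf "$d"
    echo "browser=$browser direct=$direct cross=$cross"
}

cross_sign_demo
```

Case 2 is the failure mode discussed in the thread: the root by itself cannot validate the chain, and the cross-certificate has to come from somewhere. Case 3 shows that once it is present, no change to the trusted root set is needed.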