[ipxe-devel] HTTPS & iPXE
Michael Brown
mcb30 at ipxe.org
Tue Jan 14 22:17:40 UTC 2020
On 14/01/2020 19:54, Ibrahim Tachijian wrote:
> The issues you are experiencing are most likely because the iPXE OCSP
> service is still down following a hardware death. Replacement is
> currently stalled pending the existence of a suitable ocspd package for
> Fedora; the version in the Fedora repos is more than ten years out
> of date.
>
> How does this work exactly?
> I mean, if my https certificate is based on letsencrypt, then am I still
> dependent on some service (ocsp?) from ipxe to function?
>
> Can I work around this and still "trust what Mozilla trusts"?
The root problem is that the Mozilla root certificate list is far too
large (150kB) to embed within the iPXE binary.

The way that iPXE works around this is to instead embed the 32-byte
SHA-256 fingerprint of a single "iPXE root CA" certificate (which is the
certificate that can be downloaded from https://ca.ipxe.org/ca.crt).
This "iPXE root CA" certificate is used to cross-sign every root
certificate trusted by Mozilla, and a mechanism exists to allow iPXE to
automatically download these cross-signed certificates as needed. There
is a reasonable explanation of this at
https://ipxe.org/cfg/crosscert

This cross-signed certificate chain includes OCSP checks; this is the
part that is currently failing.
Michael
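The trust model Michael describes (a client that embeds only the SHA-256 fingerprint of one root, and reaches every other root through certificates cross-signed by it) can be reproduced end to end with Go's standard library. The program below is an added illustration, not iPXE code and not the real iPXE root CA or any Mozilla root: it generates a throwaway "pinned root", a throwaway "public root", a cross-signed copy of the public root's key issued by the pinned root, and a server certificate for the constructed hostname `boot.example.test`. It then verifies the server certificate against a pool that contains nothing but the pinned root, once with the cross-signed certificate available (as iPXE would have after downloading it) and once without. The OCSP step that is currently failing for iPXE is not modelled here; this only shows why the cross-signed certificate is needed at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed toy PKI, regenerated on every run. None of these
// certificates are the real iPXE root CA or a real Mozilla root.
type Scenario struct {
	PinnedRoot *x509.Certificate // stands in for the "iPXE root CA"
	Pin        string            // SHA-256 fingerprint of PinnedRoot (what iPXE embeds)
	PublicRoot *x509.Certificate // stands in for a Mozilla-trusted root (self-signed)
	CrossCert  *x509.Certificate // PublicRoot's subject and key, re-signed by PinnedRoot
	Leaf       *x509.Certificate // server certificate issued by PublicRoot
}

const hostname = "boot.example.test" // constructed hostname for the toy server

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate returns a CA certificate template with the given subject name.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// issue signs template under parent with issuerKey; parent == template gives a self-signed cert.
func issue(template, parent *x509.Certificate, pub interface{}, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Fingerprint is the SHA-256 over the DER encoding: the 32-byte value a client
// can embed instead of a full root list.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Build generates the toy hierarchy: pinned root, public root, cross-signed
// public root, and a leaf issued by the public root.
func Build() *Scenario {
	pinnedKey, publicKey, leafKey := newKey(), newKey(), newKey()
	pinnedTpl := caTemplate("Toy iPXE root CA", 1)
	pinned := issue(pinnedTpl, pinnedTpl, &pinnedKey.PublicKey, pinnedKey)
	publicTpl := caTemplate("Toy public root CA", 2)
	publicRoot := issue(publicTpl, publicTpl, &publicKey.PublicKey, publicKey)
	// Cross-signing: same subject name and public key as publicRoot, but the
	// signature comes from the pinned root rather than from publicRoot itself.
	cross := issue(caTemplate("Toy public root CA", 3), pinned, &publicKey.PublicKey, pinnedKey)
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTpl, publicRoot, &leafKey.PublicKey, publicKey)
	return &Scenario{PinnedRoot: pinned, Pin: Fingerprint(pinned), PublicRoot: publicRoot, CrossCert: cross, Leaf: leaf}
}

// VerifyWithPin mirrors the client side: accept the root only if its fingerprint
// matches the embedded pin, trust nothing else, and try to chain the leaf to it
// with or without the downloaded cross-signed certificate.
func VerifyWithPin(s *Scenario, pin string, haveCrossCert bool) error {
	if got := Fingerprint(s.PinnedRoot); got != pin {
		return fmt.Errorf("root fingerprint %s does not match pin %s", got, pin)
	}
	roots := x509.NewCertPool()
	roots.AddCert(s.PinnedRoot)
	intermediates := x509.NewCertPool()
	if haveCrossCert {
		intermediates.AddCert(s.CrossCert)
	}
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: hostname})
	return err
}

func main() {
	s := Build()
	fmt.Println("pinned fingerprint:       ", s.Pin)
	fmt.Println("with cross-signed cert:   ", VerifyWithPin(s, s.Pin, true))
	fmt.Println("without cross-signed cert:", VerifyWithPin(s, s.Pin, false))
}
```

Running it prints the pin, `<nil>` (success) for the verification that has the cross-signed certificate, and an unknown-authority error for the one that does not. That second result is the situation an iPXE client is in whenever it cannot fetch the cross-signed certificate for the server's root, which is why the download mechanism (and the OCSP check attached to it) sits in the critical path even when the server's own certificate is from a well-known CA such as Let's Encrypt.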