[ipxe-devel] HTTPS & iPXE
Michael Brown
mcb30 at ipxe.org
Wed Jan 15 01:11:59 UTC 2020
On 14/01/2020 22:17, Michael Brown wrote:
> This "iPXE root CA" certificate is used to cross-sign every root
> certificate trusted by Mozilla, and a mechanism exists to allow iPXE to
> automatically download these cross-signed certificates as needed. There
> is a reasonable explanation of this at
>
> https://ipxe.org/cfg/crosscert
>
> This cross-signed certificate chain includes OCSP checks; this is the
> part that is currently failing.

The OCSP server should now be functional again. I have given up hope of
finding time to properly package the OpenCA ocspd for Fedora, and I gave
up hope almost immediately upon reading the documentation for the
alternative Dogtag PKI OCSP server.

The solution now in place uses the extremely out-of-date OpenCA ocspd
present in Fedora, running a separate daemon for each CA, with a quick
and dirty WSGI script used to dispatch requests to the appropriate backend.

Please let us know if your OCSP problems are now fixed.

Thanks,

Michael
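
Added illustration, not part of the message above and not the script it mentions (which is not shown): one way a WSGI front end could dispatch OCSP requests to per-CA responder daemons is to route on the issuerKeyHash in the request's CertID. The routing key, backend URLs, 4096-byte body cap and POST-only handling are assumptions, and the sample request is constructed.

```python
import urllib.request

# Hypothetical routing table: hex issuerKeyHash -> URL of that CA's responder daemon.
BACKENDS = {"aa" * 20: "http://127.0.0.1:2560/", "bb" * 20: "http://127.0.0.1:2561/"}
# Unsigned error replies, OCSPResponse ::= SEQUENCE { ENUMERATED status }.
MALFORMED, TRY_LATER, UNAUTHORIZED = (bytes.fromhex("30030a01" + s) for s in ("01", "03", "06"))
# Constructed OCSPRequest (SHA-1 CertID, serial 1) whose issuerKeyHash is bb..bb.
SAMPLE = bytes.fromhex("30423040303e303c303a300906052b0e03021a05000414"
                       + "11" * 20 + "0414" + "bb" * 20 + "020101")

def tlv(buf, off, want=None):              # one DER TLV -> (tag, value_start, value_end)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf) or (want is not None and tag != want):
        raise ValueError("truncated or unexpected element")
    return tag, off, off + length

def issuer_key_hash(der):
    """issuerKeyHash of the first CertID in a DER OCSPRequest (RFC 6960)."""
    _, off, _ = tlv(der, 0, 0x30)          # OCSPRequest
    _, off, _ = tlv(der, off, 0x30)        # TBSRequest
    while der[off] in (0xA0, 0xA1):        # skip optional version / requestorName
        off = tlv(der, off)[2]
    for _level in range(3):                # requestList -> Request -> CertID
        _, off, _ = tlv(der, off, 0x30)
    _, _, off = tlv(der, off, 0x30)        # hashAlgorithm (skipped)
    _, _, off = tlv(der, off, 0x04)        # issuerNameHash (skipped)
    _, start, end = tlv(der, off, 0x04)    # issuerKeyHash
    return der[start:end]

def post(url, der):                        # relay to one backend, return its DER reply
    req = urllib.request.Request(url, der, {"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def app(environ, start_response, forward=post):   # WSGI entry point, POST only
    try:
        body = environ["wsgi.input"].read(min(int(environ.get("CONTENT_LENGTH") or 0), 4096))
        backend = BACKENDS.get(issuer_key_hash(body).hex())
        reply = UNAUTHORIZED if backend is None else forward(backend, body)
    except (ValueError, IndexError):       # not parseable as an OCSPRequest
        reply = MALFORMED
    except OSError:                        # backend daemon down or timed out
        reply = TRY_LATER
    start_response("200 OK", [("Content-Type", "application/ocsp-response")])
    return [reply]
```

The front end only reads enough of the request to choose a backend; signing and revocation lookup stay in the per-CA daemon. A deployment would also need the GET form described in RFC 6960 Appendix A.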