[ipxe-devel] Sectigo/UserTrust certificates not supported

Adam Baxter voltagex at voltagex.org
Sun Jun 7 07:30:30 UTC 2020


Hi all,
I'm trying to boot a kernel image from https://ewr.edge.kernel.org/fedora-buffet/fedora/linux/releases/32/Server/x86_64/os/images/pxeboot/vmlinuz via packet.net's iPXE. I can replicate the issue I'm getting with a local build of iPXE from Git.

X509 chain 0xf3fe4 added X509 0xf5da4 "*.edge.kernel.org"
X509 chain 0xf3fe4 added X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA"
X509 chain 0xf3fe4 added X509 0xfbce4 "USERTrust RSA Certification Authority"
.X509 0xf5da4 "*.edge.kernel.org" is valid (at time 1591514259)
X509 0xf5da4 "*.edge.kernel.org" is not a root certificate
X509 0xf5da4 "*.edge.kernel.org" has no issuer
X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" is valid (at time 1591514259)
X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" is not a root certificate
X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" has no issuer
X509 0xfbce4 "USERTrust RSA Certification Authority" is valid (at time 1591514259)
X509 0xfbce4 "USERTrust RSA Certification Authority" is not a root certificate
X509 0xfbce4 "USERTrust RSA Certification Authority" has no issuer

curl on the box that I built my debug copy of iPXE verifies it OK - I thought they both used the same set of certificates?

* Server certificate:
*  subject: CN=*.edge.kernel.org
*  start date: Mar 16 00:00:00 2020 GMT
*  expire date: Mar 16 23:59:59 2021 GMT
*  subjectAltName: host "ewr.edge.kernel.org" matched cert's "*.edge.kernel.org"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.

My next step will be trying to chain from packet.net's iPXE to my own with these specific certificates in them.

Thanks,
Adam

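The log above is what a chain walker prints when every certificate it received names an issuer it cannot find in its own trust store, even though the server sent the whole chain up to and including the root. curl succeeds because it consults the host's CA bundle, which contains the UserTrust root; a self-built iPXE only trusts whatever was compiled in. The following script is an added example, not code from the original post or from the iPXE project: it generates a throw-away three-tier chain with openssl and then verifies the same leaf and intermediate against two different trust stores, reproducing the "verified here, rejected there" situation with a single command. All names (Example Root CA, Example Intermediate CA, *.example.test, Unrelated Root CA) are constructed stand-ins for the UserTrust/Sectigo/kernel.org chain, and the script assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): same chain, different trust stores.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension files so the CA flags do not depend on the local openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext

# Self-signed root, standing in for "USERTrust RSA Certification Authority".
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 \
  -extfile ca.ext 2>/dev/null

# Intermediate signed by the root, standing in for the Sectigo issuing CA.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile ca.ext 2>/dev/null

# Leaf signed by the intermediate, standing in for "*.edge.kernel.org".
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile leaf.ext 2>/dev/null

# A second, unrelated self-signed root: a trust store that lacks the real root,
# which is the position a freshly built iPXE is in for this chain.
openssl req -new -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
  -subj "/CN=Unrelated Root CA" 2>/dev/null
openssl x509 -req -in other.csr -signkey other.key -out other.pem -days 2 \
  -extfile ca.ext 2>/dev/null

# verdict <trust-store.pem>: verify the leaf using the server-supplied
# intermediate (-untrusted, like the chain in the TLS handshake) against the
# given trust store. Prints VERIFIED or REJECTED; the exit status stays 0 so
# the script can show both outcomes under set -e.
verdict() {
  if openssl verify -CAfile "$1" -untrusted inter.pem leaf.pem >/dev/null 2>&1; then
    echo "VERIFIED with $1"
  else
    echo "REJECTED with $1"
  fi
}

# A store that contains both roots behaves like the system bundle curl uses.
cat other.pem root.pem > both.pem

verdict root.pem    # VERIFIED with root.pem
verdict other.pem   # REJECTED with other.pem
verdict both.pem    # VERIFIED with both.pem

# Against a live host the same comparison is:
#   openssl s_client -connect ewr.edge.kernel.org:443 -showcerts </dev/null
# to capture the served chain, then openssl verify with -CAfile pointing at the
# CA bundle you intend to embed.
```

The middle verdict is the iPXE log in miniature: the intermediate and root are present and chain to each other by name, but nothing in the store vouches for the root, so the whole path is rejected. Adding the root to the store (the third verdict) is the only change needed. For iPXE itself the documented route is to embed the desired root at build time (the `TRUST=` build option described at ipxe.org/crypto), which is the chainload-to-a-custom-build approach the post ends on.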
