[ipxe-devel] Sectigo/UserTrust certificates not supported
Geert Stappers
stappers at stappers.nl
Sun Jun 7 07:37:05 UTC 2020
On Sun, Jun 07, 2020 at 05:30:30PM +1000, Adam Baxter wrote:
> Hi all,
> I'm trying to boot a kernel image from https://ewr.edge.kernel.org/fedora-buffet/fedora/linux/releases/32/Server/x86_64/os/images/pxeboot/vmlinuz via packet.net's iPXE. I can replicate the issue I'm getting with a local build of iPXE from Git.
>
> X509 chain 0xf3fe4 added X509 0xf5da4 "*.edge.kernel.org"
> X509 chain 0xf3fe4 added X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA"
> X509 chain 0xf3fe4 added X509 0xfbce4 "USERTrust RSA Certification Authority"
> .X509 0xf5da4 "*.edge.kernel.org" is valid (at time 1591514259)
> X509 0xf5da4 "*.edge.kernel.org" is not a root certificate
> X509 0xf5da4 "*.edge.kernel.org" has no issuer
> X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" is valid (at time 1591514259)
> X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" is not a root certificate
> X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" has no issuer
> X509 0xfbce4 "USERTrust RSA Certification Authority" is valid (at time 1591514259)
> X509 0xfbce4 "USERTrust RSA Certification Authority" is not a root certificate
> X509 0xfbce4 "USERTrust RSA Certification Authority" has no issuer
>
> curl on the box that I built my debug copy of iPXE on verifies it OK - I thought they both used the same set of certificates?
>
> * Server certificate:
> * subject: CN=*.edge.kernel.org
> * start date: Mar 16 00:00:00 2020 GMT
> * expire date: Mar 16 23:59:59 2021 GMT
> * subjectAltName: host "ewr.edge.kernel.org" matched cert's "*.edge.kernel.org"
> * issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
> * SSL certificate verify ok.
>
> My next step will be trying to chain from packet.net's iPXE to my own with these specific certificates in it.
LOL
Regards
Geert Stappers
--
Silence is hard to parse