[ipxe-devel] Sectigo/UserTrust certificates not supported

Geert Stappers stappers at stappers.nl
Sun Jun 7 07:37:05 UTC 2020


On Sun, Jun 07, 2020 at 05:30:30PM +1000, Adam Baxter wrote:
> Hi all,
> I'm trying to boot a kernel image from https://ewr.edge.kernel.org/fedora-buffet/fedora/linux/releases/32/Server/x86_64/os/images/pxeboot/vmlinuz via packet.net's iPXE. I can replicate the issue I'm getting with a local build of iPXE from Git.
> 
> X509 chain 0xf3fe4 added X509 0xf5da4 "*.edge.kernel.org"
> X509 chain 0xf3fe4 added X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA"
> X509 chain 0xf3fe4 added X509 0xfbce4 "USERTrust RSA Certification Authority"
> .X509 0xf5da4 "*.edge.kernel.org" is valid (at time 1591514259)
> X509 0xf5da4 "*.edge.kernel.org" is not a root certificate
> X509 0xf5da4 "*.edge.kernel.org" has no issuer
> X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" is valid (at time 1591514259)
> X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" is not a root certificate
> X509 0xfb614 "Sectigo RSA Domain Validation Secure Server CA" has no issuer
> X509 0xfbce4 "USERTrust RSA Certification Authority" is valid (at time 1591514259)
> X509 0xfbce4 "USERTrust RSA Certification Authority" is not a root certificate
> X509 0xfbce4 "USERTrust RSA Certification Authority" has no issuer
> 
> curl on the box that I built my debug copy of iPXE on verifies it OK - I thought they both used the same set of certificates?
> 
> * Server certificate:
> *  subject: CN=*.edge.kernel.org
> *  start date: Mar 16 00:00:00 2020 GMT
> *  expire date: Mar 16 23:59:59 2021 GMT
> *  subjectAltName: host "ewr.edge.kernel.org" matched cert's "*.edge.kernel.org"
> *  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
> *  SSL certificate verify ok.
> 
> My next step will be trying to chain from packet.net's iPXE to my own with these specific certificates in it.

LOL


Regards
Geert Stappers
-- 
Silence is hard to parse

