[ipxe-devel] ipxe.org OSCP server issues?
stappers at stappers.nl
Mon Aug 21 17:57:31 UTC 2023
On Mon, Nov 26, 2018 at 03:26:20PM +0000, Michael Brown wrote:
> On 15/11/2018 21:21, Stephen Soltesz wrote:
> > Are there any known issues with the ipxe.org <http://ipxe.org> OSCP
> > servers?
> > Yesterday I was able to boot a test server but today I'm getting an
> > error message for http://ipxe.org/err/432fe3
> On 16/11/2018 18:32, Damien Radtke wrote:
> > I was attempting to boot a new server via Vultr using an iPXE
> > script, and was given an error message directing me to
> > http://ipxe.org/err/432fe3. I also tried to connect to IRC to ask about
> > it, but either my chat client or the server didn't seem to be working
> > properly. Is the OCSP server down, and if so is there a timeframe for
> > when it will be back up?
> I missed the start of November OCSP reissuing, sorry. This should now be
> working again.
> ipxe-devel mailing list
To me it seems some simular actions is needed.
20:34 -!- Guest72 [~Guest72 at redacted] has joined #ipxe
20:38 < Guest72> Hi there, I faced unknown behavior when I tried to load
linux kernel image via ipxe (error https://ipxe.org/432fe398 which is
related to OCSP). I'm using https. I compiled ipxe binary with option
DEBUG=ocsp, but nothing useful was in debug output. I'm wondering if
ipxe ocsp server alive ?
20:40 < Guest72> It worked perfect today, but 1-2 hours ago it just
stopped working and I got error.
21:22 < stappers> That brings back memories of expired certificates
21:24 < Guest72> which certificate exactly ? This error showed while
trying to download kernel image with initrd
21:26 < Guest72> should I debug rather with full tls debugging ?
21:27 < stappers> OCSP
21:28 < stappers> in response to 'which certificate'
21:42 < Guest72> When I run it with DEBUG=ocsp, it shows me
this (I put snippets from debug): Starting Ubuntu installer
https://[some-amazon-s3-bucket]/vmlinuz ..... [OCSP iPXE
cross-signing CA] OCSP 0x494fb568 "iPXE cross-singning CA"
successfully validated using "iPXE root CA OCSP responder" OCSP
0x494fb568 ..... "4b12a4f9c.......91af",
21:42 < Guest72> followed by error 0x432fe398
21:42 < Guest72> And that's all
21:43 < Guest72> I don't think that amazon's certificate has expired,
since I can access it via browser
21:54 < stappers> Is the OCSP server is working?
(as adviced by https://ipxe.org/err/432fe3)
22:45 < Guest72> How to check it ? I guess I use OCSP which
provided by iPXE
22:45 < Guest72> mcb30 can you advice something, please ?
Day changed to 17 aug 2023
00:02 < Guest72> Update: I moved my vmlinuz and initrd files to another
https server and it worked! I guess some problem with Amazon s3
00:05 < stappers> Acknowledge
01:28 -!- Guest72 [~Guest72 at redacted] has quit [Quit: Client closed]
01:48 -!- Guest72 [~Guest72 at redacted] has joined #ipxe
02:09 -!- Guest72 [~Guest72 at redacted] has quit [Quit: Client closed]
03:15 -!- Guest72 [~Guest72 at redacted] has joined #ipxe
03:20 -!- Guest72 [~Guest72 at redacted] has quit [Quit: Client closed]
Day changed to 18 aug 2023
11:53 -!- Guest61 [~Guest61 at redated1] has joined #ipxe
12:05 < Guest61> Hi guys, i'm t-shooting TLS issue noticed
yesterday, during the chain OCSP check is required for root
certificate "DigiCert Global Root G2" which is make via URI
http://ocsp.ipxe.org/ocsp/cross/... and results in response status 3
and eventually certificate validation failed
12:07 < Guest61> undefining OCSP_CHECK seems to help but doubt it's a
12:13 < Guest61> i wonder if http://ocsp.ipxe.org is the right ocsp
responder for said certificate
12:15 < Guest61> and what does response status 3 mean? unknown
12:59 -!- Guest61 [~Guest61 at redacted1] has quit [Quit: Client closed]
13:02 -!- Guest61 [~Guest61 at redacted1] has joined #ipxe
16:41 -!- Guest61 [~Guest61 at redacted1] has quit [Quit: Client closed]
Day changed to 19 aug 2023
00:55 -!- Guest98 [~Guest35 at redacted2] has joined #ipxe
00:58 < Guest98> hi all, im getting an 0x432fe398 error message
(https://ipxe.org/432fe398) when trying to chain load and ipxe boot
file hosted on our server
00:58 < Guest98> the error page mentions the iPXE OCSP server may be
having problems. is that at all true?
01:24 -!- Guest98 [~Guest35 at redacted2] has quit [Quit: Client closed]
Day changed to 20 aug 2023
Day changed to 21 aug 2023
15:01 -!- p6r [~p6r at redacted3] has joined #ipxe
15:01 < p6r> hi
15:01 < p6r> just double checking that there s no curent issues with
15:03 < p6r> wget http://ca.ipxe.org/cross-ca.crt && wget
https://ca.ipxe.org/ca.crt && openssl x509 -in cross-ca.crt -ocsp_uri
-noout && openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url
15:04 < p6r> Response Verify Failure : Unable to get local issuer
certificate , self signed certificate in certificate chain
15:04 < p6r> But i have no real idea of how ocsp works
16:30 -!- p6r [~p6r at redacted3] has quit [Quit: Leaving]
18:07 < stappers> warthog9: Do you have access to "OSCP server"? [y/n]
18:27 -!- U8n [~U8 at redacted4] has joined #ipxe
18:31 < U8n> Hi everyone
18:31 < U8n> can you guys help me to identify which side is the problem
we are facing?
18:31 < U8n> I am trying to use iPXE to install EKS Anywhere on Bare
Metal(so technically not a bare-metal, but EC2 instances with iPXE
AMI on boot). Everything worked for my PoC project till last Tuesday
18:31 < U8n> http://10.1.0.22/phone-home... ok
18:31 < U8n> https://anywhere-assets.eks.amazonaws.com/releases/bundles/30/artifacts/hook/6d43b8b3REDACTEDa9aa98248d7a2/vmlinuz-x86_64...X509 chain 0xf44a4 added X509 0xf5804 "anywhere-assets.eks.amazonaws.com"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf6804 "Amazon RSA 2048 M01"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf9434 "Amazon Root CA 1"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf9994 "Starfield Services Root Certificate Authority - G2"
18:31 < U8n> X509 chain 0xf44a4 found no usable certificates
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8094 "4b12a4f9c47d8e56aebcc69d035e849a1fb30146"
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8564 "iPXE cross-signing CA"
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8984 "iPXE root CA"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8094 "4b12a4f9c47d8e56aebcc69d035e849a1fb30146"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8564 "iPXE cross-signing CA"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8984 "iPXE root CA"
18:31 < U8n> X509 0xf8984 "iPXE root CA" is a root certificate
18:31 < U8n> X509 0xf8564 "iPXE cross-signing CA" requires an OCSP check
18:31 < U8n> . [OCSP iPXE cross-signing CA]X509 0xf7a44 "iPXE root CA
OCSP responder" successfully validated using issuer 0xf8984 "iPXE
18:32 < U8n> sorry, not very used to IRC chats. They don't have any
formatting features as far as I know.
18:43 < stappers> FWIW: Color came through (at least to me)
18:44 * stappers scrolls back ...
18:55 < stappers> Day changed to 17 aug 2023
18:56 < stappers> 00:02 < Guest72> Update: I moved my vmlinuz and initrd
files to another https server and it worked! I guess some problem
with Amazon s3 bucket :-\
18:56 < stappers> 00:05 < stappers> Acknowledge
19:00 < stappers> U8n: Do note that Guest72 used the words "I guess
some problems" and do read my "Acknowledge" as just on acknowledge
on the update.
19:01 < U8n> stappers so you are saying it is aws s3 bucked or you
answered to someone else?
19:08 < stappers> U8n: Guest72 left after update '2023-08-17 00:02 UTC+2'.
19:08 < U8n> stappers I see, thanks
19:09 < stappers> :-)
Silence is hard to parse
More information about the ipxe-devel