[ipxe-devel] ipxe.org OCSP server issues?

Geert Stappers stappers at stappers.nl
Mon Aug 21 17:57:31 UTC 2023


On Mon, Nov 26, 2018 at 03:26:20PM +0000, Michael Brown wrote:
> On 15/11/2018 21:21, Stephen Soltesz wrote:
> > Are there any known issues with the ipxe.org <http://ipxe.org> OCSP
> > servers?
> > 
> > Yesterday I was able to boot a test server but today I'm getting an
> > error message for http://ipxe.org/err/432fe3
> 
> On 16/11/2018 18:32, Damien Radtke wrote:
> > I was attempting to boot a new server via Vultr using an iPXE
> > script, and was given an error message directing me to
> > http://ipxe.org/err/432fe3. I also tried to connect to IRC to ask about
> > it, but either my chat client or the server didn't seem to be working
> > properly. Is the OCSP server down, and if so is there a timeframe for
> > when it will be back up?
> 
> I missed the start of November OCSP reissuing, sorry.  This should now be
> working again.
> 
> Michael

To me it seems some similar action is needed.


20:34 -!- Guest72 [~Guest72 at redacted] has joined #ipxe
20:38 < Guest72> Hi there, I faced unknown behavior when I tried to load a
   Linux kernel image via ipxe (error https://ipxe.org/432fe398, which is
   related to OCSP). I'm using https. I compiled the ipxe binary with option
   DEBUG=ocsp, but nothing useful was in the debug output. I'm wondering if
   the ipxe ocsp server is alive?
20:40 < Guest72> It worked perfectly today, but 1-2 hours ago it just
   stopped working and I got an error.
21:22 < stappers> That brings back memories of expired certificates
21:24 < Guest72> Which certificate exactly? This error showed while
   trying to download the kernel image with initrd
21:26 < Guest72> Should I rather debug with full TLS debugging?
21:27 < stappers> OCSP
21:28 < stappers> in response to 'which certificate'
21:42 < Guest72> When I run it with DEBUG=ocsp, it shows me
   this (I put snippets from the debug output): Starting Ubuntu installer
   https://[some-amazon-s3-bucket]/vmlinuz ..... [OCSP iPXE
   cross-signing CA] OCSP 0x494fb568 "iPXE cross-signing CA"
   successfully validated using "iPXE root CA OCSP responder" OCSP
   0x494fb568 ..... "4b12a4f9c.......91af",
21:42 < Guest72> followed by error 0x432fe398
21:42 < Guest72> And that's all
21:43 < Guest72> I don't think that Amazon's certificate has expired,
   since I can access it via browser
21:54 < stappers> Is the OCSP server working?
       (as advised by https://ipxe.org/err/432fe3)
22:45 < Guest72> How do I check it? I guess I use the OCSP which is
   provided by iPXE
22:45 < Guest72> mcb30 can you advise something, please?
Day changed to 17 aug 2023
00:02 < Guest72> Update: I moved my vmlinuz and initrd files to another
   https server and it worked! I guess some problem with the Amazon S3
   bucket :-\
00:05 < stappers> Acknowledge
01:28 -!- Guest72 [~Guest72 at redacted] has quit [Quit: Client closed]
01:48 -!- Guest72 [~Guest72 at redacted] has joined #ipxe
02:09 -!- Guest72 [~Guest72 at redacted] has quit [Quit: Client closed]
03:15 -!- Guest72 [~Guest72 at redacted] has joined #ipxe
03:20 -!- Guest72 [~Guest72 at redacted] has quit [Quit: Client closed]
Day changed to 18 aug 2023
11:53 -!- Guest61 [~Guest61 at redacted1] has joined #ipxe
12:05 < Guest61> Hi guys, I'm troubleshooting a TLS issue noticed
   yesterday. During the chain validation an OCSP check is required for
   the root certificate "DigiCert Global Root G2", which is made via URI
   http://ocsp.ipxe.org/ocsp/cross/... and results in response status 3
   and eventually certificate validation failed
12:07 < Guest61> undefining OCSP_CHECK seems to help, but I doubt it's the
   proper way
12:13 < Guest61> I wonder if http://ocsp.ipxe.org is the right OCSP
   responder for said certificate
12:15 < Guest61> and what does response status 3 mean? Unknown
   certificate maybe?
12:59 -!- Guest61 [~Guest61 at redacted1] has quit [Quit: Client closed]
13:02 -!- Guest61 [~Guest61 at redacted1] has joined #ipxe
16:41 -!- Guest61 [~Guest61 at redacted1] has quit [Quit: Client closed]
Day changed to 19 aug 2023
00:55 -!- Guest98 [~Guest35 at redacted2] has joined #ipxe
00:58 < Guest98> hi all, I'm getting a 0x432fe398 error message
   (https://ipxe.org/432fe398) when trying to chainload an ipxe boot
   file hosted on our server
00:58 < Guest98> the error page mentions the iPXE OCSP server may be
   having problems. is that at all true?
01:24 -!- Guest98 [~Guest35 at redacted2] has quit [Quit: Client closed]
Day changed to 20 aug 2023
Day changed to 21 aug 2023
15:01 -!- p6r [~p6r at redacted3] has joined #ipxe
15:01 < p6r> hi
15:01 < p6r> just double checking that there are no current issues with
   ocsp ...
15:03 < p6r>  wget http://ca.ipxe.org/cross-ca.crt && wget
   https://ca.ipxe.org/ca.crt && openssl x509 -in cross-ca.crt -ocsp_uri
   -noout && openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url
   http://ocsp.ipxe.org/ocsp/root/
15:04 < p6r> Response Verify Failure: Unable to get local issuer
   certificate, self signed certificate in certificate chain
15:04 < p6r> But I have no real idea of how OCSP works
16:30 -!- p6r [~p6r at redacted3] has quit [Quit: Leaving]
18:07 < stappers> warthog9: Do you have access to the "OCSP server"?  [y/n]
18:27 -!- U8n [~U8 at redacted4] has joined #ipxe
18:31 < U8n> Hi everyone
18:31 < U8n> can you guys help me identify which side the problem
   we are facing is on?
18:31 < U8n> I am trying to use iPXE to install EKS Anywhere on Bare
   Metal (so technically not bare metal, but EC2 instances with an iPXE
   AMI on boot). Everything worked for my PoC project till last Tuesday
   or Wednesday
18:31 < U8n> http://10.1.0.22/phone-home... ok
18:31 < U8n> https://anywhere-assets.eks.amazonaws.com/releases/bundles/30/artifacts/hook/6d43b8b3REDACTEDa9aa98248d7a2/vmlinuz-x86_64...X509 chain 0xf44a4 added X509 0xf5804 "anywhere-assets.eks.amazonaws.com"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf6804 "Amazon RSA 2048 M01"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf9434 "Amazon Root CA 1"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf9994 "Starfield Services Root Certificate Authority - G2"
18:31 < U8n> X509 chain 0xf44a4 found no usable certificates
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8094 "4b12a4f9c47d8e56aebcc69d035e849a1fb30146"
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8564 "iPXE cross-signing CA"
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8984 "iPXE root CA"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8094 "4b12a4f9c47d8e56aebcc69d035e849a1fb30146"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8564 "iPXE cross-signing CA"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8984 "iPXE root CA"
18:31 < U8n> X509 0xf8984 "iPXE root CA" is a root certificate
18:31 < U8n> X509 0xf8564 "iPXE cross-signing CA" requires an OCSP check
18:31 < U8n> . [OCSP iPXE cross-signing CA]X509 0xf7a44 "iPXE root CA
   OCSP responder" successfully validated using issuer 0xf8984 "iPXE
   root CA"
18:32 < U8n> sorry, not very used to IRC chats. They don't have any
   formatting features as far as I know.
18:43 < stappers> FWIW: Color came through (at least to me)
18:44  * stappers scrolls back ...
18:55 < stappers> Day changed to 17 aug 2023
18:56 < stappers> 00:02 < Guest72> Update: I moved my vmlinuz and initrd
   files to another https server and it worked! I guess some problem
   with the Amazon S3 bucket :-\
18:56 < stappers> 00:05 < stappers> Acknowledge
19:00 < stappers> U8n: Do note that Guest72 used the words "I guess
   some problems" and do read my "Acknowledge" as just an acknowledgement
   of the update.
19:01 < U8n> stappers so you are saying it is the AWS S3 bucket, or were
   you answering someone else?
19:08 < stappers> U8n: Guest72 left after update '2023-08-17 00:02 UTC+2'.
19:08 < U8n> stappers I see, thanks
19:09 < stappers>   :-)


Groeten
Geert Stappers
-- 
Silence is hard to parse
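A note on the openssl check p6r typed above, with a runnable version of it.
The "Response Verify Failure ... unable to get local issuer certificate"
that p6r got is about the signature on the OCSP response, not about the
certificate being asked about: openssl ocsp verifies the responder's signing
certificate against its own trust store, and for the iPXE responder that
store has to contain the iPXE root CA (the ca.crt p6r already downloaded),
passed with -CAfile. Guest61's "response status 3" is the OCSPResponseStatus
field of RFC 6960, where 0 is successful, 1 malformedRequest, 2 internalError,
3 tryLater, 5 sigRequired and 6 unauthorized; "unknown", by contrast, is a
per-certificate status carried inside a successful response.

The script below is an added example, not code from the iPXE project or from
anyone in the thread. It builds a throwaway root CA and one certificate
issued by it (standing in for the iPXE cross-signing CA that the U8n log
shows "requires an OCSP check"), answers the OCSP request from an index file
in openssl's responder mode instead of over HTTP, then verifies the stored
response with -CAfile and reports the certificate status as good, revoked or
unknown. All names, the serial 0x1001 and the dates are made up; it needs
only openssl (1.1.1 or 3.x) on PATH and no network access.

```shell
#!/bin/sh
# Added example, not iPXE project code: an offline OCSP round trip with a
# throwaway CA, so the "openssl ocsp" check from the IRC log can be
# reproduced without network access.  All names (Demo root CA, Demo
# cross-signing CA, serial 0x1001, dates) are made up for the demonstration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA plus one certificate issued by it (serial 0x1001); the
# latter plays the part of the cross-signing CA that iPXE insists on checking.
make_ca() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/root.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/root.key" -subj "/CN=Demo root CA" \
        -days 30 -out "$WORK/root.crt" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/cross.key" 2>/dev/null
    openssl req -new -key "$WORK/cross.key" -subj "/CN=Demo cross-signing CA" \
        -out "$WORK/cross.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/cross.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -set_serial 0x1001 -days 30 \
        -out "$WORK/cross.crt" 2>/dev/null
}

# Responder database in "openssl ca" index.txt format, one row per issued cert:
#   status (V/R) TAB expiry TAB revocation date TAB serial TAB file TAB subject
# $1 = V or R, $2 = serial of the row (upper-case hex, as BN_bn2hex prints it).
write_index() {
    if [ "$1" = R ]; then rev=230817000000Z; else rev=; fi
    printf '%s\t301231235959Z\t%s\t%s\tunknown\t/CN=Demo cross-signing CA\n' \
        "$1" "$rev" "$2" > "$WORK/index.txt"
}

# Prints the certificate status ("good", "revoked" or "unknown") that an OCSP
# client sees for cross.crt against whatever index.txt currently says.
ocsp_status() {
    # 1. Build the request (what "openssl ocsp -issuer ca.crt -cert cross-ca.crt"
    #    in the log does before contacting the URL); -no_nonce so the stored
    #    response can be checked again in step 3 without a nonce mismatch.
    openssl ocsp -issuer "$WORK/root.crt" -cert "$WORK/cross.crt" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    # 2. Answer it from the index file in responder mode, in place of
    #    http://ocsp.ipxe.org/ocsp/root/; here the CA signs its own responses.
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/root.crt" \
        -rsigner "$WORK/root.crt" -rkey "$WORK/root.key" -rmd sha256 -ndays 1 \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" -noverify >/dev/null 2>&1
    # 3. Verify the stored response.  -CAfile supplies the trust anchor for the
    #    responder's signature; leave it out and openssl reports the same
    #    "Response Verify Failure ... unable to get local issuer certificate"
    #    as in the log, regardless of the certificate status itself.
    openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/root.crt" \
        -cert "$WORK/cross.crt" -no_nonce -CAfile "$WORK/root.crt" 2>&1 \
        | sed -n 's#^.*cross\.crt: ##p'
}

make_ca
write_index V 1001;  echo "listed as valid:   $(ocsp_status)"   # good
write_index R 1001;  echo "listed as revoked: $(ocsp_status)"   # revoked
write_index V 2002;  echo "serial not listed: $(ocsp_status)"   # unknown
```

To ask the real responder instead, drop -reqout from step 1, add
-url http://ocsp.ipxe.org/ocsp/root/ and keep -issuer ca.crt -cert cross-ca.crt
-CAfile ca.crt with the files from ca.ipxe.org, as in p6r's command; steps 2
and 3 then collapse into that one call. A tryLater (3) or unauthorized (6)
response status is produced by the responder itself and cannot be simulated
with this offline setup.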

