[ipxe-devel] ipxe.org OSCP server check
Geert Stappers
stappers at stappers.nl
Sun Sep 3 10:11:10 UTC 2023
Hi,
How to do a check on the iPXE OCSP server?
Information I have is:
IRC> Day changed to 21 aug 2023
IRC> 15:01 -!- p6r [~p6r at redacted3] has joined #ipxe
IRC> 15:01 < p6r> hi
IRC> 15:01 < p6r> just double checking that there s no curent issues with
IRC> ocsp ...
IRC> 15:03 < p6r> wget http://ca.ipxe.org/cross-ca.crt && wget
IRC> https://ca.ipxe.org/ca.crt && openssl x509 -in cross-ca.crt -ocsp_uri
IRC> -noout && openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url
IRC> http://ocsp.ipxe.org/ocsp/root/
IRC> 15:04 < p6r> Response Verify Failure : Unable to get local issuer
IRC> certificate , self signed certificate in certificate chain
IRC> 15:04 < p6r> But i have no real idea of how ocsp works
IRC> 16:30 -!- p6r [~p6r at redacted3] has quit [Quit: Leaving]
And email https://lists.ipxe.org/pipermail/ipxe-devel/2023-August/007618.html
which can be read as "It should work now".
When I do
wget http://ca.ipxe.org/cross-ca.crt && \
wget https://ca.ipxe.org/ca.crt && \
openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/
I get output that ends with
<screenshot>
Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 3 09:50:03 2023 GMT
</screenshot>
How to deal with those verify errors?
Or: What would be a better approach to check iPXE OCSP server?
Groeten
Geert Stappers
--
Silence is hard to parse
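
An added example, not part of the original post: an offline reproduction of a "Response Verify Failure" of this kind with a throwaway CA and a delegated OCSP signer, followed by the same check with the root supplied through -CAfile. It assumes the responder's certificate chains to the root passed as -issuer, which the post does not confirm for ocsp.ipxe.org; every name, serial and file in it is constructed.

```sh
#!/bin/sh
# Constructed offline lab; every name, serial and file here is made up for the example.
mkcsr() {  # $1 = file stem, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

build_lab() (  # $1 = empty working directory
    cd "$1" || exit 1
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[ocsp]\nextendedKeyUsage=OCSPSigning\n' > lab.ext
    # Private self-signed root: absent from the system trust store, like any private CA.
    mkcsr ca "Example Lab Root" &&
    openssl x509 -req -in ca.csr -signkey ca.key -days 2 \
        -extfile lab.ext -extensions ca -out ca.crt 2>/dev/null &&
    # Delegated OCSP signer issued by that root.
    mkcsr ocsp "Example Lab OCSP" &&
    openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x1000 -days 2 \
        -extfile lab.ext -extensions ocsp -out ocsp.crt 2>/dev/null &&
    # Certificate whose status is queried.
    mkcsr leaf "Example Lab Leaf" &&
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 -days 2 \
        -out leaf.crt 2>/dev/null &&
    # One-line CA database: V(alid), expiry, no revocation date, serial, file, subject.
    printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=Example Lab Leaf\n' > index.txt &&
    # Request and response go through files, so no responder has to listen on a port.
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der &&
    openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
        -reqin req.der -respout resp.der 2>/dev/null
)

# Prints the verdict openssl gives when it verifies the saved response.
verify_response() (  # $1 = lab directory, rest = extra "openssl ocsp" options
    cd "$1" || exit 1
    shift
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -respin resp.der "$@" 2>&1 |
        grep -o 'Response [Vv]erify [A-Za-z]*' | head -n 1
)

lab=$(mktemp -d) && build_lab "$lab" || exit 1
# Only the default trust store, as in the command from the post.
echo "default trust store: $(verify_response "$lab")"
# Same response, with the private root named as trust anchor.
echo "with -CAfile ca.crt: $(verify_response "$lab" -CAfile ca.crt)"
```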