[ipxe-devel] ipxe.org OSCP server check

Geert Stappers stappers at stappers.nl
Sun Sep 3 10:11:10 UTC 2023


How to do a check on the iPXE OSCP server?

Information I have is:

IRC> Day changed to 21 aug 2023
IRC> 15:01 -!- p6r [~p6r at redacted3] has joined #ipxe
IRC> 15:01 < p6r> hi
IRC> 15:01 < p6r> just double checking that there s no curent issues with
IRC>    ocsp ...
IRC> 15:03 < p6r>  wget http://ca.ipxe.org/cross-ca.crt && wget
IRC>    https://ca.ipxe.org/ca.crt && openssl x509 -in cross-ca.crt -ocsp_uri
IRC>    -noout && openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url
IRC>    http://ocsp.ipxe.org/ocsp/root/
IRC> 15:04 < p6r> Response Verify Failure : Unable to get local issuer
IRC>    certificate  , self signed certificate in certificate chain
IRC> 15:04 < p6r> But i have no real idea of how ocsp works
IRC> 16:30 -!- p6r [~p6r at redacted3] has quit [Quit: Leaving]
And email https://lists.ipxe.org/pipermail/ipxe-devel/2023-August/007618.html
which can be read as "It should work now".

When I do
  wget http://ca.ipxe.org/cross-ca.crt && \
  wget https://ca.ipxe.org/ca.crt && \
  openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
  openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/

I get output that ends with

Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
cross-ca.crt: good
	This Update: Sep  1 11:01:57 2023 GMT
	Next Update: Sep  3 09:50:03 2023 GMT

How to deal with those verify errors?

Or:  What would be a better approach to check iPXE OSCP server?

Geert Stappers

Silence is hard to parse

More information about the ipxe-devel mailing list