[ipxe-devel] ipxe.org OCSP server check
Michael Brown
mcb30 at ipxe.org
Mon Sep 4 11:20:44 UTC 2023
On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> When I do
> wget http://ca.ipxe.org/cross-ca.crt && \
> wget https://ca.ipxe.org/ca.crt && \
> openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
> openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/
>
>
> I get output that ends with
>
> <screenshot>
> Response Verify Failure
> 3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
> 3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
> cross-ca.crt: good
> This Update: Sep 1 11:01:57 2023 GMT
> Next Update: Sep 3 09:50:03 2023 GMT
> </screenshot>
>
> How to deal with those verify errors?
When using the openssl tools, you need to specify the iPXE root CA as
the root of trust in order to match iPXE's verification results. For
the ocsp subcommand, the relevant option is "-CAfile". For example:
$ wget -q https://ca.ipxe.org/ca.crt
$ wget -q https://ca.ipxe.org/cross-ca.crt
$ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
$ openssl ocsp -CAfile ca.crt -issuer ca.crt \
-cert cross-ca.crt \
-url http://ocsp.ipxe.org/ocsp/root/
Response verify OK
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 4 11:22:25 2023 GMT
$ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
-cert cross-gts-root-r4.crt \
-url http://ocsp.ipxe.org/ocsp/cross/
Response verify OK
cross-digicert-assured-id-root-ca.crt: good
This Update: Sep 1 11:02:47 2023 GMT
Next Update: Sep 4 11:22:43 2023 GMT
Michael
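The check below is an added example, not code from this thread, from iPXE or from either poster. It parses the text that `openssl ocsp` prints (the two runs quoted above are embedded as constructed sample strings) and applies the rule the reply implies: a `good` status line is only meaningful when `Response verify OK` is also present, meaning the responder's signature chained to the trust anchor given with `-CAfile`. The function names and the ISO "now" timestamp are my own choices.

```python
"""Decide whether an `openssl ocsp` result may be trusted.

Added example for this thread; not code from iPXE or from the posters.
It parses the text that `openssl ocsp` prints and accepts a certificate
only when the response itself verified against the supplied trust anchor
(-CAfile), the status is "good", and the validity window covers "now".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the run from the question, without -CAfile.
# The responder's signature cannot be chained to a trusted root, so the
# status line is present but cannot be relied upon.
UNVERIFIED_OUTPUT = """\
Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
cross-ca.crt: good
This Update: Sep  1 11:01:57 2023 GMT
Next Update: Sep  3 09:50:03 2023 GMT
"""

# Constructed sample: the run from the reply, with -CAfile ca.crt.
VERIFIED_OUTPUT = """\
Response verify OK
cross-ca.crt: good
This Update: Sep  1 11:01:57 2023 GMT
Next Update: Sep  4 11:22:25 2023 GMT
"""

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"          # format openssl uses when printing times
STATUS_RE = re.compile(r"^(\S+): (good|revoked|unknown)$")


@dataclass
class OcspResult:
    response_verified: bool = False           # "Response verify OK" seen
    cert_name: Optional[str] = None
    cert_status: Optional[str] = None         # good / revoked / unknown
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    errors: list[str] = field(default_factory=list)


def _parse_time(text: str) -> datetime:
    # openssl pads the day ("Sep  1"); collapse whitespace before parsing.
    return datetime.strptime(" ".join(text.split()), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_openssl_ocsp(output: str) -> OcspResult:
    """Extract verification outcome, status and validity window from the tool output."""
    result = OcspResult()
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Response verify OK":
            result.response_verified = True
        elif line.startswith("Response Verify Failure"):
            result.response_verified = False
        elif ":error:" in line:
            # keep only the human-readable reason at the end of the error record
            result.errors.append(line.rsplit(":", 1)[-1])
        elif line.startswith("This Update:"):
            result.this_update = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            result.next_update = _parse_time(line.split(":", 1)[1])
        else:
            m = STATUS_RE.match(line)
            if m:
                result.cert_name, result.cert_status = m.group(1), m.group(2)
    return result


def assess(output: str, now_iso: str) -> str:
    """Return "trusted" or "rejected: <reason>" for the output, evaluated at now_iso (UTC offset form)."""
    now = datetime.fromisoformat(now_iso)
    r = parse_openssl_ocsp(output)
    if not r.response_verified:
        # An unverified response proves nothing, however reassuring its status line looks.
        reason = "; ".join(r.errors) or "response signature not verified"
        return f"rejected: {reason}"
    if r.cert_status != "good":
        return f"rejected: status is {r.cert_status}"
    if r.this_update is None or r.this_update > now:
        return "rejected: thisUpdate missing or in the future"
    if r.next_update is not None and now > r.next_update:
        return "rejected: response is stale (past nextUpdate)"
    return "trusted"


if __name__ == "__main__":
    for label, out in (("without -CAfile", UNVERIFIED_OUTPUT), ("with -CAfile", VERIFIED_OUTPUT)):
        print(f"{label}: {assess(out, '2023-09-02T12:00:00+00:00')}")
```

The point of the decision order is that the verification outcome is checked first: in the failing run the status line still reads `good`, but without a verified signature that line could have come from anyone on the path, so the script rejects it. The staleness check against `Next Update` is the second thing iPXE-style clients care about, since a response that has passed its `nextUpdate` should not be reused.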