From stappers at stappers.nl Fri Mar 14 21:07:08 2025
From: stappers at stappers.nl (Geert Stappers)
Date: Fri, 14 Mar 2025 22:07:08 +0100
Subject: [ipxe-devel] https://ipxe.org/crypto, add the ipxe.org ca.crt too
Message-ID:

12:19 < tpowa> Hi, I try to get the crypto things working for my archboot system, I am stuck with the certificates. I followed the documentation. When adding CERT= and TRUST= to the compilation it is first not able to download from an external source. For me it would suffice to just have validated the downloaded kernel and initrds.
12:20 < tpowa> ipxe is from yesterday's git.
16:25 < tpowa> ok, found the not obvious solution: I had to add the ipxe.org ca.crt too, then it works for me
19:07 < stappers> tpowa: Which documentation could be improved?
19:07 < tpowa> stappers, the crypto documentation
19:07 < stappers> Okay
19:08 < tpowa> if you want to run ipxe on a host where you cannot access the tls things, you need to provide the ipxe ca.crt to get access via https to the files
19:08 < tpowa> I host my project on a hoster which does not allow me to change the tls things
19:08 < stappers> That line, where should it be added?
19:09 < tpowa> one moment, I look at the doc
19:10 < tpowa> make bin/ipxe.iso TRUST=/path/to/ca1.crt,/path/to/ca2.crt  at this paragraph would make sense, I guess
19:11 < tpowa> referencing ca.ipxe.org/ca.crt to include if you cannot change your host's root certificate
19:14 < tpowa> You probably know better how to phrase what I mean, I am not a TLS and https expert
19:15 < tpowa> In the end I added CERT= and TRUST= with my private root CA and the ipxe ca.crt, then it started to work to verify my downloads.
19:15 < tpowa> and also to download the files from my hoster
19:16 < stappers> tpowa: I want to raise it on the mailinglist. Are you OK with 'tpowa' in the posting, or would you prefer that I use 'redacted'?
19:17 < tpowa> yes sure, you can use tpowa :)
19:21 < tpowa> stappers, thanks, hope this will make it to the homepage, it was 2 days of trial and error to find this solution

That was from IRC. Back to the iPXE source code:

|stappers at paddy:~/src/ipxe
|$ git grep TRUST=
|src/crypto/rootcert.c: * time using the TRUST= build parameter. If no certificates are
|stappers at paddy:~/src/ipxe
|$

That is not the

  19:10 < tpowa> make bin/ipxe.iso TRUST=/path/to/ca1.crt,/path/to/ca2.crt

I did find that line at https://ipxe.org/crypto

But for

  16:25 < tpowa> ok, found the not obvious solution: I had to add the ipxe.org ca.crt too, then it works for me

so the "had to add the ipxe.org ca.crt too, then it works", I didn't find a good place.

So now asking the mailinglist for help.

Groeten
Geert Stappers
--
Silence is hard to parse
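What tpowa ran into has a simple cause: a custom TRUST= list replaces iPXE's default trust list, and the default list is what contains the iPXE root CA. iPXE can still fetch a cross-signed certificate from ca.ipxe.org for a server whose public CA is not in the list, but that cross-signed certificate only validates if the iPXE root CA (ca.ipxe.org/ca.crt) is itself trusted. The script below is an added example, not code from this e-mail or from the iPXE project: it takes a CA list in the same comma-separated form TRUST= accepts and checks with openssl whether a server certificate chains to it directly, or whether iPXE would have to fall back on cross-signing. All certificates are generated locally as constructed sample data; the names private-root, hoster-public-ca and download-host are hypothetical, and the make line in the final comment is only illustrative and is not executed.

```shell
#!/bin/sh
# Added example (not from the post or the iPXE project). Requires openssl.
# Checks whether a server certificate chains to the CA files you intend to
# pass to TRUST=, in the same comma-separated form TRUST= takes.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to check" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA named $1 (EC key, just to keep generation fast).
make_ca() {
    openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Leaf (server) certificate $1 issued by CA $2.
make_leaf() {
    openssl req -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against_trust_list "ca1.crt,ca2.crt" server.crt
# Exit status 0 when server.crt chains to one of the listed CAs, non-zero otherwise.
verify_against_trust_list() {
    bundle=$(mktemp "$WORK/bundle.XXXXXX")
    printf '%s\n' "$1" | tr ',' '\n' | while read -r ca; do
        [ -n "$ca" ] && cat "$ca"
    done > "$bundle"
    openssl verify -CAfile "$bundle" "$2" >/dev/null 2>&1
}

# "direct": the server cert already chains to your TRUST= list.
# "cross-sign": it does not, so iPXE would need a cross-signed certificate from
# ca.ipxe.org, which only validates if ca.ipxe.org/ca.crt is in TRUST= as well.
trust_verdict() {
    if verify_against_trust_list "$1" "$2"; then
        echo direct
    else
        echo cross-sign
    fi
}

# Constructed sample data (hypothetical names):
make_ca private-root          # CA you control, signs your kernel and initrd
make_ca hoster-public-ca      # stand-in for the public CA behind the hoster's cert
make_leaf download-host hoster-public-ca

# Only your private root in TRUST=: the hoster's cert does not chain to it.
trust_verdict "$WORK/private-root.crt" "$WORK/download-host.crt"
# Hoster's CA added to the list: chains directly, no cross-signing needed.
trust_verdict "$WORK/private-root.crt,$WORK/hoster-public-ca.crt" "$WORK/download-host.crt"

# The build this feeds into (illustrative, not run here): when the verdict is
# "cross-sign" and you cannot change the hoster's certificate, ca.crt below is
# the file downloaded from ca.ipxe.org/ca.crt.
#   make bin/ipxe.iso TRUST=/path/to/private-root.crt,/path/to/ca.crt
```

The first call prints `cross-sign` and the second `direct`. Run trust_verdict with your real TRUST= file list against the certificate your download host actually serves (openssl s_client -showcerts can fetch it) before building; if it says `cross-sign` and you cannot get the hoster's CA into the list, the ipxe.org CA has to go in too, which is exactly the step the IRC discussion found by trial and error.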