On 11/01/2020 15:28, Ibrahim Tachijian wrote:
And all fail because of certificate issues.
The documentation on https://ipxe.org/crypto mentions that,

    In the default configuration, iPXE trusts only a single root
    certificate: the "iPXE root CA" certificate
    <https://ipxe.org/_media/certs/ca.crt>. This root certificate is
    used to cross-sign the standard Mozilla list of public CA
    certificates
    <http://mxr.mozilla.org/comm-central/source/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>.

Do I need to download the iPXE root CA and compile it in? If so, how?

No; the iPXE root CA fingerprint is compiled in by default:

  https://github.com/ipxe/ipxe/blob/master/src/crypto/rootcert.c#L51

The issues you are experiencing are most likely because the iPXE OCSP service is still down following a hardware death. Replacement is currently stalled pending the existence of a suitable ocspd package for Fedora; the version in the Fedora repos is more than ten years out of date.

Michael
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
