On 14/01/2020 19:54, Ibrahim Tachijian wrote:
    The issues you are experiencing are most likely because the iPXE OCSP
    service is still down following a hardware death.  Replacement is
    currently stalled pending the existence of a suitable ocspd package for
    Fedora; the version in the Fedora repos is more than ten years out
    of date.

How does this work exactly?
I mean, if my https certificate is based on letsencrypt, then am I still dependant on some service (ocsp?) from ipxe to function ?

Can I work around this and still "trust what Mozilla trusts" ?

The root problem is that the Mozilla root certificate list is far too large (150kB) to embed within the iPXE binary.

The way that iPXE works around this is to instead embed the 32-byte SHA-256 fingerprint of a single "iPXE root CA" certificate (which is the certificate that can be downloaded from https://ca.ipxe.org/ca.crt).

This "iPXE root CA" certificate is used to cross-sign every root certificate trusted by Mozilla, and a mechanism exists to allow iPXE to automatically download these cross-signed certificates as needed. There is a reasonable explanation of this at


This cross-signed certificate chain includes OCSP checks; this is the part that is currently failing.

ipxe-devel mailing list

Reply via email to