On 14/01/2020 19:54, Ibrahim Tachijian wrote:
>> The issues you are experiencing are most likely because the iPXE OCSP
>> service is still down following a hardware death. Replacement is
>> currently stalled pending the existence of a suitable ocspd package for
>> Fedora; the version in the Fedora repos is more than ten years out
> How does this work exactly?
> I mean, if my https certificate is based on letsencrypt, then am I still
> dependent on some service (ocsp?) from ipxe to function?
> Can I work around this and still "trust what Mozilla trusts"?
The root problem is that the Mozilla root certificate list is far too
large (150kB) to embed within the iPXE binary.
The way that iPXE works around this is to instead embed the 32-byte
SHA-256 fingerprint of a single "iPXE root CA" certificate (which is the
certificate that can be downloaded from https://ca.ipxe.org/ca.crt).
This "iPXE root CA" certificate is used to cross-sign every root
certificate trusted by Mozilla, and a mechanism exists to allow iPXE to
automatically download these cross-signed certificates as needed. There
is a reasonable explanation of this at
This cross-signed certificate chain includes OCSP checks; this is the
part that is currently failing.
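As an added illustration of the trust model described above (this is example code written for this page, not iPXE's own implementation), the Go program below builds a miniature version of the arrangement with the standard library: a self-signed "iPXE root CA", a separate self-signed root standing in for one of the roots Mozilla trusts, a cross-signed copy of that second root issued by the iPXE root, and a boot-server certificate issued by the Mozilla-style root. The verifier trusts only the pinned SHA-256 fingerprint of the iPXE root; the cross-signed certificate is supplied as an untrusted intermediate, the way iPXE fetches it on demand. All names, keys and the hostname `boot.example.test` are constructed for the demo, and the example does not model the OCSP step, which is what the thread reports as currently failing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Demo holds the constructed certificates; none of them come from iPXE or Mozilla.
type Demo struct {
	IPXERoot, MozRoot, MozCross, Leaf *x509.Certificate
	Pinned                            string // what iPXE embeds: a fingerprint, not a CA bundle
}

// caTemplate returns a CA certificate template with the given common name.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// signCert issues tmpl for subjectKey's public key, signed by parent/parentKey.
// Passing tmpl as its own parent (with the matching key) yields a self-signed root.
func signCert(tmpl, parent *x509.Certificate, subjectKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Fingerprint is the SHA-256 of the DER encoding, the only trust anchor data the
// client needs to carry (32 bytes instead of a ~150 kB root store).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// PinMatches is the check a client performs on a freshly downloaded root certificate.
func PinMatches(pinned string, downloaded *x509.Certificate) bool {
	return Fingerprint(downloaded) == pinned
}

// BuildDemo constructs the whole hierarchy with fresh P-256 keys.
func BuildDemo() *Demo {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	ipxeKey, mozKey, leafKey := newKey(), newKey(), newKey()

	ipxeTmpl := caTemplate("Simulated iPXE root CA", 1)
	ipxeRoot := signCert(ipxeTmpl, ipxeTmpl, ipxeKey, ipxeKey)

	mozTmpl := caTemplate("Simulated Mozilla-trusted root", 2)
	mozRoot := signCert(mozTmpl, mozTmpl, mozKey, mozKey)

	// Cross-signing: same subject and same public key as the Mozilla-style root,
	// but the signature comes from the iPXE root.
	crossTmpl := caTemplate("Simulated Mozilla-trusted root", 3)
	mozCross := signCert(crossTmpl, ipxeRoot, mozKey, ipxeKey)

	// The boot server's certificate is issued by the Mozilla-style root, which
	// the client has never seen directly.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "boot.example.test"},
		DNSNames:     []string{"boot.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := signCert(leafTmpl, mozRoot, leafKey, mozKey)

	return &Demo{IPXERoot: ipxeRoot, MozRoot: mozRoot, MozCross: mozCross, Leaf: leaf, Pinned: Fingerprint(ipxeRoot)}
}

// VerifyLeaf trusts only the pinned root; withCross controls whether the
// cross-signed certificate is available as an (untrusted) intermediate.
func VerifyLeaf(d *Demo, withCross bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(d.IPXERoot)
	inter := x509.NewCertPool()
	if withCross {
		inter.AddCert(d.MozCross)
	}
	_, err := d.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "boot.example.test"})
	return err
}

func main() {
	d := BuildDemo()
	fmt.Println("pinned root fingerprint:", d.Pinned)
	fmt.Println("pin matches downloaded root:", PinMatches(d.Pinned, d.IPXERoot))
	fmt.Println("verify with cross-signed cert:", VerifyLeaf(d, true))
	fmt.Println("verify without cross-signed cert:", VerifyLeaf(d, false))
}
```

The second verification fails because the only trusted anchor is the iPXE root and no certificate links the leaf's issuer to it; supplying the cross-signed certificate closes that gap without the client ever holding the full Mozilla list. The fingerprint check is what protects the download of the root itself, so a substituted `ca.crt` would be rejected before any chain building happens.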
ipxe-devel mailing list