On Mon, Nov 26, 2018 at 03:26:20PM +0000, Michael Brown wrote:
> On 15/11/2018 21:21, Stephen Soltesz wrote:
> > Are there any known issues with the ipxe.org <http://ipxe.org> OSCP
> > servers?
> >
> > Yesterday I was able to boot a test server but today I'm getting an
> > error message for http://ipxe.org/err/432fe3
>
> On 16/11/2018 18:32, Damien Radtke wrote:
> > I was attempting to boot a new server via Vultr using an iPXE
> > script, and was given an error message directing me to
> > http://ipxe.org/err/432fe3. I also tried to connect to IRC to ask about
> > it, but either my chat client or the server didn't seem to be working
> > properly. Is the OCSP server down, and if so is there a timeframe for
> > when it will be back up?
>
> I missed the start of November OCSP reissuing, sorry. This should now be
> working again.
>
> Michael
> _______________________________________________
> ipxe-devel mailing list

To me it seems some similar action is needed.

20:34 -!- Guest72 [~Guest72@redacted] has joined #ipxe
20:38 < Guest72> Hi there, I faced unknown behavior when I tried to load linux kernel image via ipxe (error https://ipxe.org/432fe398 which is related to OCSP). I'm using https. I compiled ipxe binary with option DEBUG=ocsp, but nothing useful was in debug output. I'm wondering if ipxe ocsp server alive ?
20:40 < Guest72> It worked perfect today, but 1-2 hours ago it just stopped working and I got error.
21:22 < stappers> That brings back memories of expired certificates
21:24 < Guest72> which certificate exactly ? This error showed while trying to download kernel image with initrd
21:26 < Guest72> should I debug rather with full tls debugging ?
21:27 < stappers> OCSP
21:28 < stappers> in response to 'which certificate'
21:42 < Guest72> When I run it with DEBUG=ocsp, it shows me this (I put snippets from debug): Starting Ubuntu installer https://[some-amazon-s3-bucket]/vmlinuz ..... [OCSP iPXE cross-signing CA] OCSP 0x494fb568 "iPXE cross-singning CA" successfully validated using "iPXE root CA OCSP responder" OCSP 0x494fb568 ..... "4b12a4f9c.......91af",
21:42 < Guest72> followed by error 0x432fe398
21:42 < Guest72> And that's all
21:43 < Guest72> I don't think that amazon's certificate has expired, since I can access it via browser
21:54 < stappers> Is the OCSP server working? (as advised by https://ipxe.org/err/432fe3)
22:45 < Guest72> How to check it ? I guess I use OCSP which provided by iPXE
22:45 < Guest72> mcb30 can you advise something, please ?
Day changed to 17 aug 2023
00:02 < Guest72> Update: I moved my vmlinuz and initrd files to another https server and it worked! I guess some problem with Amazon s3 bucket :-\
00:05 < stappers> Acknowledge
01:28 -!- Guest72 [~Guest72@redacted] has quit [Quit: Client closed]
01:48 -!- Guest72 [~Guest72@redacted] has joined #ipxe
02:09 -!- Guest72 [~Guest72@redacted] has quit [Quit: Client closed]
03:15 -!- Guest72 [~Guest72@redacted] has joined #ipxe
03:20 -!- Guest72 [~Guest72@redacted] has quit [Quit: Client closed]
Day changed to 18 aug 2023
11:53 -!- Guest61 [~Guest61@redated1] has joined #ipxe
12:05 < Guest61> Hi guys, i'm t-shooting TLS issue noticed yesterday, during the chain OCSP check is required for root certificate "DigiCert Global Root G2" which is made via URI http://ocsp.ipxe.org/ocsp/cross/... and results in response status 3 and eventually certificate validation failed
12:07 < Guest61> undefining OCSP_CHECK seems to help but doubt it's a proper way
12:13 < Guest61> i wonder if http://ocsp.ipxe.org is the right ocsp responder for said certificate
12:15 < Guest61> and what does response status 3 mean? unknown certificate maybe?
12:59 -!- Guest61 [~Guest61@redacted1] has quit [Quit: Client closed]
13:02 -!- Guest61 [~Guest61@redacted1] has joined #ipxe
16:41 -!- Guest61 [~Guest61@redacted1] has quit [Quit: Client closed]
Day changed to 19 aug 2023
00:55 -!- Guest98 [~Guest35@redacted2] has joined #ipxe
00:58 < Guest98> hi all, im getting an 0x432fe398 error message (https://ipxe.org/432fe398) when trying to chain load and ipxe boot file hosted on our server
00:58 < Guest98> the error page mentions the iPXE OCSP server may be having problems. is that at all true?
01:24 -!- Guest98 [~Guest35@redacted2] has quit [Quit: Client closed]
Day changed to 20 aug 2023
Day changed to 21 aug 2023
15:01 -!- p6r [~p6r@redacted3] has joined #ipxe
15:01 < p6r> hi
15:01 < p6r> just double checking that there s no current issues with ocsp ...
15:03 < p6r> wget http://ca.ipxe.org/cross-ca.crt && wget https://ca.ipxe.org/ca.crt && openssl x509 -in cross-ca.crt -ocsp_uri -noout && openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/
15:04 < p6r> Response Verify Failure : Unable to get local issuer certificate , self signed certificate in certificate chain
15:04 < p6r> But i have no real idea of how ocsp works
16:30 -!- p6r [~p6r@redacted3] has quit [Quit: Leaving]
18:07 < stappers> warthog9: Do you have access to "OSCP server"? [y/n]
18:27 -!- U8n [~U8@redacted4] has joined #ipxe
18:31 < U8n> Hi everyone
18:31 < U8n> can you guys help me to identify which side is the problem we are facing?
18:31 < U8n> I am trying to use iPXE to install EKS Anywhere on Bare Metal(so technically not a bare-metal, but EC2 instances with iPXE AMI on boot). Everything worked for my PoC project till last Tuesday or Wednesday
18:31 < U8n> http://10.1.0.22/phone-home... ok
18:31 < U8n> https://anywhere-assets.eks.amazonaws.com/releases/bundles/30/artifacts/hook/6d43b8b3REDACTEDa9aa98248d7a2/vmlinuz-x86_64...X509 chain 0xf44a4 added X509 0xf5804 "anywhere-assets.eks.amazonaws.com"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf6804 "Amazon RSA 2048 M01"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf9434 "Amazon Root CA 1"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf9994 "Starfield Services Root Certificate Authority - G2"
18:31 < U8n> X509 chain 0xf44a4 found no usable certificates
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8094 "4b12a4f9c47d8e56aebcc69d035e849a1fb30146"
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8564 "iPXE cross-signing CA"
18:31 < U8n> X509 chain 0xf2854 added X509 0xf8984 "iPXE root CA"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8094 "4b12a4f9c47d8e56aebcc69d035e849a1fb30146"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8564 "iPXE cross-signing CA"
18:31 < U8n> X509 chain 0xf44a4 added X509 0xf8984 "iPXE root CA"
18:31 < U8n> X509 0xf8984 "iPXE root CA" is a root certificate
18:31 < U8n> X509 0xf8564 "iPXE cross-signing CA" requires an OCSP check
18:31 < U8n> . [OCSP iPXE cross-signing CA]X509 0xf7a44 "iPXE root CA OCSP responder" successfully validated using issuer 0xf8984 "iPXE root CA"
18:32 < U8n> sorry, not very used to IRC chats. They don't have any formatting features as far as I know.
18:43 < stappers> FWIW: Color came through (at least to me)
18:44 * stappers scrolls back ...
18:55 < stappers> Day changed to 17 aug 2023
18:56 < stappers> 00:02 < Guest72> Update: I moved my vmlinuz and initrd files to another https server and it worked! I guess some problem with Amazon s3 bucket :-\
18:56 < stappers> 00:05 < stappers> Acknowledge
19:00 < stappers> U8n: Do note that Guest72 used the words "I guess some problems" and do read my "Acknowledge" as just an acknowledge on the update.
19:01 < U8n> stappers so you are saying it is aws s3 bucket or you answered to someone else?
19:08 < stappers> U8n: Guest72 left after update '2023-08-17 00:02 UTC+2'.
19:08 < U8n> stappers I see, thanks
19:09 < stappers> :-)

Regards
Geert Stappers
--
Silence is hard to parse
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel