Hi,
How to do a check on the iPXE OCSP server?

Information I have is:

IRC> Day changed to 21 aug 2023
IRC> 15:01 -!- p6r [~p6r@redacted3] has joined #ipxe
IRC> 15:01 < p6r> hi
IRC> 15:01 < p6r> just double checking that there s no curent issues with
IRC> ocsp ...
IRC> 15:03 < p6r> wget http://ca.ipxe.org/cross-ca.crt && wget
IRC> https://ca.ipxe.org/ca.crt && openssl x509 -in cross-ca.crt -ocsp_uri
IRC> -noout && openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url
IRC> http://ocsp.ipxe.org/ocsp/root/
IRC> 15:04 < p6r> Response Verify Failure : Unable to get local issuer
IRC> certificate , self signed certificate in certificate chain
IRC> 15:04 < p6r> But i have no real idea of how ocsp works
IRC> 16:30 -!- p6r [~p6r@redacted3] has quit [Quit: Leaving]

And email https://lists.ipxe.org/pipermail/ipxe-devel/2023-August/007618.html
which can be read as "It should work now".

When I do

    wget http://ca.ipxe.org/cross-ca.crt && \
    wget https://ca.ipxe.org/ca.crt && \
    openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
    openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/

I get output that ends with

<screenshot>
Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
cross-ca.crt: good
        This Update: Sep 1 11:01:57 2023 GMT
        Next Update: Sep 3 09:50:03 2023 GMT
</screenshot>

How to deal with those verify errors?
Or: What would be a better approach to check iPXE OCSP server?

Regards
Geert Stappers
-- 
Silence is hard to parse
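
The pattern in the output above, a "Response Verify Failure" line followed by a "good" status, can be reproduced offline. The script below is an added example, not part of the original message and not iPXE's own tooling. It builds a throwaway root CA, a delegated OCSP signer and a leaf certificate (all names and serials are constructed for the demo), then verifies one saved response with and without `-CAfile`. `-issuer` only identifies the issuer for the request; the trust anchors used to verify the response signature come from `-CAfile`/`-CApath` or the system default store.

```shell
#!/bin/sh
# Added example on a throwaway PKI; all names are made up, nothing contacts ipxe.org.

build_demo() {  # $1 = empty work directory
  d=$1
  # Self-signed root CA (CA:TRUE comes from the default openssl.cnf).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Certificate whose status is queried: serial 0x1001, issued by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-leaf" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 0x1001 -days 30 -out "$d/leaf.crt" 2>/dev/null || return 1
  # Delegated OCSP signer: issued by the root, carries the OCSPSigning EKU.
  printf 'extendedKeyUsage=OCSPSigning\n' > "$d/ocsp.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo OCSP Signer" \
    -keyout "$d/ocsp.key" -out "$d/ocsp.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/ocsp.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 0x1002 -days 30 -extfile "$d/ocsp.ext" \
    -out "$d/ocsp.crt" 2>/dev/null || return 1
  # Responder database: one valid ("V") entry for serial 1001.
  printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=demo-leaf\n' > "$d/index.txt"
  # Write a request, then answer it from files (no -port, no socket).
  openssl ocsp -issuer "$d/ca.crt" -cert "$d/leaf.crt" -no_nonce \
    -reqout "$d/req.der" 2>/dev/null || return 1
  openssl ocsp -index "$d/index.txt" -CA "$d/ca.crt" -rsigner "$d/ocsp.crt" \
    -rkey "$d/ocsp.key" -reqin "$d/req.der" -respout "$d/resp.der" 2>/dev/null
}

# Prints "<signature check> <certificate status>" for the saved response.
verify_response() {  # $1 = work dir, remaining args = extra openssl ocsp options
  d=$1; shift
  out=$(openssl ocsp -respin "$d/resp.der" -issuer "$d/ca.crt" \
        -cert "$d/leaf.crt" -no_nonce "$@" 2>&1) || true
  case $out in
    *"Response verify OK"*)      sig=OK ;;
    *"Response Verify Failure"*) sig=FAIL ;;
    *)                           sig=UNKNOWN ;;
  esac
  case $out in *"leaf.crt: good"*) st=good ;; *) st=other ;; esac
  echo "$sig $st"
}

work=$(mktemp -d) && build_demo "$work" && {
  echo "no trust anchor:  $(verify_response "$work")"
  echo "-CAfile ca.crt:   $(verify_response "$work" -CAfile "$work/ca.crt")"
}
rm -rf "$work"
```

The status line is printed in both runs, so a monitoring check should key on the verify line as well as on "good".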