On Mon, Sep 04, 2023 at 11:21:00AM +0000, Michael Brown via ipxe-devel wrote:
> On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
> > When I do
> > ....
> > How to deal with those verify errors?
>
> When using the openssl tools, you need to specify the iPXE root CA as the
> root of trust in order to match iPXE's verification results. For the ocsp
> subcommand, the relevant option is "-CAfile". For example:
>
>   $ wget -q https://ca.ipxe.org/ca.crt
>   $ wget -q https://ca.ipxe.org/cross-ca.crt
>   $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
>
>   $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
>                  -cert cross-ca.crt \
>                  -url http://ocsp.ipxe.org/ocsp/root/
>   Response verify OK
>   cross-ca.crt: good
>       This Update: Sep 1 11:01:57 2023 GMT
>       Next Update: Sep 4 11:22:25 2023 GMT
>
>   $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
>                  -cert cross-gts-root-r4.crt \
>                  -url http://ocsp.ipxe.org/ocsp/cross/
>   Response verify OK
>   cross-digicert-assured-id-root-ca.crt: good
>       This Update: Sep 1 11:02:47 2023 GMT
>       Next Update: Sep 4 11:22:43 2023 GMT
>

Ah, thanks, for future "copy and paste":

--------8<---8<---8<-------
wget -q https://ca.ipxe.org/ca.crt
wget -q https://ca.ipxe.org/cross-ca.crt
wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
ls -ltr *.crt
openssl ocsp -CAfile ca.crt -issuer ca.crt \
             -cert cross-ca.crt \
             -url http://ocsp.ipxe.org/ocsp/root/
openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
             -cert cross-gts-root-r4.crt \
             -url http://ocsp.ipxe.org/ocsp/cross/
echo rm *.crt
--------8<---8<---8<-------

Output I got today:

-rw-r--r-- 1 stappers stappers 1383 18 mrt 2012 ca.crt
-rw-r--r-- 1 stappers stappers 1229 29 feb 2016 cross-ca.crt
-rw------- 1 stappers stappers 1180 1 okt 10:36 cross-gts-root-r4.crt
Response verify OK
cross-ca.crt: good
    This Update: Oct 1 08:01:19 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT
Response verify OK
cross-gts-root-r4.crt: good
    This Update: Oct 1 08:36:38 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT
rm ca.crt cross-ca.crt cross-gts-root-r4.crt

Regards
Geert Stappers
Back in a few days
-- 
Silence is hard to parse
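
For scripted use of the commands in this thread, the check below is an added example, not part of either message or of iPXE: it decides pass or fail from the text `openssl ocsp` prints rather than from a human reading it. The function names are hypothetical and the sample outputs are constructed, modelled on the output quoted above.

```sh
# Added example (not from the thread): judge the text `openssl ocsp` prints.
# Function names are hypothetical; the sample outputs below are constructed.

# ocsp_output_ok CERTFILE OUTPUT
# Succeeds only if the response signature verified against the trust
# anchor AND the status line for CERTFILE reads "good". A verify failure,
# "revoked", "unknown" or a missing status line all count as failure.
ocsp_output_ok() {
    cert=$1
    output=$2
    printf '%s\n' "$output" | grep -qx 'Response verify OK' || return 1
    printf '%s\n' "$output" | grep -qxF -- "$cert: good" || return 1
}

# ocsp_next_update OUTPUT: print the "Next Update" timestamp, if present.
ocsp_next_update() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p'
}

# check_ocsp ROOT ISSUER CERT URL: run the query from the thread with ROOT
# as the only trust anchor (-CAfile), then judge the combined output.
# stderr is captured too, since openssl writes diagnostics there.
# e.g. check_ocsp ca.crt ca.crt cross-ca.crt http://ocsp.ipxe.org/ocsp/root/
check_ocsp() {
    out=$(openssl ocsp -CAfile "$1" -issuer "$2" -cert "$3" -url "$4" 2>&1)
    ocsp_output_ok "$3" "$out"
}

# Constructed sample outputs for offline testing.
SAMPLE_GOOD='Response verify OK
cross-ca.crt: good
    This Update: Oct 1 08:01:19 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT'
SAMPLE_UNVERIFIED='Response Verify Failure
cross-ca.crt: good
    This Update: Oct 1 08:01:19 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT'
SAMPLE_REVOKED='Response verify OK
cross-ca.crt: revoked
    This Update: Oct 1 08:01:19 2023 GMT
    Next Update: Oct 30 20:39:51 2023 GMT'
```

A status of "good" on a response that did not verify is rejected, which is the case the `-CAfile` option in the thread addresses.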