[arch-releng] ipxe.lkrn BIOS TLS issue
Hi,

I prepared a USB netboot image following the netboot wiki: https://wiki.archlinux.org/index.php/Netboot

The ipxe.lkrn is from: https://www.archlinux.org/static/netboot/ipxe.08268867b45a.lkrn

The system is BIOS based. The ipxe.lkrn image boots successfully but when it tries to access https://www.archlinux.org/releng/netboot/archlinux.ipxe it fails with "Operation not permitted". IPXE shows the error url http://ipxe.org/410de13c which points to a TLS issue (Fatal alert). Not sure how to proceed.

The networking seems to be working fine. Typing route at the ipxe prompt shows an ip address has been assigned. Is there a certificate issue with ipxe.lkrn?

Thanks!
On Tue, Oct 01, 2019 at 10:05:41PM +0000, Anindya Mukherjee via arch-releng wrote:
The ipxe.lkrn image boots successfully but when it tries to access https://www.archlinux.org/releng/netboot/archlinux.ipxe it fails with "Operation not permitted". IPXE shows the error url http://ipxe.org/410de13c which points to a TLS issue (Fatal alert). Not sure how to proceed. The networking seems to be working fine. Typing route at the ipxe prompt shows an ip address has been assigned. Is there a certificate issue with ipxe.lkrn?
Looks to me that the certificate is not being trusted (similar to the bug below): https://bugs.archlinux.org/task/58470 Do you have the certificate that's being requested? Cheers! -Santiago/Sangy
I can load the .ipxe script from Firefox and display the certificate details:

Serial: 04:45:82:E5:7F:72:A5:7A:C1:D5:E9:ED:8C:57:3C:1E:BB:B0
SHA-256: AD:8D:28:BE:3D:A1:40:FB:08:AB:4C:1F:1E:B5:8E:B0:3E:4F:4A:52:23:69:AB:85:41:2D:60:A7:C2:80:25:80
SHA1 25:95:32:0A:21:2E:CA:EA:43:AB:3F:1D:89:BF:9A:F7:D9:9E:59:F7

Does that help? The certificate can be viewed by loading https://www.archlinux.org/releng/netboot/archlinux.ipxe in Firefox (for example) and clicking the green padlock.
On Wed, Oct 02, 2019 at 02:21:22AM +0000, Anindya Mukherjee wrote:
I can load the .ipxe script from Firefox and display the certificate details:
Serial: 04:45:82:E5:7F:72:A5:7A:C1:D5:E9:ED:8C:57:3C:1E:BB:B0 SHA-256: AD:8D:28:BE:3D:A1:40:FB:08:AB:4C:1F:1E:B5:8E:B0:3E:4F:4A:52:23:69:AB:85:41:2D:60:A7:C2:80:25:80 SHA1 25:95:32:0A:21:2E:CA:EA:43:AB:3F:1D:89:BF:9A:F7:D9:9E:59:F7
Does that help? The certificate can be viewed by loading https://www.archlinux.org/releng/netboot/archlinux.ipxe in Firefox (for example) and clicking the green padlock.
Hmmm, I wanted to get the certificate chain so I could see if the rootcerts on the ipxe image trust that. I think this is an issue with us just shipping one of the two LE certificates on the ipxe image. Would you kindly share your image/anything else you have so I can debug this? I may have some free time after work today... Cheers! -Santiago/Sangy
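The hypothesis in the reply above (a client that trusts only one of two issuing CAs rejects a server certificate issued by the other) can be reproduced offline with OpenSSL. This is an added example, not part of the original thread or of the Arch netboot tooling; the CA names, the host name `netboot.example` and all file names are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the two issuing
# certificates mentioned in the thread. No real Arch or Let's Encrypt data.

make_ca() {      # $1 = work dir, $2 = CA name (hypothetical)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_leaf() {   # $1 = work dir, $2 = issuing CA name, $3 = server name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Print "trusted" or "untrusted" for certificate $2 against trust bundle $1.
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca-one
    make_ca "$d" ca-two
    issue_leaf "$d" ca-two netboot.example      # server cert chains to ca-two
    cp "$d/ca-one.crt" "$d/bundle-one.pem"      # client trusts a single CA
    cat "$d/ca-one.crt" "$d/ca-two.crt" > "$d/bundle-both.pem"
    echo "leaf-$(openssl x509 -in "$d/leaf.crt" -noout -issuer)"
    echo "one-ca-bundle=$(check_trust "$d/bundle-one.pem" "$d/leaf.crt")"
    echo "two-ca-bundle=$(check_trust "$d/bundle-both.pem" "$d/leaf.crt")"
    rm -rf "$d"
}

demo
```

To apply the same check to a live server, capture its chain with `openssl s_client -connect host:443 -showcerts` and pass the CA certificates embedded in the image as the bundle.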
Thanks! The image I used is from https://www.archlinux.org/static/netboot/ipxe.08268867b45a.lkrn

I have a thread on the forums where I describe the issue, in case that is helpful: https://bbs.archlinux.org/viewtopic.php?pid=1866379#p1866379

Let me know if I can do anything else.
Hi, were you able to update the certificates? I can test or otherwise help if a new image is available. Thanks!
participants (2)
- Anindya Mukherjee
- Santiago Torres-Arias