On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
When I do
   wget http://ca.ipxe.org/cross-ca.crt && \
   wget https://ca.ipxe.org/ca.crt && \
   openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
   openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/


I get output that ends with

<screenshot>
Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
cross-ca.crt: good
        This Update: Sep  1 11:01:57 2023 GMT
        Next Update: Sep  3 09:50:03 2023 GMT
</screenshot>

How to deal with those verify errors?

When using the openssl tools, you need to specify the iPXE root CA as the root of trust in order to match iPXE's verification results. For the ocsp subcommand, the relevant option is "-CAfile". For example:

  $ wget -q https://ca.ipxe.org/ca.crt
  $ wget -q https://ca.ipxe.org/cross-ca.crt
  $ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt

  $ openssl ocsp -CAfile ca.crt -issuer ca.crt \
                 -cert cross-ca.crt \
                 -url http://ocsp.ipxe.org/ocsp/root/
  Response verify OK
  cross-ca.crt: good
          This Update: Sep  1 11:01:57 2023 GMT
          Next Update: Sep  4 11:22:25 2023 GMT

  $ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
                 -cert cross-gts-root-r4.crt \
                 -url http://ocsp.ipxe.org/ocsp/cross/
  Response verify OK
  cross-digicert-assured-id-root-ca.crt: good
          This Update: Sep  1 11:02:47 2023 GMT
          Next Update: Sep  4 11:22:43 2023 GMT

Michael
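The effect of "-CAfile" can be reproduced offline. The script below is an added example, not part of the thread and not iPXE's own tooling: it builds a throwaway private root, a leaf certificate and a delegated OCSP responder certificate (so the response is not signed by the issuer itself), answers a request for the leaf with OpenSSL's built-in responder, and then verifies the stored response once against the default trust store and once with the private root supplied via -CAfile. It assumes only the openssl command-line tool; all names, serials and files are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway private CA, a delegated
# OCSP responder certificate and one leaf certificate, all constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
# Private root CA (stands in for the iPXE root CA, but is our own).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=example-root -days 30 >/dev/null 2>&1
# Leaf certificate issued by the root; its status is what we ask about.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj /CN=leaf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1234 \
  -out leaf.crt -days 30 >/dev/null 2>&1
# Delegated responder certificate: issued by the same root with EKU
# OCSPSigning, so the response is NOT signed by the issuer cert itself.
openssl req -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr \
  -subj /CN=ocsp-responder >/dev/null 2>&1
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x1235 \
  -extfile ocsp.ext -out ocsp.crt -days 30 >/dev/null 2>&1
# Minimal CA database: serial 1234 is valid ("V"). Build a request for the
# leaf and answer it with the built-in responder, entirely through files.
printf 'V\t20991231235959Z\t\t1234\tunknown\t/CN=leaf\n' > index.txt
openssl ocsp -no_nonce -issuer ca.crt -cert leaf.crt -reqout req.der >/dev/null 2>&1
openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
  -reqin req.der -respout resp.der >/dev/null 2>&1

# ocsp_result [CAFILE]: verify the stored response the way a client would.
# Prints "ok" when the responder chains to a trusted root and the leaf is
# good, "verify-failure" when OpenSSL cannot build that chain.
ocsp_result() {
  trust=""
  [ -n "${1:-}" ] && trust="-CAfile $1"
  out=$(openssl ocsp -no_nonce -issuer ca.crt -cert leaf.crt \
          -respin resp.der $trust 2>&1 || true)
  case "$out" in
    *"Response verify OK"*"leaf.crt: good"*) echo ok ;;
    *"Response Verify Failure"*) echo verify-failure ;;
    *) echo other ;;
  esac
}

# Default store: the private root is unknown, so verification fails even
# though the leaf status is still printed as "good" (as in the thread).
echo "default trust store: $(ocsp_result)"
# Explicit trust anchor, which is what the reply recommends.
echo "with -CAfile ca.crt: $(ocsp_result ca.crt)"
```

Note that the "good" status line is printed in both runs; only the "Response verify OK" line tells you the responder was actually trusted, so a script should key off that line (or the exit status), not the cert status alone.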

_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel