Hi,

Some HTTPS notes came along on the iPXE IRC channel.
To prevent them from being lost after the pastebin expiry date, I am posting them here. The mailing list archive will preserve them.

Enjoy

[...]

Prepare Source
--------------

Requirements:

```sh
sudo apt-get install build-essential liblzma-dev git
```

Clone repository:

```sh
git clone https://github.com/ipxe/ipxe.git
cd ipxe/src/
# NOTE: ^ Remaining commands are executed from this directory
```

Basic configuration:

```sh
cat >config/local/general.h <<EOF
#define DOWNLOAD_PROTO_HTTPS
EOF

cat >provision.ipxe <<EOF
#!ipxe

echo Attempting DHCP ...
:retry
dhcp || goto retry

echo Contacting Server ...
:chain
chain --autofree http://boot.netboot.xyz/ipxe/netboot.xyz.efi || goto failed
exit

:failed
echo Provisioning Failed
sleep 9000000
goto chain
EOF
```

Certificates
------------

The default build may require updated certificates in order to continue trusting most valid certificates. Depending on final deployment, this may not be needed.

```sh
curl -s http://ca.ipxe.org/ca.crt > ca.pem
curl -s https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem
curl -s https://letsencrypt.org/certs/lets-encrypt-r3.pem > lets-encrypt-r3.pem

# Make Options
CERT=ca.pem,isrgrootx1.pem,lets-encrypt-r3.pem
TRUST=ca.pem,isrgrootx1.pem,lets-encrypt-r3.pem
DEBUG=tls,httpcore,x509,certstore
```

The current deployment solution sits alongside the package update service. The certificate (.crt) for this server can be copied to the ``ipxe/src/`` directory and then included using ``CERT=server.crt TRUST=server.crt``.

Create Image
------------

Build:

```sh
make -j8 bin-x86_64-efi/ipxe.efi EMBED=provision.ipxe \
    CERT=server.crt TRUST=server.crt
```

Publish:

```sh
mv bin-x86_64-efi/ipxe.efi [...]/salt/states/ipxe/provision.efi
```

Actual commands used for current image:

```sh
git pull
cat >provision.ipxe [...]
cat >config/local/general.h [...]
cp /.../deb.crt server.crt
make -j8 bin-x86_64-efi/ipxe.efi EMBED=provision.ipxe CERT=server.crt TRUST=server.crt
cp bin-x86_64-efi/ipxe.efi [...]/salt/states/wipe/provision.efi
```

_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
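
A pre-build check for the three inputs the notes above hand to ``make`` (the embedded script, ``config/local/general.h`` and the ``CERT=``/``TRUST=`` files), as an added example that is not part of the original post or of iPXE. ``check_ipxe_inputs`` is a hypothetical helper name, and the certificate files are assumed to be PEM, as in the post's examples.

```sh
#!/bin/sh
# Added example (not from the original post): lint the inputs to the iPXE
# HTTPS build before running make. Returns the number of findings.
#   $1 embedded script (EMBED=)   $2 config/local/general.h
#   $3 comma-separated certificate list, as given to CERT= / TRUST=
check_ipxe_inputs() {
    script=$1; header=$2; certs=$3; findings=0

    # An iPXE script starts with the "#!ipxe" line, as in the post.
    if [ "$(head -n 1 "$script" 2>/dev/null)" != '#!ipxe' ]; then
        echo "FAIL: $script: first line is not #!ipxe"
        findings=$((findings + 1))
    fi

    # The post enables HTTPS through this define in the local config header.
    if ! grep -Eq '^[[:space:]]*#define[[:space:]]+DOWNLOAD_PROTO_HTTPS' "$header"; then
        echo "FAIL: $header: DOWNLOAD_PROTO_HTTPS is not defined"
        findings=$((findings + 1))
    fi

    # TLS validation against TRUST= only applies to https:// URLs, so list
    # every non-comment script line that still references http://.
    if grep -En '^[[:space:]]*[^#[:space:]].*http://' "$script"; then
        echo "WARN: $script: plain http:// reference, no certificate check"
        findings=$((findings + 1))
    fi

    # curl -s without -f also saves error pages, so confirm that each file
    # exists and holds a PEM certificate (assumption: PEM input).
    old_ifs=$IFS; IFS=,
    for f in $certs; do
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "FAIL: $f: missing or not a PEM certificate"
            findings=$((findings + 1))
        fi
    done
    IFS=$old_ifs
    return "$findings"
}

# Run from ipxe/src/ with the same values that go to make, for example:
#   sh check.sh provision.ipxe config/local/general.h server.crt
if [ "$#" -eq 3 ]; then
    check_ipxe_inputs "$@"
fi
```

The exit status is the number of findings, so the ``make`` line can be chained after it with ``&&``.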