On 03/09/2023 11:11, Geert Stappers via ipxe-devel wrote:
When I do
wget http://ca.ipxe.org/cross-ca.crt && \
wget https://ca.ipxe.org/ca.crt && \
openssl x509 -in cross-ca.crt -ocsp_uri -noout && \
openssl ocsp -issuer ca.crt -cert cross-ca.crt -text -url http://ocsp.ipxe.org/ocsp/root/
I get output that ends with
<screenshot>
Response Verify Failure
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:unable to get local issuer certificate
3072317184:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:../crypto/ocsp/ocsp_vfy.c:92:Verify error:self signed certificate in certificate chain
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 3 09:50:03 2023 GMT
</screenshot>
How to deal with those verify errors?
When using the openssl tools, you need to specify the iPXE root CA as
the root of trust in order to match iPXE's verification results. For
the ocsp subcommand, the relevant option is "-CAfile". For example:
$ wget -q https://ca.ipxe.org/ca.crt
$ wget -q https://ca.ipxe.org/cross-ca.crt
$ wget -q https://ca.ipxe.org/cross/cross-gts-root-r4.crt
$ openssl ocsp -CAfile ca.crt -issuer ca.crt \
      -cert cross-ca.crt \
      -url http://ocsp.ipxe.org/ocsp/root/
Response verify OK
cross-ca.crt: good
This Update: Sep 1 11:01:57 2023 GMT
Next Update: Sep 4 11:22:25 2023 GMT
$ openssl ocsp -CAfile ca.crt -issuer cross-ca.crt \
      -cert cross-gts-root-r4.crt \
      -url http://ocsp.ipxe.org/ocsp/cross/
Response verify OK
cross-digicert-assured-id-root-ca.crt: good
This Update: Sep 1 11:02:47 2023 GMT
Next Update: Sep 4 11:22:43 2023 GMT
Michael
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
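An added example, not code from this thread or from the iPXE project, that reproduces the failure and the fix locally: it builds a throwaway CA with a delegated OCSP signing certificate, answers a request for a leaf offline with "openssl ocsp -index", and verifies that response first without and then with the CA passed as -CAfile. It assumes the openssl command line tool (1.1.1 or later) and mktemp; every name in it (test-ca, test-leaf, test-ocsp, serials 0x1001 and 0x1002) is constructed.

```shell
#!/bin/sh
# Added example (not from the ipxe-devel thread). Constructed test PKI: a
# self-signed CA, one leaf, and a delegated OCSP signer (EKU OCSPSigning),
# mirroring a responder whose signing cert is not the CA itself.

# ocsp_verify <cafile or "">: succeeds only if openssl prints "Response verify OK".
ocsp_verify() {
  if [ -n "$1" ]; then set -- -CAfile "$1"; else set --; fi
  out=$(openssl ocsp "$@" -issuer ca.crt -cert leaf.crt -no_nonce \
        -respin resp.der 2>&1) || true
  # Print the verdict and, on failure, the underlying X.509 chain error.
  printf '%s\n' "$out" | grep -E 'Response [Vv]erify|Verify error' | head -n 2
  printf '%s\n' "$out" | grep -q '^Response verify OK'
}

# ocsp_demo: returns 0 iff verification fails without -CAfile and succeeds with it.
ocsp_demo() (
  cd "$(mktemp -d)" || exit 2
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
  for n in ca leaf ocsp; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=test-$n" 2>/dev/null
  done
  openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext \
    -out ca.crt 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out leaf.crt 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x1002 \
    -days 1 -extfile ocsp.ext -out ocsp.crt 2>/dev/null
  # CA index row (V = valid) for serial 0x1001, the format "openssl ocsp -index" reads.
  printf 'V\t451231235959Z\t\t1001\tunknown\t/CN=test-leaf\n' > index.txt
  # Act as the responder: sign a response for the leaf offline; the signer
  # cert is embedded in the response, just as a real responder would send it.
  openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
    -issuer ca.crt -cert leaf.crt -no_nonce -respout resp.der -noverify >/dev/null 2>&1
  echo "== without -CAfile (default trust store does not contain the test CA)"
  if ocsp_verify ""; then echo "unexpected: verified without a trust root"; exit 1; fi
  echo "== with -CAfile ca.crt"
  ocsp_verify ca.crt
)

ocsp_demo
```

The first verification fails with "unable to get local issuer certificate" because the responder's signing certificate inside the response cannot be chained to anything in the default trust store; the second succeeds once the CA is supplied as the trust root.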