I am chainloading iPXE (undionly.kpxe) and using an embedded script wanting to boot from HTTPS.

The problem is the HTTPS server is connecting to the HTTP server (a custom service) via stunnel using a self-signed certificate created with:

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

When it tries to contact the server I get "Permission denied" errors. Yet the URL works correctly from a browser.

I've tried downloading http://ca.ipxe.org/ca.crt and recompiling undionly.kpxe with the TRUST=ca.crt option but this didn't work.

I'm not very familiar with certificate management. How do I get iPXE to trust the stunnel server?

hookenz

1 Answer

You need to add your certificate to the CA used by iPXE.

Another solution would be to create a private CA (a root certificate that you will use to sign the host certificates), then configure iPXE to use this CA. See: http://ipxe.org/cfg/crosscert

The best solution is to have your certificates signed by a public CA.

Mircea Vutcovici
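
The private-CA approach from the answer above, as an added example that is not part of the original post: it creates a root certificate, signs the stunnel host certificate with it, and checks the chain and hostname with `openssl verify` before iPXE is rebuilt with `TRUST=`. The CA name, hostname, file names and `boot.ipxe` are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example. CA name, hostname and file names are placeholders.
umask 077   # private keys are written below; keep them unreadable to others

# make_private_ca DIR: create a self-signed root (ca.key, ca.crt).
make_private_ca() {
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example PXE Boot CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server_cert DIR HOST: sign a host certificate with the CA and
# write key + certificate to stunnel.pem, the layout the question uses.
issue_server_cert() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$2" \
        > "$1/server.cnf"
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$2" > "$1/server.ext"
    openssl req -new -nodes -newkey rsa:2048 -config "$1/server.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/server.ext" \
        -out "$1/server.crt" 2>/dev/null &&
    cat "$1/server.key" "$1/server.crt" > "$1/stunnel.pem"
}

# cert_ok CAFILE CERT HOST: succeeds only if CERT chains to CAFILE and names HOST.
cert_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Usage: sh private-ca.sh ./pki boot.example.test
# Then, in iPXE's src/ directory (boot.ipxe is your embedded script):
#   make bin/undionly.kpxe EMBED=boot.ipxe TRUST=/path/to/pki/ca.crt
if [ "$#" -eq 2 ]; then
    mkdir -p "$1" && make_private_ca "$1" && issue_server_cert "$1" "$2" &&
        cert_ok "$1/ca.crt" "$1/server.crt" "$2" && echo "chain and hostname verify"
fi
```

The hostname passed to `issue_server_cert` must be the name used in the HTTPS URL of the embedded script, and only `ca.crt` goes into the iPXE build; `ca.key` stays off the boot server.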