Using HTTPS on a private network; the documentation could perhaps use more info on how to set up an OCSP proxy.
Trying to use iPXE HTTPS on a private network. Public systems with Internet access work fine.
The cert is generated via ACME from Let's Encrypt using preferred-chain "ISRG Root X1".
The private network is using an Nginx proxy to http://ca.ipxe.org/auto for crosscert.
iPXE script:

    #!ipxe
    # Point iPXE at the local mirror of the cross-signed CA certificates
    # instead of the default http://ca.ipxe.org/auto
    set crosscert http://bringup.xxx.ca/ca/auto
    # Fetch the per-client boot script over HTTPS; drop to a shell on failure
    chain --autofree --replace https://bringup.xxx.ca/${mac} ||
    shell
However, during the HTTPS negotiation the OCSP check for the iPXE cross-signing CA fails with the error "Connection timed out". With DEBUG=dns:7 and other debug options it seems iPXE is trying to access http://ocsp.ipxe.org/.
On the https://ipxe.org/cfg/crosscert page I see that I also need to "provide an OCSP proxy service".
The Nginx service is running with ssl_stapling on; is this not an OCSP proxy service?
    # TLS cipher list as posted. Note: the RC4 suites at the end are obsolete
    # (RFC 7465 prohibits RC4 in TLS) and modern clients will not select them.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA;
    # OCSP stapling: nginx fetches the OCSP response for its OWN server
    # certificate and staples it into the TLS handshake. With
    # ssl_stapling_verify on, ssl_trusted_certificate is the CA bundle used
    # to verify that stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # Local mirror of the iPXE cross-signing CA certificates: a request for
    # /ca/auto is forwarded to http://ca.ipxe.org/auto (the trailing slash on
    # proxy_pass strips the /ca prefix). The 'cache' zone must be declared
    # with proxy_cache_path elsewhere in the http block.
    location /ca {
        proxy_cache cache;
        proxy_pass http://ca.ipxe.org/;
    }
Has anyone got this working? Any pointers or suggestions are greatly appreciated! Thanks!
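The stapling directives above and the "OCSP proxy service" the crosscert page asks for are two different things. ssl_stapling makes nginx fetch the OCSP response for its own server certificate and attach it to the TLS handshake. The request that times out in the post is a separate one: iPXE itself sends an OCSP query for the cross-signed issuer certificate, over plain HTTP, to the responder named in that certificate, which is why DEBUG=dns:7 shows it resolving ocsp.ipxe.org. On a network without Internet access that query has to be answered by a local forwarder. The configuration below is an added example, not from the original post and not from iPXE or nginx documentation, modelled on the /ca location already in the thread. It assumes: the nginx host itself has outbound HTTP access to ocsp.ipxe.org; the PXE clients' DNS view (for example a dnsmasq or bind override) resolves ocsp.ipxe.org to this nginx host, while nginx resolves the real upstream through the resolver it is given; and the cache path and zone name are placeholders to adapt.

```nginx
# Added example: forward iPXE's OCSP queries for the cross-signing CA to the
# real responder. Everything here (paths, resolver, zone name) is an assumption.

# One cache zone for both the cross-signed CA mirror and OCSP responses.
# The zone name 'cache' matches the proxy_cache directive used in the post.
proxy_cache_path /var/cache/nginx/ipxe levels=1:2 keys_zone=cache:10m
                 max_size=100m inactive=7d use_temp_path=off;

server {
    # OCSP is plain HTTP; iPXE contacts the responder URL embedded in the
    # cross-signed certificate, so this vhost must answer for that exact name.
    # Client-facing DNS must point ocsp.ipxe.org at this host (assumption).
    listen 80;
    server_name ocsp.ipxe.org;

    # Resolve the upstream name through a resolver that returns the public
    # address, not the private override that points clients at us. Using a
    # variable in proxy_pass forces nginx to use this resolver at runtime
    # instead of resolving once at startup. Replace with your own forwarder.
    resolver 1.1.1.1 valid=300s;
    set $ocsp_upstream ocsp.ipxe.org;

    location / {
        # OCSP requests arrive either as GET (base64 DER request in the path)
        # or as POST with Content-Type application/ocsp-request; proxy_pass
        # forwards both unchanged. Only GET responses are cached by default.
        proxy_pass http://$ocsp_upstream;
        proxy_set_header Host ocsp.ipxe.org;

        # OCSP responses carry their own validity window; a short cache
        # absorbs a lab full of clients booting at once without serving
        # stale status for long.
        proxy_cache cache;
        proxy_cache_valid 200 10m;
        proxy_cache_key "$request_method$request_uri";

        # Fail fast rather than letting iPXE sit on a hung connection.
        proxy_connect_timeout 5s;
        proxy_read_timeout 10s;
    }
}
```

A quick way to check the forwarder from any Linux host on the private network, once DNS points ocsp.ipxe.org at it, is `openssl ocsp -issuer <issuer.pem> -cert <cert.pem> -url http://ocsp.ipxe.org/ -text` with the cross-signed certificate and its issuer saved from the /ca mirror; a good response from the real responder returned through nginx shows a status rather than a connect error.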
Sadly, I had to disable OCSP to get HTTPS with the Let's Encrypt cert working for me on private networks.

    # Run in the iPXE source tree (src/), then rebuild
    sed -i 's|OCSP_CHECK|OCSP_CHECK_DISABLED|g' config/crypto.h