
#1 2019-09-17 06:11:15

topcat01
Member
Registered: 2019-09-17
Posts: 123

ipxe.lkrn BIOS TLS issue

Hi, I prepared a USB netboot image following the netboot wiki: https://wiki.archlinux.org/index.php/Netboot
The ipxe.lkrn is from: https://www.archlinux.org/static/netboo … 7b45a.lkrn
The system is BIOS based.

The ipxe.lkrn image boots successfully, but when it tries to access https://www.archlinux.org/releng/netboot/archlinux.ipxe it fails with "Operation not permitted". iPXE shows the error URL http://ipxe.org/410de13c, which points to a TLS issue (Fatal alert).
Not sure how to proceed. The networking seems to be working fine. Typing route at the iPXE prompt shows an IP address has been assigned. Is there a certificate issue with ipxe.lkrn?

Offline

#2 2019-09-19 06:46:23

PiousMinion
Member
Registered: 2009-07-21
Posts: 12

Re: ipxe.lkrn BIOS TLS issue

I have the same problem with the EFI image.
I've tested on bare metal and a VM.

ipxe.org suggests it may be TLS certificate related. Perhaps an update to the ipxe image is in order? I have no idea.

Offline

#3 2019-09-19 13:06:06

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: ipxe.lkrn BIOS TLS issue

Netboot images are maintained by the release engineering people.

You might want to file a bug report for "Release Engineering" or post to the arch-releng ML about this.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Online

#4 2019-10-01 22:06:51

topcat01
Member
Registered: 2019-09-17
Posts: 123

Re: ipxe.lkrn BIOS TLS issue

Offline

#5 2019-10-24 09:29:04

qupfer
Member
Registered: 2014-04-02
Posts: 14

Re: ipxe.lkrn BIOS TLS issue

I played a bit around and found a (dirty) solution.
Just add the script in the pxe directly (using this https://aur.archlinux.org/packages/ipxe-netboot) and modify the arch.ipxe file and the PKGBUILD file to skip the checksum check.
my ipxe.pxe

If I link to a file on my site, the same error occurs. So it's probably a TLS thing (no matching cipher...) and not an invalid certificate. Linking to a plain http source works well.

Last edited by qupfer (2019-10-24 09:30:03)

Offline

#6 2019-11-09 15:07:38

callmejoe
Member
Registered: 2019-03-06
Posts: 71

Re: ipxe.lkrn BIOS TLS issue

qupfer wrote:

I played a bit around and found a (dirty) solution.
Just add the script in the pxe directly (using this https://aur.archlinux.org/packages/ipxe-netboot) and modify the arch.ipxe file and the PKGBUILD file to skip the checksum check.
my ipxe.pxe

If I link to a file on my site, the same error occurs. So it's probably a TLS thing (no matching cipher...) and not an invalid certificate. Linking to a plain http source works well.

I'm having the same issue but I am not sure how to implement your solution.

Offline

#7 2019-12-08 21:38:33

enc
Member
Registered: 2016-08-31
Posts: 2

Re: ipxe.lkrn BIOS TLS issue

callmejoe wrote:
qupfer wrote:

I played a bit around and found a (dirty) solution.
Just add the script in the pxe directly (using this https://aur.archlinux.org/packages/ipxe-netboot) and modify the arch.ipxe file and the PKGBUILD file to skip the checksum check.
my ipxe.pxe

If I link to a file on my site, the same error occurs. So it's probably a TLS thing (no matching cipher...) and not an invalid certificate. Linking to a plain http source works well.

I'm having the same issue but I am not sure how to implement your solution.

Yep, it works over HTTP. iPXE does not like the archlinux.org TLS certificate for some reason. So if you download archlinux.ipxe and store it on either your local or remote web server, it works.

I just did:
1) wget https://www.archlinux.org/releng/netboot/archlinux.ipxe
2) python3 -m http.server 80
3) (when you get the prompt in iPXE after the error, type:) chain http://192.168.xxx.xxx/archlinux.ipxe

How weird it still has not been fixed : (

Offline
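
The workaround in post #7 as a small server, added here as an example (not code from any poster or from the Arch project): instead of exposing the whole working directory on every interface, it serves only the one downloaded script on one chosen address and prints the SHA-256 of the bytes it serves, so they can be checked against the copy fetched over HTTPS. The names `serve_script` and `make_handler` are made up for this example.

```python
import hashlib
import http.server
import sys
import threading
from pathlib import Path


def make_handler(url_path: str, body: bytes):
    """Build a handler that serves exactly one path and 404s everything else."""

    class OneFileHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != url_path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return OneFileHandler


def serve_script(script_path, bind_addr, port=80):
    """Serve one file in a background thread; return (server, sha256 hex)."""
    script_path = Path(script_path)
    # Read once: the bytes that were hashed are the bytes that get served.
    body = script_path.read_bytes()
    digest = hashlib.sha256(body).hexdigest()
    handler = make_handler("/" + script_path.name, body)
    server = http.server.ThreadingHTTPServer((bind_addr, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, digest


if __name__ == "__main__":
    # Usage: python3 serve_one.py archlinux.ipxe <LAN address of this host>
    # Port 80 needs root, as it does for "python3 -m http.server 80".
    path, addr = sys.argv[1], sys.argv[2]
    srv, sha = serve_script(path, addr)
    print(f"sha256 {sha}  {path}")
    print(f"at the iPXE prompt: chain http://{addr}/{Path(path).name}")
    try:
        threading.Event().wait()  # keep serving until Ctrl-C
    except KeyboardInterrupt:
        srv.shutdown()
```

Each request is logged to stderr, so the single fetch made by the booting machine is visible; stop the server once it has happened.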

#8 2019-12-12 09:02:23

lrz
Member
Registered: 2019-12-12
Posts: 7

Re: ipxe.lkrn BIOS TLS issue

I confirm the issue, and enc's solution works well.

Offline
