iPXE discussion forum (https://forum.ipxe.org)
Thread: imgload from https://developer.mozilla.org causes 'Permission denied' error (/showthread.php?tid=6251)



imgload from https://developer.mozilla.org causes 'Permission denied' error - asashnov - 2012-10-19 17:18


I compiled iPXE with the HTTPS protocol enabled and
TRUST=/etc/ssl/certs/GeoTrust_Global_CA.pem
but get a 'Permission denied' (http://ipxe.org/0216e63c) error.


Steps to reproduce:

(All of these steps are implemented in the attached 'makeimage.sh' POSIX shell script. Just get it, chmod +x it and run it; tested on Ubuntu 12.04.)


1. $ git clone git://git.ipxe.org/ipxe.git
$ cd ipxe/src

2. define DOWNLOAD_PROTO_HTTPS in config/general.h

3. $ make bin/ipxe.lkrn TRUST=/etc/ssl/certs/GeoTrust_Global_CA.pem

4. $ wget http://boot.ipxe.org/ipxe.iso

5. Remaster the ISO:

* add the following line to isolinux.cfg:
INITRD script.txt

* create script.txt:

Code:
#!ipxe

echo "iPXE script: configuring network..."
dhcp
route

echo "iPXE script: try to load image"
imgload https://developer.mozilla.org/media/img/favicon.ico || shell

shell

6. Boot from it (under VirtualBox, for example).



Actual result:

Error message in the console:
Permission denied (http://ipxe.org/0216e63c)


Expected result:
* Successful file transfer over HTTPS
(and then a failure on the attempt to execute the .ico file content).
* TRUST will work both for my own CA and for an existing one.

Additional details:

If I build with

$ make bin/ipxe.lkrn \
TRUST=/etc/ssl/certs/GeoTrust_Global_CA.pem \
DEBUG=x509,httpcore,https,rootcert

I get the following in the console:
(The entire console output is in the attached file com1_raw_dump_https_error_with_debug.bin; you can view it in colour with the 'less -R <file>' command.)

Quote:ROOTCERT using 1 built-in certificate(s):
00000000 : ff 85 6a 2d 25 1d cd 88-d3 66 56 f4 50 12 67 98 : ..j-%....fV.P.g.
00000010 : cf ab aa de 40 79 9c 72-2d e4 d2 b5 db 36 a7 3a : ....@y.r-....6.:

This exactly matches the SHA256 fingerprint of the GeoTrust Global CA certificate; it is all right.

Quote:https://developer.mozilla.org/media/img/favicon.ico...
X509 chain 0xda154 added X509 0xdcf94 "developer.mozilla.org"
X509 chain 0xda154 added X509 0xdf7f4 "GeoTrust SSL CA"
X509 chain 0xda154 added X509 0xdfc84 "GeoTrust Global CA"
X509 chain 0xda154 found no valid certificates
"GeoTrust Global CA" should be valid, shouldn't it?
Quote:.HTTP 0xdb244 response "HTTP/1.1 200 OK"
HTTP 0xdb244 header "Date: Fri, 19 Oct 2012 06:12:29 GMT"
HTTP 0xdb244 header "Server: Apache/2.2.22 (Mandriva Linux/PREFORK-0.1mdv2010.2)"
HTTP 0xdb244 header "Last-Modified: Mon, 01 Oct 2012 11:07:43 GMT"
HTTP 0xdb244 header "ETag: "52d8-9ee-4cafd6a221dc0""
HTTP 0xdb244 header "Accept-Ranges: bytes"
HTTP 0xdb244 header "Content-Length: 2542"
HTTP 0xdb244 header "Content-Type: application/x-x509-ca-cert"
HTTP 0xdb244 start of data
X509 chain 0xda134 added X509 0xdbf94 "<NULL>"
X509 chain 0xda134 added X509 0xdc2f4 "iPXE cross-signing CA"
X509 chain 0xda134 added X509 0xdc704 "iPXE root CA"
X509 chain 0xda154 added X509 0xdbf94 "<NULL>"
X509 chain 0xda154 added X509 0xdc2f4 "iPXE cross-signing CA"
X509 chain 0xda154 added X509 0xdc704 "iPXE root CA"
.X509 chain 0xda154 found no valid certificates
Permission denied (http://ipxe.org/0216e63c)
What is the "<NULL>" certificate in the chain? Is it all right?


Also, the file com1_raw_dump_https_error_with_debug_7.bin contains the console log for the build
$ make bin/ipxe.lkrn \
TRUST=/etc/ssl/certs/GeoTrust_Global_CA.pem \
DEBUG=x509:7,httpcore:7,https:7,rootcert:7
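An added check, not part of the original post, for the comparison made above between the ROOTCERT debug dump and the fingerprint of the TRUST file: it parses a PEM bundle, takes the SHA-256 of each certificate's DER encoding, and renders or parses iPXE's hex-dump layout so the two can be compared mechanically. The PEM below is a constructed placeholder (arbitrary bytes, not a real certificate) so the script runs offline; the dump layout is taken from the lines quoted above.

```python
import base64
import hashlib
import re

# Constructed sample, not a real certificate: arbitrary DER-like bytes wrapped
# as PEM so the example runs offline. Read your real TRUST file instead.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# One line of iPXE's debug hex dump: "<offset> : <hex bytes> : <ascii>"
DUMP_RE = re.compile(r"^[0-9a-f]{8} : ((?:[0-9a-f]{2}[ -]?)+) :", re.I)


def pem_to_der(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order (TRUST may hold several)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprints(pem_text):
    """SHA-256 over the DER encoding, which is what iPXE prints under ROOTCERT."""
    return [hashlib.sha256(der).digest() for der in pem_to_der(pem_text)]


def ipxe_hexdump(data):
    """Render bytes in iPXE's hex-dump layout: 16 per line, '-' between bytes 7 and 8."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        if len(chunk) > 8:
            hexpart = hexpart[:23] + "-" + hexpart[24:]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x} : {hexpart} : {text}")
    return "\n".join(lines)


def parse_ipxe_hexdump(debug_text):
    """Recover the raw bytes from ROOTCERT debug lines pasted from the console."""
    out = bytearray()
    for line in debug_text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            out += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(out)


def rootcert_matches(pem_text, debug_text):
    """True if the fingerprint iPXE printed is that of a certificate in the TRUST bundle."""
    return parse_ipxe_hexdump(debug_text) in fingerprints(pem_text)
```

Paste the two ROOTCERT dump lines from the console into rootcert_matches together with the contents of the TRUST file; a False result means the embedded root is not the certificate you expected.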


RE: imgload from https://developer.mozilla.org causes 'Permission denied' error - robinsmidsrod - 2012-10-26 15:43

If you need to set your own CA cert then you'll need to do the cross-signing yourself (which the built-in cert is already set up for, using http://ca.ipxe.org/). You should be able to set up everything by following the guide at http://ipxe.org/crypto.

About the <NULL> certificate, I'm not entirely sure. You might have more luck if you ask on the developer mailing list.