iPXE discussion forum
DNS problem - Printable Version




DNS problem - Game - 2013-07-01 21:09

Hi, I am setting up a chain loading environment (VMware Auto Deploy) and I have the following:
----------------------------
iPXE 1.0.0+ (9361) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: HTTP HTTPS iSCSI DNS TFTP AoE bzImage ELF MBOOT PXE PXEXT Menu

iPXE> dhcp net0
DHCP (net0 b8:ac:6f:82:9d:2a)...... ok
iPXE> show ip
net0.dhcp/ip:ipv4 = 192.168.0.50
iPXE> show dns
net0.dhcp/dns:ipv4 = 192.168.0.1
iPXE> show gateway
net0.dhcp/gateway:ipv4 = 192.168.0.1
iPXE> show next-server
net0.dhcp/next-server:ipv4 = 192.168.0.1
iPXE> show netmask
net0.dhcp/netmask:ipv4 = 255.255.255.0
iPXE> show domain
net0.dhcp/domain:string = test.com
iPXE> chain https://192.168.0.52:6501/vmw/rbd/tramp
https://192.168.0.52:6501/vmw/rbd/tramp... Error 0x3e11613b (http://ipxe.org/3e11613b)
------------------------------------
When I looked it up, it is "Error: DNS name does not exist". Clearly DNS is visible here.


RE: DNS problem - robinsmidsrod - 2013-07-02 08:15

Yes, you have DNS available, but you're trying to do HTTPS on an IP-address. HTTPS expects the host in the URL to be a domain name, or else it can't validate that the certificate matches. So what it actually tries to pretend is a DNS hostname is the literal string "192.168.0.52", which it obviously is not. Configure a hostname for the server at 192.168.0.52 in your DNS and stick that name in your script instead of the IP. Obviously you must also make sure that the certificate you're using on the web server matches that name. See http://ipxe.org/crypto for more details on the HTTPS support.


RE: DNS problem - ArneLovius - 2013-07-02 09:38

(2013-07-02 08:15)robinsmidsrod Wrote:  HTTPS expects the host in the URL to be a domain name, or else it can't validate that the certificate matches

Er, you can have an SSL certificate with an IP address as a host name. You're unlikely to get a commercial CA to provide a certificate with an IP address, but an internal private CA is a different kettle of fish.


RE: DNS problem - robinsmidsrod - 2013-07-02 23:48

Well, that might be, but have you verified that the iPXE HTTPS implementation allows such a setup? I suggest you try with a DNS name and see if you get a different type of error just to rule out that possibility. My guess is that HTTPS with an IP address is not supported. I haven't checked the source, though, so I might be wrong.


RE: DNS problem - Game - 2013-07-22 02:00

Just so that no one is stuck here:

The problem is indeed in HTTPS x509 validation.
The code looks for the same name in the certificate as in the chain loading URL. In my case it was different.
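
Added example, not part of the thread and not iPXE's own code: a simplified model of the check the thread arrives at, where the host taken from the chain URL must appear among the names in the server certificate. The function names, the hostname autodeploy.test.com and the name list are constructed for illustration; the wildcard rule is the usual TLS convention, and the URL parser assumes no userinfo and no bracketed IPv6 literal.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host of scheme://host[:port]/path into out; -1 if unparsable. */
static int url_host(const char *url, char *out, size_t len)
{
    const char *p = strstr(url, "://");
    if (!p)
        return -1;
    p += 3;
    size_t n = strcspn(p, ":/?#");
    if (n == 0 || n >= len)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Exact, case-insensitive match, or "*.domain" covering one left-most label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strcasecmp(pattern, host) == 0)
        return 1;
    /* An IP literal is only ever compared as an exact string. */
    if (strspn(host, "0123456789.") == strlen(host))
        return 0;
    const char *dot = strchr(host, '.');
    return strncmp(pattern, "*.", 2) == 0 && dot && dot != host &&
           strcasecmp(pattern + 1, dot) == 0;
}

/* 1 = URL host is named in the certificate, 0 = mismatch, -1 = bad URL. */
static int url_matches_cert(const char *url, const char *const *names, size_t count)
{
    char host[256];
    if (url_host(url, host, sizeof(host)) != 0)
        return -1;
    for (size_t i = 0; i < count; i++)
        if (name_matches(names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed: names a server certificate might carry. */
    const char *names[] = { "autodeploy.test.com" };
    printf("%d\n", url_matches_cert("https://192.168.0.52:6501/vmw/rbd/tramp", names, 1));
    printf("%d\n", url_matches_cert("https://autodeploy.test.com:6501/vmw/rbd/tramp", names, 1));
    return 0;
}
```

Run stand-alone it prints 0 for the IP-based URL from the first post and 1 once the URL uses the name the certificate carries.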