Are old cross-signed certs causing "iPXE cross-signing CA has expired" errors?

Are old cross-signed certs causing "iPXE cross-signing CA has expired" errors? - Printable Version

+- iPXE discussion forum (https://forum.ipxe.org)
+-- Forum: iPXE user forums (/forumdisplay.php?fid=1)
+--- Forum: General (/forumdisplay.php?fid=2)
+--- Thread: Are old cross-signed certs causing "iPXE cross-signing CA has expired" errors? (/showthread.php?tid=8170)

Are old cross-signed certs causing "iPXE cross-signing CA has expired" errors? - soltesz - 2016-09-07 20:30

Are any certs still being served from http://ca.ipxe.org/auto signed by the cross-signing cert that expired in Feb 2016?

I see that http://ca.ipxe.org/cross-ca.crt is up to date. However, when running an https download from google cloud storage, ipxe reports that "iPXE cross-signing CA" has expired.

Adding a new debug log line to crypto/x509.c I see that iPXE is using a cross-signing certificate that is valid "not after" 1456479729 (2016-02-26T09:42:09).

See a screen shot here: https://storage.googleapis.com/dash-test-1/tinycore/ipxe-error.png (I could not upload an attachment for this post)

These are the two HTTP get requests from iPXE for the cross-signed certs (I believe).

Code:

GET /auto/5df65e6d.der?subject=ME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyR​FcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHk= HTTP/1.1

GET /ocsp/root/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBSdIkBuCekXxHtcIxfjfzqJURDvHwQUq0EwXAuzDHEHMTwzdkSY​HFHUKnICASk= HTTP/1.1

And, I see that some *.der files have older timestamps than 31-Aug-2016:
http://ca.ipxe.org/auto/ -- one in particular: 5df65e6d.der has an mtime of 01-Nov-2014.

Unfortunately, I'm not able to inspect these .der files; openssl reports:

Code:

$ openssl x509 -inform der -in ~/Downloads/5df65e6d.der -out certificate.pem

unable to load certificate

140437768582816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:

140437768582816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=X509

Is this an issue with out-of-date certs? Will it be fixed?

Is there a repository or location for the scripts used to generate the auto/*.der files for self-hosting cross-signed certificate files?

Commands used to build and test.

Code:

$ make EMBED=embed.ipxe bin/ipxe.iso  DEBUG=x509,validator

$ cat embed.ipxe

dhcp

set crosscert http://ca.ipxe.org/auto

kernel https://storage.googleapis.com/dash-test-1/tinycore/vmlinuz