Scalable hosting for ca.ipxe.org files #126

Open
4 tasks
mcb30 opened this issue Jul 22, 2020 · 6 comments
Member

mcb30 commented Jul 22, 2020

Description

As a sysadmin, I would like the cross-signed certificate files (see https://ipxe.org/cfg/crosscert) to be hosted on a highly available service, so that I do not have to worry about outages of the single machine currently hosting ca.ipxe.org.

The cross-signed certificate files are just static files (with filenames constructed from a hash of the certificate subject name) and can be served from any infrastructure capable of serving static files via HTTP. The request from iPXE includes a query string encoding the raw subject name but this is only for debugging purposes and can be safely ignored.

Acceptance criteria

  • Cross-signed certificate files are hosted on a highly available service (such as AWS S3 in multiple regions)
  • Cross-signing process is updated to upload files automatically to the HA hosting service
  • Cross-signed certificate files can be downloaded using the existing http://ca.ipxe.org/auto base URI
  • iPXE is able to perform an HTTPS boot using a cross-signed certificate downloaded from the HA hosting service, with no changes to iPXE code or configuration required.
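
An added example, not part of the original issue or of the iPXE project's code: a smoke check for a candidate host against the description above, confirming that a request carrying a query string returns the same bytes as one without it and that the body has the outer shape of a DER file. The `fetch` hook, the filename `0123abcd.der`, the `subject` parameter name and its encoding, the DER assumption and the two in-memory hosts are all constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

BASE_URI = "http://ca.ipxe.org/auto"  # base URI named in the issue

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (assumed outer shape of the file)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + length    # no truncation, no trailing bytes

def check_host(fetch, filename: str, subject: bytes) -> list:
    """Return problems found for one file; fetch(url) -> (status, body) is a caller hook."""
    plain = f"{BASE_URI}/{filename}"
    # Assumption: parameter name and encoding are illustrative, not taken from the issue.
    query = plain + "?subject=" + base64.urlsafe_b64encode(subject).decode()
    problems = []
    (s1, b1), (s2, b2) = fetch(plain), fetch(query)
    if s1 != 200:
        problems.append(f"plain request returned {s1}")
    if s2 != 200:
        problems.append(f"request with query string returned {s2}")
    if s1 == 200 and s2 == 200 and b1 != b2:
        problems.append("query string changed the response body")
    if s1 == 200 and not der_sequence_ok(b1):
        problems.append("body is not a single DER SEQUENCE")
    return problems

# Constructed sample data: a 6-byte DER blob and two in-memory "hosts".
SAMPLE = bytes([0x30, 0x04, 0x02, 0x02, 0x01, 0x00])
FILES = {"/auto/0123abcd.der": SAMPLE}

def good_host(url):
    body = FILES.get(urlsplit(url).path)   # path only: query string ignored
    return (200, body) if body else (404, b"")

def strict_host(url):
    parts = urlsplit(url)
    key = parts.path + ("?" + parts.query if parts.query else "")
    body = FILES.get(key)                  # misconfigured: query is part of the key
    return (200, body) if body else (404, b"")
```
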
@mcb30
Member Author

mcb30 commented Jul 22, 2020

Added #127 to handle the related scalable hosting for OCSP.

@MaxPeal

MaxPeal commented Jul 22, 2020

I'll ask packethost https://www.packet.com/community/open-source/
as they use ipxe in many parts
and give you feedback

@MaxPeal

MaxPeal commented Jul 22, 2020

I have sent packethost a friendly message to ask about supporting ipxe.
@mcb30 I'll give you direct feedback after I get info from @packethost

@vielmetti

@MaxPeal @mcb30 We at @packethost are interested in helping, I'll follow up on the email.

@MaxPeal

MaxPeal commented Jul 22, 2020

  • @mcb30 after I get all the info and org stuff, you will get a summary [DONE]

@kraxel

kraxel commented Jul 24, 2020

qemu can make root ca certificates available to guests, via fw_cfg, and ipxe could use that.

In that case managing the list of certificates would be the job of the host machine,
there would be no need for ipxe to query ca.ipxe.org or ocsp.ipxe.org.

Of course this would solve the problem for (qemu/kvm) virtual machines only.
Deployments on physical hardware still need ca.ipxe.org.
