netbootxyz / netboot.xyz

Your favorite operating systems in one place. A network-based bootable operating system installer based on iPXE.
https://netboot.xyz
Apache License 2.0

Permission denied when using local assets over HTTPS #1398

Closed shalak closed 6 months ago

shalak commented 7 months ago

Describe the bug

I'm facing an issue when using my local asset cache: [image]

The cert on https://netbootxyz.mydomain.net/ is valid, signed by Let's Encrypt.

I entered the iPXE shell and ran show unixtime (and converted it via date --date=@$((0x65a43aa6))) to verify that the system time is correct - it is.

Running curl https://netbootxyz-nginx.mydomain.net/ubuntu-squash/releases/download/22.04.3-7e94379b/vmlinuz downloads the vmlinuz file with no issues.

antonym commented 7 months ago

I'd make sure your web server supports the configurations here: https://ipxe.org/crypto

shalak commented 7 months ago

I did a little one-liner to check if my traefik supports the ciphers listed there:

# One TLS 1.2 handshake per suite listed at https://ipxe.org/crypto.
# -tls1_2 is needed: -cipher only restricts TLS 1.2 suites, so with TLS 1.3
# enabled the handshake succeeds on a TLS 1.3 suite and every entry reports
# "Supported" regardless of whether the server offers it for TLS 1.2.
# (IANA suite names in -cipher need OpenSSL 1.1.1 or newer; older builds
# want the OpenSSL spellings such as AES128-SHA.)
for cipher in \
    TLS_RSA_WITH_AES_128_CBC_SHA \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
    TLS_RSA_WITH_AES_256_CBC_SHA \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
    TLS_RSA_WITH_AES_128_CBC_SHA256 \
    TLS_RSA_WITH_AES_256_CBC_SHA256 \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
    TLS_RSA_WITH_AES_128_GCM_SHA256 \
    TLS_RSA_WITH_AES_256_GCM_SHA384 \
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384; do
    echo -n "$cipher: "
    # s_client exits non-zero when the handshake fails, so the exit status is the verdict
    if openssl s_client -connect netbootxyz-nginx.mydomain.net:443 -tls1_2 -cipher "$cipher" < /dev/null > /dev/null 2>&1; then
        echo "Supported"
    else
        echo "Not supported"
    fi
done

All of them are supported:

TLS_RSA_WITH_AES_128_CBC_SHA: Supported
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: Supported
TLS_RSA_WITH_AES_256_CBC_SHA: Supported
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: Supported
TLS_RSA_WITH_AES_128_CBC_SHA256: Supported
TLS_RSA_WITH_AES_256_CBC_SHA256: Supported
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: Supported
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: Supported
TLS_RSA_WITH_AES_128_GCM_SHA256: Supported
TLS_RSA_WITH_AES_256_GCM_SHA384: Supported
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: Supported
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: Supported
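The probe below is an added example for this thread, not code from netboot.xyz, iPXE or either poster. It repeats the cipher check in Python but pins the client to TLS 1.2 with the twelve suites from https://ipxe.org/crypto, so a server that negotiates TLS 1.3 cannot make every suite look supported (Go's crypto/tls, which Traefik is built on, implements no DHE suites at all, so a "Supported" answer for a TLS_DHE_* suite is a sign the probe negotiated TLS 1.3 rather than the requested suite). It also separates a refused suite from a suite the server accepted but whose certificate chain then failed to validate, which is the case that ends in the "Permission denied" this issue is about. The host name is an assumption; replace it with your own asset server.

```python
"""Probe a boot-asset HTTPS server the way iPXE's TLS client would see it.

Added example for this thread, not code from netboot.xyz or iPXE. The host
name at the bottom is an assumption; replace it with your own asset server.
"""
import socket
import ssl

# IANA suite name -> OpenSSL cipher-list name, for the TLS 1.2 suites that
# https://ipxe.org/crypto lists (the same twelve probed in the thread).
IPXE_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": "DHE-RSA-AES256-SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}


def iana_to_openssl(iana_names):
    """Translate IANA suite names to the OpenSSL spellings set_ciphers() wants."""
    return [IPXE_SUITES[name] for name in iana_names]  # KeyError on a non-iPXE suite


def ipxe_like_context(iana_names=None):
    """Client context pinned to TLS 1.2 and the given iPXE suites (all twelve by default).

    Pinning the maximum version is the point: if TLS 1.3 were allowed, the server
    could pick a TLS 1.3 suite, the cipher restriction would never be exercised,
    and every probe would look "supported".
    """
    names = list(IPXE_SUITES) if iana_names is None else list(iana_names)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(iana_to_openssl(names)))
    ctx.load_default_certs()
    return ctx


def locally_available_suites():
    """IANA names of the iPXE suites this Python/OpenSSL build can actually offer."""
    offered = {c["name"] for c in ipxe_like_context().get_ciphers()}
    return [iana for iana, ossl in IPXE_SUITES.items() if ossl in offered]


def probe_suite(host, iana_name, port=443, timeout=5.0):
    """One TLS 1.2 handshake restricted to a single suite.

    Returns (status, detail):
      ("ok",   negotiated suite)  the server accepted the suite and the chain validated
      ("cert", verify message)    the suite was accepted (ServerHello arrived) but the
                                  certificate chain did not validate, the shape of
                                  failure that surfaces as "Permission denied" in iPXE
      ("no",   error text)        the suite was refused, or the connection failed
    """
    try:
        ctx = ipxe_like_context([iana_name])
    except ssl.SSLError as exc:  # suite not compiled into the local OpenSSL
        return ("no", f"not offerable locally: {exc}")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.cipher()[0])  # cipher() -> (name, version, bits)
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: catch first
        return ("cert", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("no", str(exc))


if __name__ == "__main__":
    HOST = "netbootxyz-nginx.mydomain.net"  # assumption: the asset host from the thread
    for suite in IPXE_SUITES:
        status, detail = probe_suite(HOST, suite)
        print(f"{suite}: {status} ({detail})")
```

Run it against the asset host and read the second column: a row of "no" for every TLS_DHE_* suite with "ok" on the TLS_RSA_* rows is the expected picture for a Go-based proxy, and a "cert" row tells you the cipher side is fine and the certificate chain is what to look at.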

antonym commented 6 months ago

Try the latest rolling release; it should handle Let's Encrypt certs better:

https://twitter.com/ipxe/status/1758124717477593405