iPXE netboot fails due to archlinux.org certificate change
As of this week, the ipxe-arch.efi netboot image from https://archlinux.org/releng/netboot/ suddenly fails (the same image worked before, with no changes). It gives the following output:
iPXE initialising devices...ok
iPXE 1.0.0+ -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS iSCSI NFS TFTP SRP AoE EFI Menu
Configuring (net0 xx:xx:xx:xx:xx:xx)...... ok
https://ipxe.archlinux.org/releng/netboot/archlinux.ipxe... Operation not permitted (http://ipxe.org/410de18f)
iPXE>
The link in the error message hints that it's caused by some kind of TLS failure, and indeed if I host archlinux.ipxe on my own machine over HTTP, it works just fine.
On July 20, archlinux.org got a new certificate. The old certificate had an RSA key:
Validity
Not Before: Jun 12 06:09:43 2024 GMT
Not After : Sep 10 06:09:42 2024 GMT
Subject:
commonName = archlinux.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
Whereas the new certificate has an ECC key:
Validity
Not Before: Jul 20 12:01:41 2024 GMT
Not After : Oct 18 12:01:40 2024 GMT
Subject:
commonName = archlinux.org
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256
iPXE only supports RSA public keys, so presumably the certificate change is causing the boot failure.