• I try to start loading of files through https, but to me gives permission denied error message, tell that it is necessary to register in default.ipxe normally to be loaded? DOWNLOAD_PROTO_HTTPS and IMAGE_TRUST_CMD are included. To the FAQ it is it is unclear written I cannot understand, somebody can tried, tell in more detail as it becomes?

  • Senior Developer

  • Senior Developer

    @brakcounty said in ipxe https:

    so FOG is set to ipxe over https by default? how can trust be established at the BIOS or UEFI level?

    No it’s not by default. There is a flag for the installer to make it use HTTPS (--force-ssl).

    The trust chain is not going all the way down to BIOS/UEFI firmware. When installing FOG with SSL/HTTPS it compiles iPXE binaries for you that include the self-signed certificate used for HTTPS communication within FOG. So loading iPXE via TFTP can still be considered untrusted but iPXE itself loading the boot menu and FOS kernel is kind of trusted. Be aware that we are not doing this to establish some kind of full trust chain like mechanisms like Secure Boot and other means of DRM work. It’s more a thing of providing a secure channel between client and server.

  • Right my freenas server is hosting on http not https via webdav. it is being hosted on an isolated network so i dont see the need to secure it, plus the webdav is set to read only. so FOG is set to ipxe over https by default? how can trust be established at the BIOS or UEFI level?

  • Senior Developer

    @brakcounty While you are right it kind of sounds like @datnt2509 is running into an issue with trying to PXE boot from a HTTPS enabled FOG server. This is known to cause “permission denied” errors as well - not very user friendly but it’s iPXE’s way of telling that it can’t download via HTTPS (usually a trust issue).

  • the only time ive seen permission issues with ipxe is when the tftproot folder isnt public with read and execute, but that was on my freenas server using dnsmasq for dhcp and tftp. maybe check the permissions on /tftproot and /var/www/fog/service/ipxe.

  • Senior Developer

    @datnt2509 Which version of FOG do you use? The most current version compiles iPXE for you including all the HTTPS stuff and certificates, so there shouldn’t be any need for manual compiling it.