[Solved] Is it possible to use a custom CA with no IP SAN, just a domain name?
-
I just stumbled across this:
https://forums.fogproject.org/topic/17719/custom-ca-problem-boot-pxe
It seems like “NoIPName” found the same solution that I did (edit default.ipxe so clients connect to HTTPS://<domain name>/fog/service/ipxe/boot.php), but for us, for some reason, even though this did change the address the clients were attempting to access, it still broke with a permission error.
I’m assuming at this point it’s because I got so desperate that I had changed many, many things and something I had changed at some point was breaking things. That being said, we’d rather not have to remember the edit in default.ipxe every time we rebuild the iPXE binaries (something we have needed to do before and likely will have to do again).
So this raises the following questions: how is default.ipxe generated? Where does it get the line “chain https://10.0.0.1/fog/service/ipxe/boot.php##params” from? And is this the only remaining obstacle to using a domain name instead of an IP address for iPXE and a custom CA?
UPDATE:
default.ipxe is not generated with the iPXE binaries, it’s generated at FOG install. Editing it is fine and we don’t have to re-edit on re-build. That being said, even on a completely fresh install in our test environment it still fails when attempting to fetch boot.php due to ‘operation not permitted’. Really struggling to work out what is missing/going wrong here.
UPDATE2:
Found the problem: our certs are ECDSA, not RSA. Facepalm.
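The two checks the post ends up needing, written out as an added example (this is not FOG project code and not from the original post): a POSIX shell script that (a) inspects the text form of a server certificate and flags a non-RSA key or a SAN that does not list the boot host, and (b) rewrites the chain line in default.ipxe from the IP address to the domain name. The certificate text and default.ipxe contents embedded below are constructed samples, and the hostname fog.example.com and the address 10.0.0.1 are assumptions; run the real thing by piping `openssl x509 -in server.crt -noout -text` and your actual default.ipxe through the same functions.

```shell
#!/bin/sh
# Added example, not part of the FOG project or the post above.
# Pre-flight checks before pointing iPXE at https://<domain>/fog/service/ipxe/boot.php
# with a custom CA. Assumed names: fog.example.com (boot host), 10.0.0.1 (old IP).

# ipxe_cert_check NAME
# Reads "openssl x509 -noout -text" output on stdin. Returns 0 when the key is RSA
# and the SAN lists DNS:NAME; 3 for a non-RSA key (the post's ECDSA failure mode);
# 4 when the SAN lacks DNS:NAME; 2 when no key algorithm line is found at all.
ipxe_cert_check() {
    name="$1"
    text=$(cat)
    alg=$(printf '%s\n' "$text" | awk -F': *' '/Public Key Algorithm/ { print $2; exit }')
    # The SAN values sit on the line after the "Subject Alternative Name" header.
    sans=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print; exit }' | tr -d ' ')
    case "$alg" in
        rsaEncryption) ;;
        '') echo "no Public Key Algorithm line found" >&2; return 2 ;;
        *)  echo "key algorithm is $alg, not rsaEncryption (the ECDSA cert in the post failed with 'operation not permitted')" >&2; return 3 ;;
    esac
    case ",$sans," in
        *",DNS:$name,"*) echo "ok: RSA key, SAN includes DNS:$name"; return 0 ;;
        *) echo "SAN [$sans] does not include DNS:$name" >&2; return 4 ;;
    esac
}

# ipxe_chain_use_name OLD_IP NAME
# Reads default.ipxe on stdin and prints it with "chain https://OLD_IP/..." changed
# to "chain https://NAME/..."; every other line is passed through untouched.
# Uses a literal substring match (index), so the dots in OLD_IP are not regex wildcards.
ipxe_chain_use_name() {
    awk -v ip="$1" -v name="$2" '
        $1 == "chain" {
            n = index($2, "://" ip "/")
            if (n) $2 = substr($2, 1, n + 2) name substr($2, n + 3 + length(ip))
        }
        { print }'
}

# Constructed sample of "openssl x509 -noout -text" output for an RSA cert (abridged).
SAMPLE_RSA='Certificate:
    Data:
        Subject: CN = fog.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:fog.example.com, IP Address:10.0.0.1'

# Constructed sample for an ECDSA (P-256) cert, the case that broke in the post.
SAMPLE_EC='Certificate:
    Data:
        Subject: CN = fog.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:fog.example.com'

# Constructed two-line default.ipxe with the chain line quoted in the post.
SAMPLE_IPXE='#!ipxe
chain https://10.0.0.1/fog/service/ipxe/boot.php##params'

# Demo on the constructed samples. For a real certificate:
#   openssl x509 -in server.crt -noout -text | ipxe_cert_check fog.example.com
printf '%s\n' "$SAMPLE_EC" | ipxe_cert_check fog.example.com || echo "rejected (exit $?)"
printf '%s\n' "$SAMPLE_RSA" | ipxe_cert_check fog.example.com
printf '%s\n' "$SAMPLE_IPXE" | ipxe_chain_use_name 10.0.0.1 fog.example.com
```

The key-type check runs before the SAN check on purpose: a certificate can have a perfect SAN and still be unusable by iPXE if the key is EC, which is exactly the order of discovery in the post.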