[GH-ISSUE #22] Use HTTPS #1549

Closed
opened 2026-03-01 18:34:15 +03:00 by kerem · 5 comments

Originally created by @3wille on GitHub (Jan 12, 2016).
Original GitHub issue: https://github.com/netbootxyz/netboot.xyz/issues/22

As far as I understand, iPXE supports HTTPS connections[0].
It also seems like you could directly include the root cert of an existing CA like Let's Encrypt.

[0] http://ipxe.org/crypto


@oarmstrong commented on GitHub (Jan 15, 2016):

Looks like it would be fairly easy to get the final provider images booting from HTTPS, I can take a stab at that tonight.

However, to get the PXE menus loading over HTTPS the certificate needs to be fixed on boot.netboot.xyz. Is that a CDN somewhere? It has various names on the certificate like `*.akamaihd.net` referring to Akamai.

Also, is this something you'd want an option for @antonym ? Or would it be safe to assume that using plain HTTP would never be needed?


@antonym commented on GitHub (Jan 15, 2016):

Yeah, I'd need to switch the main code over to the HTTPS Akamai CDN link and then also switch all items over to pull from HTTPS mirrors.

I'm currently using the default iPXE root CA in iPXE which doesn't appear to support some of the HTTPS sites I'd need to hit. iPXE currently is pulling the full root CA from http://ca.ipxe.org/ca.crt. Just need to find some time to wrap my head around it. Once that's done though, the other changes above are simple.


@3wille commented on GitHub (Jan 15, 2016):

I think if you use the cert of a "normal" root CA it should work with most servers. Normal means accepted by common browsers, which implies that most servers will use one of these.
I don't know how difficult it is to change the root CA in iPXE.
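
The build-time side of the question above, as an added example that is not part of the thread or of the netboot.xyz code: iPXE enables HTTPS with `DOWNLOAD_PROTO_HTTPS` and takes its trusted root from the `TRUST=` make variable, as documented at ipxe.org/crypto. The function names, the source-tree path and the CA file name are hypothetical.

```shell
#!/bin/sh
# Added example: prepare an iPXE source tree for an HTTPS-capable build that
# trusts one chosen root CA. Function names and paths are hypothetical.

# Turn on the HTTPS download protocol through iPXE's local config override,
# so the tracked config/general.h stays untouched.
enable_https() {
    src_dir=$1                                   # e.g. ipxe/src
    cfg="$src_dir/config/local/general.h"
    mkdir -p "$src_dir/config/local"
    # Idempotent: append the define only if it is not already there.
    grep -qs '^#define DOWNLOAD_PROTO_HTTPS' "$cfg" ||
        printf '#define DOWNLOAD_PROTO_HTTPS\n' >> "$cfg"
}

# Refuse anything that is not a PEM certificate before it becomes a trust root.
check_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Print the make invocation (run it from the iPXE src/ directory).
# TRUST= makes the given root the image's trust anchor in place of the
# default iPXE root CA, so every HTTPS server the image talks to must
# present a chain that ends at this root.
build_cmd() {
    ca=$1
    target=${2:-bin/undionly.kpxe}
    check_pem "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
    printf 'make %s TRUST=%s\n' "$target" "$ca"
}

# Stand-alone use: sh prepare.sh <ipxe-src-dir> <root-ca.pem>
if [ "$#" -eq 2 ]; then
    enable_https "$1" && build_cmd "$2"
fi
```
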


@antonym commented on GitHub (Jan 25, 2016):

boot.netboot.xyz is now HTTPS enabled and the bootloaders now use it by default. You'll need to pull down the latest iPXE builds to chain into it by default. I've left HTTP enabled for now so that users without HTTPS support compiled into iPXE can still chain into netboot.xyz.

Next I'll probably version out the iPXE loaders and then have it chain a netboot.xyz image if the versions don't match so that anyone chaining will get an HTTPS-supported bootloader. Then I should be able to redirect HTTP requests to HTTPS.

https://github.com/antonym/netboot.xyz/commit/78cdcec6c51416971b4f8714c38c3ebf872cb625

Still have to work on switching things to HTTPS for the provider images along with checksums.


@antonym commented on GitHub (Apr 30, 2016):

netboot.xyz top domain is now HTTPS by default, closing out.
