[GH-ISSUE #1398] Permission denied when using local assets over HTTPS #1970

Closed
opened 2026-03-01 18:37:41 +03:00 by kerem · 3 comments

Originally created by @shalak on GitHub (Jan 14, 2024).
Original GitHub issue: https://github.com/netbootxyz/netboot.xyz/issues/1398

**Describe the bug**
I'm facing an issue when using my local asset cache:
![image](https://github.com/netbootxyz/netboot.xyz/assets/1536554/01ca9114-16c1-4d17-ad27-80066f757316)

The cert on `https:/netbootxyz.mydomain.net/` is valid, signed by Let's Encrypt.

I entered the iPXE shell and ran `show unixtime` (and converted it via `date --date=@$((0x65a43aa6))`) to verify that the system time is correct - it is.

Running `curl https://netbootxyz-nginx.mydomain.net/ubuntu-squash/releases/download/22.04.3-7e94379b/vmlinuz` downloads the vmlinuz file with no issues.

kerem (2026-03-01 18:37:41 +03:00) closed this issue and added the bug label.

@antonym commented on GitHub (Jan 14, 2024):

I'd make sure your web server supports the configurations here: https://ipxe.org/crypto


@shalak commented on GitHub (Jan 14, 2024):

I did a little one-liner to check if my Traefik supports the ciphers listed there:

```bash
# iPXE only speaks TLS 1.2, so the probe is pinned to TLS 1.2 with -tls1_2:
# if TLS 1.3 is allowed, the -cipher restriction does not apply to the
# negotiated TLS 1.3 suite and every entry would report "Supported".
for cipher in \
    TLS_RSA_WITH_AES_128_CBC_SHA \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
    TLS_RSA_WITH_AES_256_CBC_SHA \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
    TLS_RSA_WITH_AES_128_CBC_SHA256 \
    TLS_RSA_WITH_AES_256_CBC_SHA256 \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
    TLS_RSA_WITH_AES_128_GCM_SHA256 \
    TLS_RSA_WITH_AES_256_GCM_SHA384 \
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 \
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384; do
    echo -n "$cipher: "
    # s_client exits non-zero when the handshake with this single suite fails
    if openssl s_client -connect netbootxyz-nginx.mydomain.net:443 -tls1_2 -cipher "$cipher" < /dev/null > /dev/null 2>&1; then
        echo "Supported"
    else
        echo "Not supported"
    fi
done
```

All of them are supported:

```
TLS_RSA_WITH_AES_128_CBC_SHA: Supported
TLS_DHE_RSA_WITH_AES_128_CBC_SHA: Supported
TLS_RSA_WITH_AES_256_CBC_SHA: Supported
TLS_DHE_RSA_WITH_AES_256_CBC_SHA: Supported
TLS_RSA_WITH_AES_128_CBC_SHA256: Supported
TLS_RSA_WITH_AES_256_CBC_SHA256: Supported
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: Supported
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: Supported
TLS_RSA_WITH_AES_128_GCM_SHA256: Supported
TLS_RSA_WITH_AES_256_GCM_SHA384: Supported
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: Supported
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: Supported
```
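As an added example (not part of the thread or of netboot.xyz), the same probe written with Python's `ssl` module so that it cannot be fooled by a TLS 1.3 negotiation, plus the clock check from the report: it converts the hex value from `show unixtime` and tests it against the certificate's validity window. The IANA-to-OpenSSL cipher name mapping is assumed; the host name is the one from the report.

```python
import datetime as dt
import socket
import ssl

# Suites from https://ipxe.org/crypto mapped to the OpenSSL names that Python's
# ssl module expects (mapping assumed from the OpenSSL cipher name table).
IPXE_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": "DHE-RSA-AES256-SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}

def ipxe_unixtime(hex_value):
    """Convert the hex value printed by iPXE's `show unixtime` to a UTC datetime."""
    return dt.datetime.fromtimestamp(int(hex_value, 16), tz=dt.timezone.utc)

def cert_valid_at(clock, peercert):
    """True if `clock` lies inside the notBefore/notAfter window of a getpeercert() dict."""
    t = clock.timestamp()
    return (ssl.cert_time_to_seconds(peercert["notBefore"]) <= t
            <= ssl.cert_time_to_seconds(peercert["notAfter"]))

def probe_suite(host, port, openssl_name, timeout=5.0):
    """Return (protocol, cipher, peercert) if the server accepts this one suite over
    TLS 1.2, else None. Pinning TLS 1.2 is the point: with TLS 1.3 allowed, the
    cipher restriction is bypassed and every suite looks 'Supported'."""
    ctx = ssl.create_default_context()          # verifies the chain, as iPXE does
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return None                             # local OpenSSL will not offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return proto, name, tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None

def probe_all(host, port=443):
    return {iana: probe_suite(host, port, ossl) for iana, ossl in IPXE_SUITES.items()}
```

Call `probe_all("netbootxyz-nginx.mydomain.net")` to get one result per iPXE suite; for any accepted suite, `cert_valid_at(ipxe_unixtime("0x65a43aa6"), result[2])` checks the certificate against the clock iPXE reported rather than the workstation's.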

@antonym commented on GitHub (Feb 19, 2024):

Try the latest rolling release, it should handle Let's Encrypt certs better:

https://twitter.com/ipxe/status/1758124717477593405
