iPXE support broken on apu4d4

I tried to install IPFire on an apu4d4 using iPXE as described here https://wiki.ipfire.org/installation/pxe or here https://pcengines.ch/howto.htm#OS_installation

In the end, it did not work (error message after issuing the “chain” command). My analysis (using tcpdump) showed the following:
The original http-URL issues a 301 and moves to https and lightningwirelabs (I cannot add the link because I am a new user).

As far as I tested, both (301 and https) are not supported by the iPXE delivered by PC-Engines.

Any other ideas on installation via iPXE?

Are you using a recent version of iPXE?

We should not use 301 to redirect or redirect to lightningwirelabs.com at all.

I am using the most recent BIOS version on the apu (https://pcengines.github.io) 4.11.0.5 - which does not answer your question about the integrated iPXE. I suppose an old version is shipped.

This does look like a 301 forward to me: :wink:

The other URL (from the PC-Engines site) does not work, because it redirects to https (which apparently is not supported or does require more configuration; I just checked their build, which seems to enable HTTPS in iPXE, and it did not work, while a test iPXE boot over HTTP did work).

So, I did some testing. It looks like this was broken for quite a while.

Everything was set up properly on our load-balancer, but it is more complicated for boot.ipfire.org than that. Some requests are going to the web application which generates the menu, etc.

Some other requests go to the main file server that is serving the ISO files and so on. That, however, decided to redirect rather than deliver those files.

We had to downgrade to HTTP instead of HTTPS because iPXE’s support for TLS is - let’s be nice, because I know it is hard - not reliable. Our infrastructure requires TLSv1.3 or TLSv1.2 with PFS enabled, elliptic curves and loads of other modern features that are simply not implemented in iPXE.

If you follow this, https://wiki.ipfire.org/installation/pxe, you will be able to boot into the installer.

I would suggest you install Core Update 143 and upgrade from there, because you might run into "Stuck trying to install ipfire 2.25 core 144 on PC Engine".

Thanks a lot, I hope you did not spend too much time on this.

If almost no one is using this mechanism maybe support could be dropped (although I find it quite elegant which is why I wanted to use it).

I already used a bootable usb stick to install Core Update 144 and waited a long time + pressed keys on the attached usb keyboard. This finally allowed me to generate enough “randomness” (without knowing) to get past the generating admin password screen and finish installation…

Actually I am using it myself every once in a while, but not on a daily basis.

Since it has been done now and is normally quite low maintenance, I would not really want to drop it right now. But in the future I might consider if it does not work reliably.