In the end, it did not work (error message after issuing the “chain” command). My analysis (using tcpdump) showed the following:
The original http-URL issues a 301 and moves to https and lightningwirelabs (I cannot add the link because I am a new user).
As far as I tested, both (301 and https) are not supported by the iPXE delivered by PC-Engines.
I am using the most recent BIOS version on the apu (https://pcengines.github.io) 4.11.0.5 - which does not answer your question about the integrated iPXE. I suppose an old version is shipped.
This does look like a 301 forward to me:
The other URL (from the PC-Engines site) does not work, because it redirects to https (which apparently is not supported or does require more configuration). I just checked their build, which seems to enable HTTPS in iPXE; it did not work (while a test iPXE boot over HTTP did work).
So, I did some testing. It looks like this was broken for quite a while.
Everything was set up properly on our load-balancer, but it is more complicated for boot.ipfire.org than that. Some requests are going to the web application which generates the menu, etc.
Some other requests go to the main file server that is serving the ISO files and so on. That, however, decided to redirect rather than deliver those files.
We had to downgrade to HTTP instead of HTTPS because iPXE’s support for TLS is - let’s be nice, because I know it is hard - not reliable. Our infrastructure requires TLSv1.3 or TLSv1.2 with PFS enabled, elliptic curves and loads of other modern features that are simply not implemented in iPXE.
Thanks a lot, I hope you did not spend too much time on this.
If almost no one is using this mechanism maybe support could be dropped (although I find it quite elegant which is why I wanted to use it).
I already used a bootable USB stick to install Core Update 144 and waited a long time + pressed keys on the attached USB keyboard. This finally allowed me to generate enough “randomness” (without knowing) to get past the generating admin password screen and finish installation…
Actually I am using it myself every once in a while, but not on a daily basis.
Since it has been done now and is normally quite low maintenance, I would not really want to drop it right now. But in the future I might consider if it does not work reliably.