No arguments provided to command install, default arguments will be used:
- PK: default
- KEK: default
- db: default
- dbx: latestDownloading https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt...error: unable to retrieve certificate from URL: https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt. Error message: HTTP Error 403: Forbidden.If the failure can't be fixed at the network configuration level, consider downloading the certificates manually and then loading one or more of them with secureboot-certs install <PK-filename>|default <KEK-filename>|default <db-filename>|default <dbx-filename>|latest. Check secureboot-certs install -h for usage details as well as a list of the download links used by secureboot-certs install.
I can validate that the URL is correct and even download the cert from another machine.
I also can verify the XCP-ng host has internet access and can resolve DNS.
@planedrop Ok, so it's a host lockup rather than a crash. That's a bit more irritating to debug.
First of all, can you update to the debug hypervisor. Adjust the /boot/xen.gz -> $foo symlink to use the version of Xen with the -d.gz suffix. This is the same hypervisor changeset but with assertions and extra verbosity enabled.
Also, can you append ,keep to Xen's vga= option on the command line. This should cause Xen to keep on writing out onto the screen even after dom0 has started up. Depending on the system, this might be a bit glacial, but dom0 will come up eventually.
Then reproduce the hang. Hopefully there'll be some output from Xen before the system locks up. You might also want to consider adding noreboot to Xen's command line too, especially if there's a backtrace and you want to take a photo of it to attach here.