I have done this, according to http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your own CA):
a) create a CA authority (ca.key and ca.crt)
b) make a certificate request (server.csr)
c) sign the certificate request (server.crt and server.key) with the new CA authority
d) change the server key so it does not ask for a passphrase.
Afterwards, the server.crt and server.key files are included in /usr/share/fred-client/ssl directory, and the fred-client configuration file is modified like this:
ssl_cert = %(dir)s/server.crt
ssl_key = %(dir)s/server.key
Now, if I try to run fred-client this is the result:
ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
Certificate not signed by verified certificate authority
What should I do for fred-client to identify these certificates as valid?
Thanks in advance.
Note: the new fred-client is perfectly compatible with FRED 2.2.
--
Mario Guerra <mguerra(a)nic.cr>
Hi,
CZ.NIC will host the next ICANN meeting in Prague on June 24-29 this year -
http://prague44.icann.org/ and http://www.icannprague.cz/
I had an idea to do a one-day workshop for FRED prior to this meeting on
Sunday 24 if there is some demand. Topics would cover:
- features, architecture, component description
- installation procedure
- basic configuration - adding zone, adding registrar,...
- place for questions.
The workshop would be in our offices where we have a small educational
room for 20 people. Please let me know if you would like to participate
in this activity, we have five weeks to arrange it.
Regards,
Jaromir
--
Jaromir Talir
technicky reditel / Chief Technical Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americka 23, 120 00 Praha 2, Czech Republic
mailto:jaromir.talir@nic.cz http://nic.cz/
sip:jaromir.talir@nic.cz tel:+420.222745107
mob:+420.739632712 fax:+420.222745112
-------------------------------------------
Anyone tried to install the 2.11!?
I am getting sql/epp_login.sql: No such file or directory on the fred-db* package
fred-db-2.11.0 # make
./orderedsql.sh > structure.sql
cat: ./sql/epp_login.sql: No such file or directory
Regards,
A
Following this thread:
1. I set up an account in cacert.org for having certificates emitted with them. Then I generated a couple of certificates, one for the EPP Apache module and one for the client (which means that both certificates are different, not the same situation described in the README file in /usr/share/fred-mod-eppd/ssl/README). Now, I notice both certificates are emitted by the very same CA, cacert.org in this case. They work perfectly. So I have some questions:
a) What happens if nic.cr has its own certificates with, say, cacert.org and the clients using fred-client generate certificates using the same CA, but with their own usernames? My guess is that it shouldn't be a problem, because the CA cert associated in the eppd module configuration is the same. That is, for the EPP module certificate nic.cr uses a cacert.org user like, say, "nicrcr" and the client connecting with nic.cr uses their own user, say, "client1".
b) What if nic.cr uses, say, cacert.org for the EPPD Apache module, but a client uses Certplus, Thawte or VeriSign for signing their fred-client certificates?
c) I have tried to use our own (test) CA following the procedure in http://www.tc.umn.edu/~brams006/selfsign.html, part 1B, but it does not work. I guess I have to include something and I'm not aware of it.
Thanks in advance.
--
Mario Guerra <mguerra(a)nic.cr>
Dear Jaromir,
I would like to be one of the FRED workshop participants.
Thank you. My name is below.
regards,
Ghislain NKERAMUGABA
.rw ccTLD Coordinator - RICTA
Email: cctldc(a)ricta.org.rw / ghislain.n(a)ricta.org.rw
Mob/Cell: +250-788470507
Website: www.ricta.org.rw
I've written this so you can properly use your own certificates in a FRED production environment, either using your own or an external CA.
http://www.blogger.com/blogger.g?blogID=4416341164567520466#editor/target=p…
Consider this a draft and feel free to comment about it.
Best regards.
--
Mario Guerra <mguerra(a)nic.cr>
Dear all,
I am having a problem installing fred. When I install fred-pyfred, it is
giving me an error saying that the popen2 is duplicated and I should
use the subprocess module.
I am confused and don't want to make more errors, can you help me?
Thank you
Hello everyone,
Probably this is the best place to ask, since WHMCS is being used by most small hosters today, does anyone know if there is some Module for WHMCS and FRED installations!?
Regards,
A
Hello guys
Bryton's right. But let's not forget about the registraracl table and the MD5
fingerprint of the certificate afterwards.
Some more details can be found in the excerpt I attach. They're not so
relevant in this case but they might be helpful to some folks in the
future. It's openssl and Ubuntu based.
Best
Piotr
On 21/05/12 18:32, bfocus(a)tznic.or.tz wrote:
>
> Mario,
>
> Have you tweaked epp file in apache by adding the new CA and the server
> cert and key?
>
> What I normally do is I use tinyca on a separate machine...
>
> I create a CA, create the server cert and key and finally the client cert and key.
>
> Once done I ship them to the server I want, then do a small change on the
> epp file in apache to reflect the ca and server cert/key
>
> Then I use client certs and key for fred-client.
>
> I have never tried to use the same server cert and key for the fred-client.
>
> Bryton.
>
>> I have done this, according to
>> http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your
>> own CA):
>>
>> a) create a CA authority (ca.key and ca.crt)
>> b) make a certificate request (server.csr)
>> c) sign the certificate request (server.crt and server.key) with the new
>> CA authority
>> d) change the server key so it does not ask for a passphrase.
>>
>> Afterwards, the server.crt and server.key files are included in
>> /usr/share/fred-client/ssl directory, and the fred-client configuration
>> file is modified like this:
>>
>> ssl_cert = %(dir)s/server.crt
>> ssl_key = %(dir)s/server.key
>>
>> Now, if I try to run fred-client this is the result:
>>
>> ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
>> Certificate not signed by verified certificate authority
>>
>> What should I do for fred-client to identify these certificates as valid?
>>
>> Thanks in advance.
>>
>> Note: the new fred-client is perfectly compatible with FRED 2.2.
>>
>>
>> --
>> Mario Guerra <mguerra(a)nic.cr>
>> _______________________________________________
>> fred-users mailing list
>> fred-users(a)lists.nic.cz
>> https://lists.nic.cz/cgi-bin/mailman/listinfo/fred-users
>>
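The checks this thread arrives at, as an added example that is not part of any message above: `unknown ca` in the error is a TLS alert received from the peer, so the certificate fred-client presents has to verify against the CA file the server side is configured with, and the MD5 fingerprint Piotr mentions can be read from that same certificate. All names (Test EPP CA, epp.example, client1, the temporary directory) are constructed; only standard openssl commands are used, and how FRED stores the fingerprint is not shown here.

```shell
#!/bin/sh
# Added example; every name here (Test EPP CA, epp.example, client1) is constructed.
set -e

# a) CA key and self-signed CA certificate. $1 = directory, $2 = CA common name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# b) + c) key, CSR and CA-signed certificate; -nodes leaves the key without a
# passphrase, which covers step d). $1 = directory, $2 = file base name, $3 = CN
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# Succeeds only if certificate $2 verifies against CA file $1. Run it with the
# CA file the peer is configured to trust, not merely the CA you signed with.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# MD5 fingerprint of certificate $1 as colon-separated hex
md5_fingerprint() {
    openssl x509 -noout -fingerprint -md5 -in "$1" | cut -d= -f2
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" "Test EPP CA"
    issue_cert "$d" server epp.example   # certificate for the EPP server side
    issue_cert "$d" client client1       # separate certificate for fred-client
    chains_to "$d/ca.crt" "$d/client.crt" && echo "client.crt chains to ca.crt"
    echo "client.crt MD5 fingerprint: $(md5_fingerprint "$d/client.crt")"
    rm -rf "$d"
}
demo
```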