I have done this, according to http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your own CA):
a) create a CA authority (ca.key and ca.crt)
b) make a certificate request (server.csr)
c) sign the certificate request (server.crt and server.key) with the new CA authority
d) change the server key so it does not ask for a passphrase.
Afterwards, the server.crt and server.key files are included in /usr/share/fred-client/ssl directory, and the fred-client configuration file is modified like this:
ssl_cert = %(dir)s/server.crt
ssl_key = %(dir)s/server.key
Now, if I try to run fred-client this is the result:
ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
Certificate not signed by verified certificate authority
What should I do for fred-client to identify these certificates as valid?
Thanks in advance.
Note: the new fred-client is perfectly compatible with FRED 2.2.
--
Mario Guerra <mguerra(a)nic.cr>
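Added example (not from the thread and not part of fred-client): the alert in the traceback, `tlsv1 alert unknown ca`, is one the registry sent back, so the far end could not chain the certificate it was shown to a CA it trusts. The script replays steps a) to d) with openssl, then verifies server.crt against ca.crt and against an unrelated CA, which is what the registry sees until ca.crt is installed in its trust store; subject names and the passphrase are placeholders.

```python
import os
import subprocess
import tempfile

def openssl(*args, cwd):
    """Run one openssl command in cwd; raises on a non-zero exit."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)

def make_chain(workdir, ca_subj="/CN=Example Registrar CA", srv_subj="/CN=fred-client"):
    """Steps a) to d) of the post; returns True if server.crt verifies against ca.crt."""
    # a) the CA: a self-signed certificate and its private key
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", "ca.key",
            "-out", "ca.crt", "-subj", ca_subj, "-days", "365", cwd=workdir)
    # b) a passphrase-protected server key (hence step d) and its certificate request
    openssl("req", "-newkey", "rsa:2048", "-passout", "pass:secret", "-keyout", "server.key",
            "-out", "server.csr", "-subj", srv_subj, cwd=workdir)
    # c) sign the request with the new CA
    openssl("x509", "-req", "-in", "server.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
            "-CAcreateserial", "-out", "server.crt", "-days", "365", cwd=workdir)
    # d) strip the passphrase so the client can load the key unattended
    openssl("rsa", "-in", "server.key", "-passin", "pass:secret",
            "-out", "server.nopass.key", cwd=workdir)
    os.replace(os.path.join(workdir, "server.nopass.key"), os.path.join(workdir, "server.key"))
    return verify("ca.crt", workdir)

def verify(ca_file, workdir):
    """What the far end does: chain server.crt to a CA in its trust store."""
    p = subprocess.run(["openssl", "verify", "-CAfile", ca_file, "server.crt"],
                       cwd=workdir, capture_output=True, text=True)
    return p.returncode == 0 and p.stdout.strip() == "server.crt: OK"

def demo():
    """Returns (trusted by own CA, trusted by an unrelated CA); the second case is
    the 'unknown ca' situation until ca.crt is known at the registry."""
    with tempfile.TemporaryDirectory() as d:
        own = make_chain(d)
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", "other.key",
                "-out", "other.crt", "-subj", "/CN=Unrelated CA", "-days", "365", cwd=d)
        return own, verify("other.crt", d)

if __name__ == "__main__":
    print(demo())
```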
Hello all,
How can I only extract the current expiry date of a domain?
Regards,
Timothy
----------------------------------------------------------
Malawi SDNP Webmail: http://www.sdnp.org.mw
Access your Malawi SDNP e-mail from anywhere in the world.
----------------------------------------------------------
Hi,
I'm successfully connecting to and able to login to FRED (demo) at TZNIC
- using the EPP Library that CentralNIC wrote (all PHP) - with some
modifications.
However - all "commands" after that seem to return the same (similar)
error message.
I've looked and copied examples from RFC5731...
As an example - the Info Command...
C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command>
C: <info>
C: <domain:info
C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C: <domain:name hosts="all">example.com</domain:name>
C: </domain:info>
C: </info>
C: <clTRID>ABC-12345</clTRID>
C: </command>
C:</epp>
So I actually send:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <info>
      <domain:info
        xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name hosts="all">dnssec.or.tz</domain:name>
      </domain:info>
    </info>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
and get back:
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd"><response><result code="2001"><msg>Command syntax error</msg><extValue><value><domain:info xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
<domain:name hosts="all">dnssec.or.tz</domain:name>
</domain:info></value><reason>Schemas validity error: Element '{urn:ietf:params:xml:ns:domain-1.0}info': No matching global element declaration available, but demanded by the strict wildcard.</reason></extValue></result><trID><svTRID>ReqID-0002778177</svTRID></trID></response></epp>
What seems to be common is "Schemas validity error: Element
'{urn:ietf:params:xml:ns:domain-1.0}info': No matching global element
declaration available, but demanded by the strict wildcard." and I have
no idea what that means.
What should I be sending then?
...and from a debugging perspective - getting the reply on more or less
one line is really hard to read for a Human. Yes - a Machine has no
problem. I wish there was a switch for "Human Readable XML" - all
neatly grouped and indented like in the RFC documents.
In case it's my login - it looks like this - except with User/Passwd XXXX'ed out:
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <login>
      <clID>REG-XXXXXXX</clID>
      <pw>XXXXXXXX</pw>
      <options>
        <version>1.0</version>
        <lang>en</lang>
      </options>
      <svcs>
        <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
        <svcExtension>
          <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
        </svcExtension>
      </svcs>
    </login>
  </command>
</epp>
Reply==>
<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd"><response><result code="1000"><msg>Command completed successfully</msg></result><trID><svTRID>ReqID-0002778173</svTRID></trID></response></epp>
Please note - the current EPP XML works for the COZA System, Cocca and Central-NIC.
--
Mark James ELKINS - Posix Systems - (South) Africa
mje(a)posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
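An added example, not code from the thread or from the CentralNIC library: it pulls out the fields a client should act on in a reply (result code, msg, the server's reason, svTRID), re-indents the one-line XML the way the post asks for, and builds the info command with the domain namespace as a parameter, since the quoted reason says the server's schema set has no `info` element in domain-1.0 and the objURIs a registry actually serves are listed in its greeting. SAMPLE_RESPONSE is constructed from the 2001 reply quoted above.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom
from xml.sax.saxutils import escape

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"

# Constructed from the 2001 reply quoted in the thread (xsi declarations trimmed).
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<epp xmlns="{EPP_NS}"><response><result code="2001">'
    '<msg>Command syntax error</msg><extValue><value>'
    f'<domain:info xmlns:domain="{DOMAIN_NS}">'
    '<domain:name hosts="all">dnssec.or.tz</domain:name></domain:info>'
    "</value><reason>Schemas validity error: Element "
    "'{urn:ietf:params:xml:ns:domain-1.0}info': No matching global element "
    "declaration available, but demanded by the strict wildcard.</reason>"
    "</extValue></result><trID><svTRID>ReqID-0002778177</svTRID></trID>"
    "</response></epp>"
)

def parse_result(xml_text):
    """Pull code, msg, the server's <reason> (if any) and svTRID out of a response."""
    ns = {"epp": EPP_NS}
    root = ET.fromstring(xml_text)
    result = root.find("epp:response/epp:result", ns)
    reason = result.find("epp:extValue/epp:reason", ns)
    code = result.get("code")
    return {
        "code": int(code),
        "ok": code.startswith("1"),   # RFC 5730: 1xxx is success, 2xxx is an error
        "msg": result.findtext("epp:msg", namespaces=ns),
        "reason": None if reason is None else reason.text,
        "svTRID": root.findtext("epp:response/epp:trID/epp:svTRID", namespaces=ns),
    }

def pretty(xml_text):
    """The 'Human Readable XML' switch: re-indent a one-line reply."""
    return minidom.parseString(xml_text).toprettyxml(indent="  ")

def build_domain_info(name, domain_ns=DOMAIN_NS, cltrid="ABC-12345"):
    """<domain:info> as in RFC 5731; domain_ns is a parameter so it can be set to
    the objURI the registry advertises in its <greeting>. Values are XML-escaped."""
    xml = (f'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
           f'<epp xmlns="{EPP_NS}"><command><info>'
           f'<domain:info xmlns:domain="{domain_ns}">'
           f'<domain:name hosts="all">{escape(name)}</domain:name></domain:info>'
           f'</info><clTRID>{escape(cltrid)}</clTRID></command></epp>')
    ET.fromstring(xml)   # raises if the message is not well-formed
    return xml
```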
I'd like to have my own client written in PHP talk to FRED.
I was given separate CRT and KEY files by TZNIC. I've combined this
into a single PEM file with:
cat posix.key posix.crt > /tmp/tznic.pem
I can then successfully get the "Welcome" XML from FRED at TZNIC with:
openssl s_client -connect fred.tznic.or.tz:700 -cert /tmp/tznic.pem
This shows as a self-signed certificate (as expected).
(verify error:num=18:self signed certificate)
The combining of the crt and key is because php seems to want a combined
PEM certificate...
Then - I try connecting with a VERY stripped down PHP script....
(attached)...
The core of which is:
<?php
// registry host, EPP port and the combined key+cert PEM (see the cat above)
$ip   = "fred.tznic.or.tz";
$port = 700;
$cert = "/tmp/tznic.pem";

$context = stream_context_create();
// client certificate presented during the TLS handshake
stream_context_set_option($context, 'ssl', 'local_cert', $cert);
// server certificate checks switched off (self-signed server cert); note that
// 'verify_host' is not a PHP SSL option, the real one is 'verify_peer_name' (PHP >= 5.6)
stream_context_set_option($context, 'ssl', 'verify_peer', false);
stream_context_set_option($context, 'ssl', 'verify_peer_name', false);
stream_context_set_option($context, 'ssl', 'allow_self_signed', true);

$fp = stream_socket_client("tls://$ip:$port", $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $context);
if (!$fp) {
    echo "CONNECT ERROR: $errstr ($errno)\n";
} else {
    // read the packet: EPP over TCP (RFC 5734) prefixes every message with a
    // 4-byte big-endian length that counts the header itself
    $len = unpack('N', fread($fp, 4))[1] - 4;
    $greeting = '';
    while (strlen($greeting) < $len && !feof($fp)) {
        $greeting .= fread($fp, $len - strlen($greeting));
    }
    echo $greeting, "\n";
    fclose($fp);
}
The "stream_socket_client" simply times out.
What am I doing wrong?
Almost the same code works for (i.e. changing machines, ports and certs):
Central-NIC
ZACR/CO.ZA
CoCCA
The FRED test system at TZNIC is running certificate validation - I'm
assuming it's got something to do with that?
I'm using a variety of different PHP versions, e.g.
PHP 5.5.18-pl0-gentoo (cli) (built: Nov 10 2014 22:20:27)
PHP 5.5.21-pl0-gentoo (cli) (built: Feb 6 2015 16:46:22)
PHP 5.4.34-pl0-gentoo (cli) (built: Nov 3 2014 11:10:23)
All do the same thing - timeout.
Is anyone using a PHP based client? That would be the start of a
WHMCS plugin for C-Panel (etc).
--
Mark James ELKINS - Posix Systems - (South) Africa
mje(a)posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
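An added example, not the PHP script from the post: the same connection in Python with the stdlib ssl module, reading the greeting with RFC 5734 framing (4-byte length prefix, header included) and keeping server verification on against a CA file rather than setting verify_peer to false. Host, port and certificate file names come from the post; CA_FILE is an assumed name for the registry's CA certificate (or its self-signed server certificate) obtained out of band.

```python
import socket, ssl, struct

HOST, PORT = "fred.tznic.or.tz", 700   # from the thread
CERT, KEY = "posix.crt", "posix.key"   # the separate files TZNIC issued (no cat needed)
CA_FILE = "tznic-server-ca.pem"        # ASSUMED name: the registry's CA (or its self-signed
                                       # server cert) obtained out of band, used as trust anchor

def frame(xml_bytes):
    """RFC 5734 framing: 4-byte big-endian total length (header included) + XML."""
    return struct.pack(">I", len(xml_bytes) + 4) + xml_bytes

def unframe(buf):
    """Split one complete frame off buf; returns (xml, remainder) or (None, buf)."""
    if len(buf) < 4:
        return None, buf
    total = struct.unpack(">I", buf[:4])[0]
    if total < 4:
        raise ValueError("bad EPP frame length %d" % total)
    if len(buf) < total:
        return None, buf
    return buf[4:total], buf[total:]

def read_frame(sock, limit=1 << 20):
    """Read exactly one EPP message from a connected socket."""
    buf = b""
    while True:
        xml, _ = unframe(buf)
        if xml is not None:
            return xml
        if len(buf) > limit:
            raise ValueError("EPP frame larger than limit")
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before a full frame arrived")
        buf += chunk

def connect(host=HOST, port=PORT, timeout=20):
    """TLS with our client certificate; the server is verified against CA_FILE
    and its name checked, instead of verify_peer=false as in the PHP snippet."""
    ctx = ssl.create_default_context(cafile=CA_FILE)
    ctx.load_cert_chain(CERT, KEY)
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    return tls, read_frame(tls)   # the server speaks first: the <greeting>

if __name__ == "__main__":
    tls, greeting = connect()
    print(greeting.decode("utf-8"))
    tls.close()
```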
Hello All,
I want registrar X to register a domain in a certain zone (i.e. mw).
How can I grant permission to registrar X to add a domain to such a zone?
Regards,
Timothy