I have done this, according to http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your own CA):
a) create a CA authority (ca.key and ca.crt)
b) make a certificate request (server.csr)
c) sign the certificate request (server.crt and server.key) with the new CA authority
d) change the server key so it does not ask for a passphrase.
Afterwards, the server.crt and server.key files are included in the /usr/share/fred-client/ssl directory, and the fred-client configuration file is modified like this:
ssl_cert = %(dir)s/server.crt
ssl_key = %(dir)s/server.key
Now, if I try to run fred-client this is the result:
ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
Certificate not signed by verified certificate authority
What should I do for fred-client to identify these certificates as valid?
Thanks in advance.
Note: the new fred-client is perfectly compatible with FRED 2.2.
--
Mario Guerra <mguerra(a)nic.cr>
Jaromir,
Just one or two more clarifications on FRED:
1. Is there a default maximum number of years (or months) for renewing a domain?
I see that in .cz this is required to be 10 years - is this burned into FRED or can it be modified?
See: https://www.nic.cz/files/nic/doc/Registration_rules_CZ.pdf
Regards,
Paulos
======================
Dr Paulos B Nyirenda
NIC.MW & .mw ccTLD
http://www.registrar.mw
1. The update_domain source includes the keyset field, which is correct:
-----
self.epp.update_domain(get_domain.id.id.name, add_admin=None, rem_admin=None,
    chg={'nsset': None, 'keyset': keyset_id, 'registrant': None, 'auth_info': None},
    val_ex_date=None, cltrid=None)
-----
But the documentation does not. Checking
https://fred.nic.cz/files/fred/fred.txt, we have this fragment
-----
update_domain(self, name, add_admin=None, rem_admin=None, chg=None, val_ex_date=None, cltrid=None)
DESCRIPTION:
  The EPP 'update_domain' command is used to update values in the domain.
SYNTAX:
  update_domain name [other_options]
OPTIONS:
  name (required)  Domain name
  add_admin        Administrative contact ID (unbounded list)
  rem_admin        Administrative contact ID (unbounded list)
  chg              Change values
    nsset          NSSET ID
    registrant     Registrant ID
    auth_info      Password required by server to authorize the transfer
  val_ex_date      Validation expires at
  cltrid           Client transaction ID
-----
2. The DS generated from the DNSKEY included in keysets only includes
algorithm 1 (SHA1) but not 2 (SHA256).
Best.
Mario
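
For point 2 above, an added example (not part of the original message and not FRED's own code) that derives the DS fields from one DNSKEY for both digest type 1 (SHA-1, RFC 4034) and digest type 2 (SHA-256, RFC 4509). The owner name and the 4-byte public key are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    header = struct.pack("!HBB", flags, protocol, algorithm)
    return header + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    hasher = DIGESTS[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


if __name__ == "__main__":
    # Constructed sample: flags 257 (KSK), protocol 3, algorithm 8,
    # public key "AQIDBA==" (the dummy bytes 01 02 03 04).
    sample = ("example.cr.", 257, 3, 8, "AQIDBA==")
    for dtype in sorted(DIGESTS):
        tag, alg, dt, digest = make_ds(*sample, digest_type=dtype)
        print("%s IN DS %d %d %d %s" % (sample[0], tag, alg, dt, digest))
```

Both DS records share the same key tag and algorithm; only the digest type field and the digest itself differ, so a registry can publish the SHA-256 record alongside the SHA-1 one for the same key.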