I have done this, according to http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your own CA):
a) create a CA authority (ca.key and ca.crt)
b) make a certificate request (server.csr)
c) sign the certificate request (server.crt and server.key) with the new CA authority
d) change the server key so it does not ask for a passphrase.
Afterwards, the server.crt and server.key files are included in /usr/share/fred-client/ssl directory, and the fred-client configuration file is modified like this:
ssl_cert = %(dir)s/server.crt
ssl_key = %(dir)s/server.key
Now, if I try to run fred-client this is the result:
ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (184.108.40.206:700)
Certificate not signed by verified certificate authority
What should I do for fred-client to identify these certificates as valid?.
Thanks in advance.
Note: the new fred-client is perfectly compatible with FRED 2.2.
Mario Guerra <mguerra(a)nic.cr>
in addition to new FRED release, we have also released a new website at
https://fred.nic.cz and completely new documentation system.
Documentation url is https://fred.nic.cz/documentation. I feel
importance of this deserves to use separate email for announcement. New
documentation is searchable and it contains many new graphical schemas
important to understand FRED architecture and processes. Source code of
this documentation in reStructuredText format is available on github
https://github.com/CZ-NIC/fred-docs. This means that you are more then
welcomed to submit comments or preferably pull requests for things that
you think they are missing in documentation. Please, check
documentation and let us know what you think about this.
we have published FRED version 2.29. During several previous releases
we have rewritten almost all code responsible for EPP communication
with registrars. This refactoring was necessery for implementation of
new features in the future. Here is a compilation of some significant
- support for more operating systems. For the first time we provide
also packages for latest RHEL/Centos version 7. Since Ubuntu 12.04 will
lost its long term support in April, we will not provide packages for
this version anymore. Preffered version of Ubuntu is 16.04. We use
Ubuntu 16.04 in production for some time without any issues. This also
means that Ubuntu 16.04 is most tested platform. In other platforms we
only run limited set of automated tests so registries are required to
do more indepth tests themselves.
- configurable domain name format checking. Checking of validity of
domain name is configurable per zone via linking to set of
preconfigured checkers in database table
- new idn support configuration. There used to be allow_idn option in
server configuration file that meant that regular registrars are able
to register domains in xn-- format (idn domains) in all zones. In
current version it is possible to configure idn support per zone via
mechanism mentioned earlier. Support for idn is just another
- configurable dnssec algorithm checking. Until now, there was no
checking of dnssec algorithm number used in EPP create_keyset or
update_keyset EPP commands. If registries would like to limit this
check only for some algorithms, they can do that via modification of
database tables dnssec_algorithm and dnssec_algorithm_blacklist.
- configurable limit of minimal number of nameservers in nsset. Until
now, there was hardcoded requirement to have at least 2 nameservers and
maximum 10 nameservers in nsset. Since this was limitation for some
registries that wanted to use FRED, we moved this limit into
configuration option nsset_min_hosts and nsset_max_hosts in server
- asynchronous notification about EPP events. Notifications for domain
state change has always been generated asynchronously via fred-admin
commands, but notifications about EPP events done by registrars were
created as part of EPP operation. To speed up system a little bit and
to be able to continue EPP operation even when notification system is
down, we made also notification about EPP events asynchronnous. So
don't forget to add into cron system command 'fred-admin --
notify_email_objects_events' in intervals of your preference if you
want to keep sending notifications.