I have done this, according to http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your own CA):
a) create a CA authority (ca.key and ca.crt)
b) make a certificate request (server.csr)
c) sign the certificate request (server.crt and server.key) with the new CA authority
d) change the server key so it does not ask for a passphrase.
Afterwards, the server.crt and server.key files are placed in the /usr/share/fred-client/ssl directory, and the fred-client configuration file is modified like this:
ssl_cert = %(dir)s/server.crt
ssl_key = %(dir)s/server.key
Now, if I try to run fred-client this is the result:
ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
Certificate not signed by verified certificate authority
What should I do for fred-client to identify these certificates as valid?
Thanks in advance.
Note: the new fred-client is perfectly compatible with FRED 2.2.
--
Mario Guerra <mguerra(a)nic.cr>
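An added example (editor's own, not code from the post or from the fred-client project) that redoes steps a) to d) above with openssl and then runs the check the other side performs. The alert in the error line is received from the peer (fred-client reads it, hence SSL3_READ_BYTES) and "unknown ca" means the peer could not build a chain from the certificate it was shown to any CA it trusts; a CA generated locally is unknown to the registry server until the server side has been given ca.crt. File names follow the post (server.crt and server.key are the client's identity); the scratch directory, subjects, key sizes and the throw-away passphrase are assumptions.

```shell
#!/bin/sh
# Added example (editor's own, not fred-client or FRED code): reproduce steps
# a) to d) of the post in a scratch directory, then run the check that decides
# whether a peer accepts the client certificate: openssl verify against the CA
# list that peer trusts. Directory, subjects, key sizes and the temporary
# passphrase are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# a) to d): own CA, CSR, CA-signed certificate, key without passphrase.
make_ca_and_client_cert() {
    dir="$1"
    # a) CA key and self-signed CA certificate (ca.key, ca.crt)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Registrar CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # b) passphrase-protected key and certificate request (server.csr)
    openssl genrsa -aes256 -passout pass:tempsecret \
        -out "$dir/server.key.enc" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key.enc" -passin pass:tempsecret \
        -subj "/CN=example-registrar" -out "$dir/server.csr" 2>/dev/null
    # c) sign the request with the new CA (server.crt)
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/server.crt" 2>/dev/null
    # d) strip the passphrase so the client can load the key unattended (server.key)
    openssl rsa -in "$dir/server.key.enc" -passin pass:tempsecret \
        -out "$dir/server.key" 2>/dev/null
    rm -f "$dir/server.key.enc"
}

# Stand-in for the CA list on the other side (the registry server), which does
# not contain the home-made CA.
make_unrelated_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated CA" \
        -keyout "$1/other-ca.key" -out "$1/other-ca.crt" 2>/dev/null
}

# Returns 0 when cert chains to a CA in ca_file. This is the check a peer runs
# before accepting a client certificate; a failure here is what the peer
# reports back as the TLS alert "unknown ca".
chains_to_ca() {
    ca_file="$1"; cert="$2"
    openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# Returns 0 when the private key and the certificate carry the same public key.
key_matches_cert() {
    key="$1"; cert="$2"
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]
}

make_ca_and_client_cert "$WORKDIR"
make_unrelated_ca "$WORKDIR"
if key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt"; then
    echo "server.key matches server.crt"
fi
if chains_to_ca "$WORKDIR/ca.crt" "$WORKDIR/server.crt"; then
    echo "against ca.crt:       chain OK (a peer that trusts ca.crt accepts it)"
fi
if ! chains_to_ca "$WORKDIR/other-ca.crt" "$WORKDIR/server.crt"; then
    echo "against other-ca.crt: verify fails (a peer trusting only this CA answers 'unknown ca')"
fi
```

The second verify is the one that matters for the error above: run it with the CA bundle the registry actually trusts, and if it fails there the server will keep rejecting the certificate no matter how the client is configured.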
One of our registrars is facing a problem making an EPP connection to our .mw registry
running FRED.
The connection sometimes succeeds and sometimes it fails with "ERROR: socket.sslerror:
_ssl.c:477", in an on-and-off pattern that seems rather random; we cannot tell
when it will fail or succeed.
After many observations, I requested the registrar to install fred-client so that I can also test
the connection from their end.
Sessions look like the ones copied here below, where one session was successful in connecting
and the other one failed.
I have looked at this in detail and I need help to check what is really going on. I have now
done a TCPDUMP of these connections and the results are attached here, one for a
successful connection and one for a failed connection.
You will see that in the failed connection TCPDUMP shows that the fred-client on
88.208.201.35 was talking to the FRED server on 196.45.190.7 but the fred-client appears to
stop listening even though the FRED server makes a few more attempts to the fred-client.
The registrar is experiencing the same for their own client, it sometimes connects
successfully and sometimes fails with no predictable pattern.
My logs, including those on DAPHNE, show that most other registrars are connecting OK with
no such problems.
Can you help check what the problem could be with this one registrar? Is there another log
that I can check to see what exactly is causing these connections to fail?
Regards,
Paulos
======================
Dr Paulos B Nyirenda
NIC.MW & .mw ccTLD
http://www.registrar.mw
[######## successful connection #############]
paulos@ndovu [~/fred-client-2.8.0]# ./fred-client
Czech translation not available
FredClient PACKAGE_VERSION
Type "help", "license" or "credits" for more information.
Using configuration from conf/fred-client.conf
Connecting to ngoli.sdnp.org.mw, port 700 ...
Connected!
AFRIREGISTER-REG(a)ngoli.sdnp.org.mw> quit
Logout command sent to server
Ending session at ngoli.sdnp.org.mw
Disconnected.
[######## failed connection #############]
paulos@ndovu [~/fred-client-2.8.0]# ./fred-client
Czech translation not available
FredClient PACKAGE_VERSION
Type "help", "license" or "credits" for more information.
Using configuration from conf/fred-client.conf
Connecting to ngoli.sdnp.org.mw, port 700 ...
ERROR: socket.sslerror: _ssl.c:477: The handshake operation timed out
(ngoli.sdnp.org.mw:700)
paulos@ndovu [~/fred-client-2.8.0]#
---- File information -----------
File: afriregister-reg-tcpdump-ok-and-failed-EPP-connection-25-7-18.txt
Date: 25 Jul 2018, 15:09
Size: 8110 bytes.
Type: Text
Good morning,
I have a new registrar that is trying to use Java for EPP connections to our .mw FRED server
and they are having a problem with how to use SSL private keys and SSL certificates in their
Java EPP client.
They want to import the SSL private key and digital certificate into their Java EPP client.
The e-mail address of the registrar is domain(a)idcicp.com and their Skype ID is slowturtlej.
As of now they are trying something like the following (the PKCS#12 file written by the first command is the one read by the second):
openssl pkcs12 -export -clcerts -in topnets.cert.pem -inkey topnets.key.pem -out clientuser.p12
keytool -importkeystore -srckeystore clientuser.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore ServerKeystore.jks
Let me know if you can help and please, if you can, also communicate with them directly at the
above address and Skype ID.
Regards,
Paulos
======================
Dr Paulos B Nyirenda
NIC.MW & .mw ccTLD
http://www.registrar.mw
------- End of forwarded message -------
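An added example (editor's own, not the registrar's or the FRED project's code) that builds the PKCS#12 bundle with the same openssl command as above, checks it with openssl before it goes anywhere near Java, and then runs the keytool conversion only where a JDK is present. The bundle is the client's identity (private key plus certificate) and belongs in the Java key store; the registry's CA certificate belongs in the trust store, not in this file. The real key and certificate are replaced by a self-signed stand-in so the script runs offline; the scratch directory, entry alias and passwords are assumptions.

```shell
#!/bin/sh
# Added example (editor's own, not the registrar's or FRED code): package a PEM
# key and certificate as PKCS#12, verify the bundle with openssl, then convert
# it with keytool if a JDK is installed. File names follow the message; the
# scratch directory, alias, passwords and the self-signed stand-in pair are
# assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"   # assumed; use a real secret in practice

# Stand-in for the registrar's real key pair and certificate. Self-signed here
# only so the example runs offline; the real certificate would be the one the
# registry accepts.
make_stand_in_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=topnets" \
        -keyout "$1/topnets.key.pem" -out "$1/topnets.cert.pem" 2>/dev/null
}

# The message's export command, plus an alias (-name) for the Java entry and a
# non-interactive password. Add -certfile ca.pem if intermediates must travel
# with the client certificate.
export_pkcs12() {
    openssl pkcs12 -export -clcerts \
        -in "$1/topnets.cert.pem" -inkey "$1/topnets.key.pem" \
        -name epp-client -passout "pass:$P12PASS" \
        -out "$1/clientuser.p12"
}

# Returns 0 when the bundle opens with the password and contains exactly one
# private key and one certificate; this is what keytool will see.
pkcs12_is_complete() {
    info=$(openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nodes 2>/dev/null || true)
    keys=$(printf '%s\n' "$info" | grep -c 'BEGIN .*PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$info" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}

# The message's keytool step, run non-interactively. Skipped when no JDK is
# present so the openssl part of the example still runs on its own.
convert_to_jks() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping JKS conversion"
        return 0
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$1/clientuser.p12" -srcstoretype PKCS12 -srcstorepass "$P12PASS" \
        -destkeystore "$1/client-keystore.jks" -deststoretype JKS -deststorepass "$P12PASS"
    keytool -list -keystore "$1/client-keystore.jks" -storepass "$P12PASS"
}

make_stand_in_pair "$WORKDIR"
export_pkcs12 "$WORKDIR"
if pkcs12_is_complete "$WORKDIR/clientuser.p12"; then
    echo "clientuser.p12 holds one private key and one certificate"
fi
convert_to_jks "$WORKDIR"
```

Two caveats a practitioner should know: since Java 9 keytool warns that JKS is a proprietary format and recommends PKCS#12, and a Java client can load clientuser.p12 directly (javax.net.ssl.keyStore pointing at it with javax.net.ssl.keyStoreType=PKCS12), so the JKS conversion is optional. OpenSSL 3 encrypts the bundle with AES and PBKDF2 by default; if an older JDK refuses to open it, the -legacy option of openssl pkcs12 produces the older RC2/3DES encoding.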