Hi Mario,
sorry for my late answer. In our Ubuntu package repository we have the
package fred-server separated into four packages (fred-common,
fred-rifd, fred-pifd, fred-adifd). All these binary packages are built
from the fred-server source package. Those fred-*ifd packages contain
servers for the registrar interface, public interface and administration
interface. We separated them just because of the different importance of these;
for example, we upgrade and restart the administration interface very often,
and on the contrary the registrar interface must be restarted only when we
inform registrars. This is just our policy.
From your email it looks like you forgot to sign your eppclient.pem
certificate with the Ubuntu CA certificate. A client certificate cannot be
self-signed (of course except in the situation when the same certificate is
configured as the CA certificate).
Hope it will help.
Regards,
Jaromir
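The rule Jaromir states above (the client certificate must chain to whatever mod_ssl has in SSLCACertificateFile, and a self-signed one only passes if that very certificate is the configured CA) is easy to check offline before touching Apache. The script below is an added example, not code from the FRED project or from anyone in this thread: it builds a throwaway private CA, issues a CA-signed server certificate for mod_eppd and a CA-signed client certificate for fred-client, also produces a self-signed client certificate like the one in the thread, and then runs `openssl verify` against each the same way mod_ssl's `SSLVerifyClient require` would. The subject names, file names and the temporary directory are assumptions for the demo; `openssl verify` is used here as a stand-in for the server's verification, not as the server itself.

```shell
#!/bin/sh
# Added example (not FRED project code): private CA + CA-signed server and
# client certs, checked against the CA the way mod_ssl would check them.
# Subject names, file names and the working directory are assumptions.
set -eu

# Build the whole PKI into directory $1:
#   ca.pem / ca.key            the private CA (the only self-signed cert we trust)
#   eppd.crt / eppd.key        server cert for the mod_eppd <VirtualHost>
#   eppclient.crt / .key /.pem client cert for fred-client (pem = key + cert)
#   selfsigned.pem             a self-signed client cert, as in the thread
make_pki() {
    dir=$1
    # 1. CA: self-signed root, long lived. Nothing else gets -signkey/-x509.
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=Example EPP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Server: key + CSR, then sign the CSR with the CA (not with -signkey).
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=epp.example.test" \
        -keyout "$dir/eppd.key" -out "$dir/eppd.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/eppd.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/eppd.crt" 2>/dev/null
    # 3. Client: same procedure, same CA. SSLVerifyDepth 1 is enough because
    #    the client cert is issued directly by the CA.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=REG-FRED_A" \
        -keyout "$dir/eppclient.key" -out "$dir/eppclient.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/eppclient.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/eppclient.crt" 2>/dev/null
    # fred-client.conf points ssl_cert and ssl_key at one file, so bundle them.
    cat "$dir/eppclient.key" "$dir/eppclient.crt" > "$dir/eppclient.pem"
    chmod 600 "$dir"/*.key "$dir/eppclient.pem"
    # 4. For comparison: the self-signed client cert from the thread.
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=selfsigned-client" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" 2>/dev/null
}

# Verify certificate $2 against CA bundle $1 (what SSLCACertificateFile is).
# Returns 0 when the chain is valid, non-zero otherwise.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: one verdict per certificate, then the matching directives.
demo() {
    dir=$(mktemp -d)
    make_pki "$dir"
    for c in eppd.crt eppclient.crt selfsigned.pem; do
        if verify_against "$dir/ca.pem" "$dir/$c"; then
            echo "$c: accepted against ca.pem"
        else
            echo "$c: REJECTED against ca.pem (not issued by that CA)"
        fi
    done
    # The exception from the reply: a self-signed cert verifies only when it
    # is itself the configured CA file.
    if verify_against "$dir/selfsigned.pem" "$dir/selfsigned.pem"; then
        echo "selfsigned.pem: accepted only when it is also the CA file"
    fi
    echo "Apache:  SSLCertificateFile $dir/eppd.crt"
    echo "         SSLCertificateKeyFile $dir/eppd.key"
    echo "         SSLCACertificateFile $dir/ca.pem"
    echo "client:  ssl_cert = ssl_key = $dir/eppclient.pem"
}
demo
```

Run it as `sh mkpki.sh`; eppd.crt and eppclient.crt verify, selfsigned.pem is rejected, and selfsigned.pem verifies only when it is passed as its own CA file. Whatever you put in `SSLCACertificateFile` is the trust store for client certificates, so a system bundle such as /etc/ssl/certs/ca.pem will never accept a locally generated client certificate unless that bundle actually contains the issuing CA.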
On Wed, 2008-09-24 at 12:03 -0600, Mario Guerra wrote:
 Jaromir and all:
 Thanks. I've tested the Live CD with the 01/01/2008 date. It works
 perfectly. The net effect is that it creates zones so easily and, at the
 same time, stores the administrative data in a database using EPP.
 Moreover it keeps it simple.
 The disk installation:
 In our case my approach has been installing the Ubuntu hardy (8.04)
 .deb packages, fred-*.deb, which install some dependencies too. I see
 that there are no .deb for fred-server (including the Python parts), so
 I installed these by hand (in /usr/local). Is that correct? What
 about generating .deb packages for these, too?
 For installing the certificates I do this:
 1. I use the CA included in the ca-certificates Debian package which, in
 my opinion, is adequate (I don't have to generate a CA certificate myself).
 2. For the mod-eppd Apache module, I generate the self-signed
 certificates using the usual procedures for generating them for
 encrypted HTML:
 openssl genrsa -des3 -out eppd.key 4096
 openssl req -new -key eppd.key -out eppd.csr
 openssl x509 -req -days 3650 -in eppd.csr -signkey eppd.key -out eppd.crt
 openssl rsa -in eppd.key -out eppd.key.insecure
 mv eppd.key eppd.key.secure;mv eppd.key.insecure eppd.key
 chmod 600 *.key
 /etc/init.d/apache2 force-reload
 3. For the fred-client certificate configuration I rather use a method I
 prefer, say, for Dovecot SSL configuration:
 openssl req -new -x509 -nodes -out eppclient.pem -keyout eppclient.pem
 4. After generating both certificates I first configure the mod-eppd
 virtualhost:
 Listen *:700
 <VirtualHost *:700>
   CorbaEnable           On
   CorbaNameservice      "localhost"
   CorbaObject           "EPP"   "EPP_alias"
   EPPprotocol           On
   EPPObject             "EPP_alias"
   EPPschema             "/usr/share/fred-mod-eppd/schemas/all-1.4.xsd"
   EPPservername         "CR.NIC's EPP server"
   EPPlog                "/var/log/apache2/eppd.log"
   EPPloglevel           error
   EPPvalidResponse      Off
   SSLEngine             off
   SSLCipherSuite        ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLVerifyClient       require
   SSLCertificateFile    /etc/ssl/fred/eppd.crt
   SSLCertificateKeyFile /etc/ssl/fred/eppd.key
   SSLCACertificateFile  /etc/ssl/certs/ca.pem
   SSLVerifyDepth        1
 </VirtualHost>
 Notice the /etc/ssl/certs/ca.pem CA certificate, which is the standard
 Ubuntu CA certificate. This should be adequate, because it expires much
 later.
 5. /etc/init.d/apache2 force-reload
 6. For the epp-client configuration file I have this in
 /usr/local/etc/fred/fred-client.conf:
 [connect]
 ;; dir=/usr/local/share/fred-client/ssl
 host = localhost
 port = 700
 ssl_cert = /etc/ssl/fred/eppclient.pem
 ssl_key  = /etc/ssl/fred/eppclient.pem
 username = REG-FRED_A
 password = passwd
 username2 = REG-FRED_B
 password2 = passwd
 etc.....
 7. When I run fred-client I get this:
 root@mguerra:/etc/fred# fred-client
 FredClient 1.6.1
 Type "help", "license" or "credits" for more information.
 Using configuration from /usr/local/etc/fred/fred-client.conf
 Connecting to localhost, port 700 ...
 ERROR: socket.sslerror: (1, 'error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol') (localhost:700)
 Certificate not signed by verified certificate authority.
 The date gives this:
 mié sep 24 11:33:57 CST 2008 (mié means Wednesday).
 What can be the reason for this? Should I use another CA certificate? Or
 perhaps I should use a certificate in ~/fredclient.pem?
 Thank you in advance.
 Mario
 _______________________________________________
 Fred-users mailing list
 Fred-users(a)lists.nic.cz
 https://lists.nic.cz/mailman/listinfo/fred-users