Following this thread:
1. I set up an account at cacert.org to have certificates issued by them. Then I generated a couple of certificates, one for the EPP Apache module and one for the client (which means that the two certificates are different, not the same situation described in the README file in /usr/share/fred-mod-eppd/ssl/README). Now, I notice both certificates are issued by the very same CA, cacert.org in this case. They work perfectly. So I have some questions:
a) What happens if nic.cr has its own certificates with, say, cacert.org and the clients using fred-client generate certificates using the same CA, but with their own usernames? My guess is that it shouldn't be a problem, because the CA cert associated in the eppd module configuration is the same. That is, for the EPP module certificate nic.cr uses a cacert.org user like, say, "nicrcr", and the client connecting to nic.cr uses its own user, say, "client1".
b) What if nic.cr uses, say, cacert.org for the EPPD Apache module, but a client uses Certplus, Thawte or Verisign for signing their fred-client certificates?
c) I have tried to use our own (test) CA following the procedure in http://www.tc.umn.edu/~brams006/selfsign.html, part 1B, but it does not work. I guess I have to include something that I'm not aware of.
Thanks in advance.
--
Mario Guerra <mguerra(a)nic.cr>
Dear Jaromir,
I would like to be part of the FRED workshop participant.
Thank you. My name is below.
regards,
Ghislain NKERAMUGABA
.rw ccTLD Coordinator - RICTA
Email: cctldc(a)ricta.org.rw / ghislain.n(a)ricta.org.rw
Mob/Cell: +250-788470507
Website: www.ricta.org.rw
I've written this so you can properly use your own certificates in a FRED production environment, either using your own or an external CA.
http://www.blogger.com/blogger.g?blogID=4416341164567520466#editor/target=p…
Consider this a draft and feel free to comment about it.
Best regards.
--
Mario Guerra <mguerra(a)nic.cr>
Dear all,
I am having a problem installing fred: when I install fred-pyfred, it gives me an error saying that popen2 is duplicated and I should use the subprocess module.
I am confused and don't want to make more errors; can you help me?
Thank you
Hello everyone,
Probably this is the best place to ask, since WHMCS is used by most small hosters today: does anyone know if there is some module for WHMCS and FRED installations?
Regards,
A
Hello guys
Bryton's right. But let's not forget about registraracl table and MD5
fingerprint of the certificate after.
Some more details can be found in the excerpt I attach. They're not so
relevant in this case but they might be helpful to some folks in the
future. It's openssl and Ubuntu based.
Best
Piotr
On 21/05/12 18:32, bfocus(a)tznic.or.tz wrote:
>
> Mario,
>
> Have you tweaked the epp file in apache by adding the new CA and the server
> cert and key?
>
> What I normally do is I use tinyca on a separate machine...
>
> I create a CA, create a server cert and key and finally the client cert and key.
>
> Once done I ship them to the server I want, then do a small change on the
> epp file in apache to reflect the ca and server cert/key
>
> Then I use client certs and key for fred-client.
>
> I have never tried to use the same server cert and key for the fred-client.
>
> Bryton.
>
>> I have done this, according to
>> http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your
>> own CA):
>>
>> a) create a CA authority (ca.key and ca.crt)
>> b) make a certificate request (server.csr)
>> c) sign the certificate request (server.crt and server.key) with the new
>> CA authority
>> d) change the server key so it does not ask for a passphrase.
>>
>> Afterwards, the server.crt and server.key files are included in
>> /usr/share/fred-client/ssl directory, and the fred-client configuration
>> file is modified like this:
>>
>> ssl_cert = %(dir)s/server.crt
>> ssl_key = %(dir)s/server.key
>>
>> Now, if I try to run fred-client this is the result:
>>
>> ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
>> Certificate not signed by verified certificate authority
>>
>> What should I do for fred-client to identify these certificates as valid?
>>
>> Thanks in advance.
>>
>> Note: the new fred-client is perfectly compatible with FRED 2.2.
>>
>>
>> --
>> Mario Guerra <mguerra(a)nic.cr>
>> _______________________________________________
>> fred-users mailing list
>> fred-users(a)lists.nic.cz
>> https://lists.nic.cz/cgi-bin/mailman/listinfo/fred-users
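The procedure in the quoted thread (create your own CA, then sign a server certificate and a client certificate with it) and the three questions at the top of this page can be checked locally with openssl before touching the Apache configuration. The script below is an added example written for this page; it is not code from the thread, from FRED, or from the linked selfsign.html guide. It builds a throwaway test CA, issues a server certificate and a client certificate with different CNs from that CA (question a), issues a second client certificate from an unrelated CA (question b), and reports which certificates a given CA file accepts. The names (`Test CA`, `Other CA`, `client1`, `client2`), the key size and the 30-day validity are arbitrary choices made here. The last helper prints the MD5 fingerprint in the colon-separated form openssl uses, which is the value Piotr refers to when he mentions the registraracl table.

```shell
#!/bin/sh
# Added example for this page (not FRED's own scripts): a throwaway PKI to see
# which certificates a server trust store accepts and which trigger "unknown ca".
set -e

# Builds a test CA, a server cert and a client cert signed by it, plus a second
# unrelated CA with its own client cert. All names here are constructed.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. The CA itself (the ca.key / ca.crt of the selfsign.html procedure).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server and client: separate keys and CNs, both signed by the same CA
  #    (question a: one CA, different subjects).
  for name in server client1; do
    openssl req -new -newkey rsa:2048 -nodes \
      -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$name.crt" 2>/dev/null
  done
  # 3. A second CA the server knows nothing about, and a client cert from it
  #    (question b: client signed by some other CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Other CA" -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=client2" -keyout "$dir/client2.key" -out "$dir/client2.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/client2.csr" \
    -CA "$dir/other-ca.crt" -CAkey "$dir/other-ca.key" -CAcreateserial \
    -out "$dir/client2.crt" 2>/dev/null
}

# Returns 0 when the certificate chains to a CA in the given CA file,
# non-zero otherwise. This is the check the server applies to a client cert.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# MD5 fingerprint of a certificate, in the AA:BB:... form openssl prints.
fingerprint_md5() {
  openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# Usage: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
  pki=$(mktemp -d)
  make_test_pki "$pki"
  for crt in server client1 client2; do
    if trusted_by "$pki/ca.crt" "$pki/$crt.crt"; then
      echo "$crt.crt: accepted by ca.crt"
    else
      echo "$crt.crt: rejected by ca.crt (the 'unknown ca' case)"
    fi
  done
  echo "client1 MD5 fingerprint: $(fingerprint_md5 "$pki/client1.crt")"
fi
```

The `trusted_by` check is the same chain validation the EPP server performs on a connecting client: the CA file passed to it stands in for the server's trust store (for Apache's mod_ssl that is the file named by the SSLCACertificateFile directive). A client certificate whose issuer is not in that file is exactly what produces the `tlsv1 alert unknown ca` error quoted above, whichever public or private CA signed it; so for question b the server's CA file has to contain every CA that a registrar's client certificate chains to, and for question c the new ca.crt must be added there, not only to the fred-client side.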
Jaromir,
I would like to participate.
It is my hope that you will have a detailed hands-on installation session. I would like
to return with a working FRED registry on my Fedora laptop that includes the new
features as well, like post-paid billing.
Regards,
Paulos
==============================
Dr Paulos Nyirenda
Malawi SDNP Coordinator
On 17 May 2012 at 13:55, Jaromir Talir wrote:
> Hi,
>
> CZ.NIC will host the next ICANN meeting in Prague on June 24-29 this year -
> http://prague44.icann.org/ and http://www.icannprague.cz/
>
> I had an idea to do a one-day workshop for FRED prior to this meeting on
> Sunday 24 if there is some demand. Topics would cover:
> - features, architecture, component description
> - installation procedure
> - basic configuration - adding zone, adding registrar,...
> - place for questions.
>
> The workshop would be in our offices where we have small educational
> room for 20 people. Please let me know if you would like to participate
> in this activity, we have five weeks to arrange it.
>
> Regards,
> Jaromir
>
> --
> Jaromir Talir
> technicky reditel / Chief Technical Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o. -- .cz domain registry
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:jaromir.talir@nic.cz http://nic.cz/
> sip:jaromir.talir@nic.cz tel:+420.222745107
> mob:+420.739632712 fax:+420.222745112
> -------------------------------------------
Hi,
finally we managed to complete a new version suitable for public release.
I uploaded the files to http://fred.nic.cz/wiki/download
Just a quick summary of the main changes:
(1) auditing component - after 3 years running fred (2007-2010) we found out that almost 99% of the database size is in the tables action and action_xml, used to log all incoming EPP communication, and the database is becoming unmaintainable. So we decided to change the fred architecture and create a separate general component for logging incoming requests. The database for this consists of monthly partitioned tables (request_*, session_*, ...) and can be installed separately from the main database. It is now used by the EPP frontend, unix whois, web whois and webadmin to store all requests in FRED.
(2) billing component - invoicing was rewritten with the intention to support not only the prepaid but also the postpaid model. The price list can be configured in such a way that charged operations are not blocked when there is no credit; the registrar sees negative credit in the 'credit_info' command and this is cleared when there is an incoming payment. The tables for holding incoming payments were simplified and there is a simple way to register a new payment from a general xml file describing payments. There is also a new component, fred-transproc, for transaction processing. It queries IMAP and HTTP sources and transforms the responses into this new xml file that is passed to fred. There are some example modules for our local banks that can be used as a starting point for your own modules.
(3) messaging component - we added the possibility to send and archive SMS and snail mail letters automatically. But this is based on external services, so there must be some local company having a web service for sms or snail mail processing. Then a script that calls this web service must be created and uploaded into fred for this feature to work.
(4) mojeid changes - we built an identity solution called mojeid (myid) over the registry (www.mojeid.cz). This is not part of fred and just uses fred as a backend. It consists of validation of contact data by sending an sms to the contact's phone number, an email to his email address and a snail mail letter to his postal address. After completion of the three pieces of information sent by these three channels we set the status identified on this contact, and the user can maintain his contact data directly through a new application. This contact can also take advantage of the openid server and use the same authentication process for different websites supporting openid. I mention this because you may see some of these mojeid changes in fred, but actually they are not useful for you. We are in the process of separating these things further out of fred.
If you decide to migrate, we suggest doing a new installation, because there are quite a lot of changes in the configurations, and then migrating the database according to the upgrade scripts in the fred-db packages. Of course there should be intensive testing before going to production.
Regards,
Jaromir
Hello,
Does anyone know if there exists a full list of all the possible errors that might happen during the connection of Fred-Client with the server? The respective error messages might also be useful.
Thanks,
Besmira