Anyone tried to install the 2.11!?
I am getting sql/epp_login.sql: No such file or directory on the fred-db* package
fred-db-2.11.0 # make
./orderedsql.sh > structure.sql
cat: ./sql/epp_login.sql: No such file or directory
Regards,
A
As of today, 12 June, we are using our EPP module and fred-client certificates.They are signed by the same CA, in our case, our own.
These scripts can help you to do that:
CA creation (if you decide to have your own):
--------------------------------------------
#!/bin/bash
openssl genrsa -des3 -out nicca.key 4096
openssl req -new -x509 -days 1095 -key nicca.key -out nicca.crt -subj /C=<country>/L=<City>/O=<country>.NIC/OU=Registry/CN=localhost/
Certificate request and signing (the later is done by an external CA if you decide so):
#!/bin/bash
echo "Create CSR for $1"
openssl genrsa -des3 -out $1.key 4096
openssl req -new -key $1.key -out $1.csr -subj /C=<country>/ST=<province/state>/L=<Location>/O=<country>.NIC/OU=Registry/CN=localhost/emailAddress=<your email address>
echo "Sign certificate for $1" (you don't need this if you use an external CA)
openssl x509 -req -days 1095 -in $1.csr -CA nicca.crt -CAkey nicca.key -set_serial 01 -out $1.crt
echo "Generate key w/o passphrase"
openssl rsa -in $1.key -out $1.key.insecure
mv $1.key $1.key.secure
mv $1.key.insecure $1.key
The later script is used both for the EPP module and fred-client but create two independent certificates. Algo, for fred-client you need to modify the cert field in the registraracl table for the respective registrar so it states the FRED certificate fingerprint. Calculate that with this:
openssl x509 -md5 -noout -in NIC-REG1.crt -fingerprint | awk 'BEGIN {FS="="} {print $2}'
More details at http://www.guerra.co.cr/ (Certificate management using FRED).
Any comment is welcome.
--
Mario Guerra <mguerra(a)nic.cr>
Following this thread:
1. I setup an account in cacert.org for having certificates emitted with them. Then I generated a couple of certificates, one for the EPP Apache module and one for the client (which means that both certificates are different, not the same situation described in the README file in /usr/share/fred-mod-eppd/ssl/README. Now, I notice both certificates are emitted by the very same CA, cacert.org in this case. They work perfectly. So I have some questions:
a) What happens if nic.cr has its own certificates with, say, cacert.org and the clients using fred-client generate certificates using the same CA, but with their own usernames?. My guess is that it shouldn't be a problem, because the CA cert associated in the eppd module configuration is the same. That is, for the EPP module certificate nic.cr use a cacert.org user like, say, "nicrcr" and the client connecting with nic.cr use their own user, say, "client1".
b) What if nic.cr uses, say, cacert.org for the EPPD Apache module, but a client uses, Certplus, Thawte or Verising for signing their fred-client certificates?.
c) I have tried to use our own (test) CA following the procedure in http://www.tc.umn.edu/~brams006/selfsign.html, part 1B, but it does not work. I guess I have to include something and I'm not aware of it.
Thanks in advance.
--
Mario Guerra <mguerra(a)nic.cr>
Dear Jaromir,
I would like to be part of the FRED workshop participant.
Thank you. My name is below.
regards,
Ghislain NKERAMUGABA
.rw ccTLD Coordinator - RICTA
Email: cctldc(a)ricta.org.rw / ghislain.n(a)ricta.org.rw
Mob/Cell: +250-788470507
Website: www.ricta.org.rw
I've written this so you can properly use your own certificates in a FRED production environment, either using your own or an external CA.
http://www.blogger.com/blogger.g?blogID=4416341164567520466#editor/target=p…
Consider this a draft and feel free to comment about it.
Best regards.
--
Mario Guerra <mguerra(a)nic.cr>
Dear all,
I am having a problem installing fred when I install fred-pyfred, it is
giving me an error saying that the popen2 is duplicated and I should
use the subprocess module.
I am confused and don't want to make more errors, can you help me?
Thank you
Hello everyone,
Probably this is the best place to ask, since WHMCS is being used by most small hosters today, does anyone know if there is some Module for WHMCS and FRED installations!?
Regards,
A
Hello guys
Bryton's right. But let's not forget about registraracl table and MD5
fingerprint of the certificate after.
Some more details can be found in the excerpt I attach. They're not so
relevant in this case but they might be helpful to some folks in the
future. It's openssl and Ubuntu based.
Best
Piotr
On 21/05/12 18:32, bfocus(a)tznic.or.tz wrote:
>
> Mario,
>
> Have you tweaked epp file in apache by adding the new CA and the server
> cert and key?
>
> What I normally do is I use tinyca on a separate machine...
>
> I create a CA,create server cert and key and finally the client cert and key.
>
> Once done I ship them to the server I want then does a small change on the
> epp file in apache to reflect the ca and server cert/key
>
> Then I use client certs and key for fred-client.
>
> I have never tried to use the same server cert and key for the fred-client.
>
> Bryton.
>
>> I have done this, according to
>> http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your
>> own CA):
>>
>> a) create a CA authority (ca.key and ca.crt)
>> b) make a certificate request (server.csr)
>> c) sign the certificate request (server.crt and server.key) with the new
>> CA authority
>> d) change the server key so it does not ask for a passphrase.
>>
>> Afterwards, the server.crt and server.key files are included in
>> /usr/share/fred-client/ssl directory, and the fred-client configuration
>> file is modified like this:
>>
>> ssl_cert = %(dir)s/server.crt
>> ssl_key = %(dir)s/server.key
>>
>> Now, if I try to run fred-client this is the result:
>>
>> ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
>> Certificate not signed by verified certificate authority
>>
>> What should I do for fred-client to identify these certificates as valid?.
>>
>> Thanks in advance.
>>
>> Note: the new fred-client is perfectly compatible with FRED 2.2.
>>
>>
>> --
>> Mario Guerra <mguerra(a)nic.cr>
>> _______________________________________________
>> fred-users mailing list
>> fred-users(a)lists.nic.cz
>> https://lists.nic.cz/cgi-bin/mailman/listinfo/fred-users
>>
>
>
> _______________________________________________
> fred-users mailing list
> fred-users(a)lists.nic.cz
> https://lists.nic.cz/cgi-bin/mailman/listinfo/fred-users
Jaromir,
I would like to participate.
It is my hope that you will have a detailed hands on installation session. I would like
to return with a working FRED registry on my Fedora laptop that includes the new
features as well like post paid billing.
Regards,
Paulos
==============================
Dr Paulos Nyirenda
Malawi SDNP Coodinator
On 17 May 2012 at 13:55, Jaromir Talir wrote:
> Hi,
>
> CZ.NIC will host next ICANN meeting in Prague in June 24-29 this year -
> http://prague44.icann.org/ and http://www.icannprague.cz/
>
> I had an idea to do one day workshop for FRED prior to this meeting on
> Sunday 24 if there will be some demand. Topics would cover:
> - features, architecture, component description
> - installation procedure
> - basic configuration - adding zone, adding registrar,...
> - place for questions.
>
> The workshop would be in our offices where we have small educational
> room for 20 people. Please let me know if you would like to participate
> in this activity, we have five weeks to arrange it.
>
> Regards,
> Jaromir
>
> --
> Jaromir Talir
> technicky reditel / Chief Technical Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o. -- .cz domain registry
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:jaromir.talir@nic.cz http://nic.cz/
> sip:jaromir.talir@nic.cz tel:+420.222745107
> mob:+420.739632712 fax:+420.222745112
> -------------------------------------------
>
> _______________________________________________
> fred-users mailing list
> fred-users(a)lists.nic.cz
> https://lists.nic.cz/cgi-bin/mailman/listinfo/fred-users
----------------------------------------------------------
Malawi SDNP Webmail: http://www.sdnp.org.mw
Access your Malawi SDNP e-mail from anywhere in the world.
----------------------------------------------------------
