CSNM-Carl Posted August 25, 2007

Please can someone guide me through the Nominet module setup? What exactly do we need to do on the server? I've generated a new key on the server using GnuPG, tried to import it into our online services account at Nominet and it says the key does not match our tag. I've already got 2 keys registered and working with other systems that work fine. Help please!

othellotech Posted August 26, 2007

> What exactly do we need to do on the server?
Not a lot - install gpg, install your keyring

> I've generated a new key
You don't need a new key

> I've already got 2 keys registered
Why? We've only got 1 key for each of our 11 Nominet tags

CSNM-Carl Posted August 26, 2007

What do you mean install your keyring? So I need to import one I have registered in my Nominet online services account to the server? Thanks for the reply.

othellotech Posted August 26, 2007

http://www.gnupg.org/gph/en/manual.html

A not-exactly-how-to .....

1. install gpg:

    yum -y install gpg gnupg

2. upload your public and secret keyrings to the user's gpg directory (usually /.gnupg/)

If you're used to using pgp from your desktop then it's just a case of copying the pubring and secring pkr files and renaming them to .gpg

3. set the various gpg config options

personally I enable verbose, and as we have a lot of keys, specify which to use as default

4. test it - this *will* tell you where any problems are

- create a text file in /whmcs/modules/registrars/nominet/tmp called nominettest.txt with the content...

    operation:list
    month:all

- from your ssh prompt at the whmcs user type

    echo {passphrase} | gpg --no-tty --passphrase-fd 0 --clearsign ./tmp/nominettest.txt

this will produce you a nominettest.txt.asc file which will look *something* like ...

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    operation:list
    month:all
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iQCVAwUBRtF5LPERzWw/ilcHAQIDlAQAhYt6+0XYwHyrEYfOo+a+kYaSr4YAAyZe
    6wc9GG94ng91cpiDinu68wRVebgeGlp680jpZER7iNGeuBoX60yw1U9PwYGkRA9t
    0M2fe5TszUg2yxLTTjw6+3EAKpsW+GvdcSEPunkQFzKT1qSEZZHxSfGDAXDc6Ou+
    7aaPxI4tbDI=
    =iLjd
    -----END PGP SIGNATURE-----

- email that file to auto-co@nominet.org.uk and see what they say about it

5. add the right options to the module setup in WHMCS and

Job done

CSNM-Carl Posted August 27, 2007

Thanks for this! I've sent the email to auto-co@nominet.org.uk with no subject. Not had anything back though?

Cheers, Carl

CSNM-Carl Posted August 27, 2007

When I try to register a domain, Nominet sends the response back as:

V046 Message not in Clear Text Signed Format

othellotech Posted August 27, 2007

you need a subject on the email of "{TAG} List" and it was the .asc you sent them?

CSNM-Carl Posted August 27, 2007

Ok, just re-sent the email, and yes I'm sending the .asc content. Not had a response back yet, how long does it normally take?

Thanks again, Carl

othellotech Posted August 27, 2007

It takes however long the automaton takes to respond - anything from 5 seconds to 3 days

CSNM-Carl Posted August 27, 2007

Automaton seems OK for manual registrations I've put through. With everything configured in WHMCS and when I attempt to register a .co.uk via the Nominet module, Nominet send this back in the email:

V046 Message not in Clear Text Signed Format

othellotech Posted August 27, 2007

then you're not doing what i said in my post regarding the list test

CSNM-Carl Posted August 27, 2007

> then you're not doing what i said in my post regarding the list test

I am...

CSNM-Carl Posted August 27, 2007

Just to confirm, I should be emailing auto-co@nominet.org.uk with the .asc content?

othellotech Posted August 27, 2007

same as you would if you did a LIST manually etc.

automaton instructions can be found at http://www.nic.uk

the problem you have is not related to who you mail it to, but what you're sending - is the .asc actually signed - i.e. have you got gpg correctly installed and the command line working.

CSNM-Carl Posted August 27, 2007

I'm sending this via Outlook:

This was in the .asc file that got produced when I did the SSH thing as per your instructions.

othellotech Posted August 27, 2007

apart from using a long obsolete version (1.4.6 has been stable a while now) it looks fine

you'll need to talk to Nominet about why they think it's not clearsigned as it obviously is.

CSNM-Carl Posted August 27, 2007

Ok thanks, will update PGP and try it again.

CSNM-Carl Posted August 27, 2007

Ok, I've made further progress.

Rob - you told me to email auto-co@nominet.org.uk with the list thingy, it should be auto-co@nic.uk

List comes back with a list of all the domains on my TAG showing no problems, but WHMCS still doesn't want to register domains.

CSNM-Carl Posted August 27, 2007

Ok, further update: I've changed the "test email" box to my own email address to see what WHMCS is sending - the email was blank, nothing in it at all.

Thanks, Carl

othellotech Posted August 27, 2007

> I've changed the "test email" box to my own email address to see what WHMCS is sending - the email was blank, nothing in it at all.

Then the command line is failing

gpg signing is failing, check your error logs, check the permissions on the ./nominet/tmp folder, check the keyring is accessible for the user running the php

othellotech Posted August 27, 2007

Ok, it's clear a couple more "tweaks" will be needed to the nominet module to make life a little simpler.

the first will be to include the .txt *unsigned* automaton email if for some reason the signing fails, so at least you do get an email (and a meaningful answer from nominet with the necessary data to manually sign) - will ask Matt to add a check when reading the .asc

if file not exist or length < 64 chars then include the .txt in the message

the 2nd looks like a generic issue with people not running suexec/phpsuexec where the whmcs scripts are running as "nobody" and therefore cannot access the gpg keyrings - not sure yet what to do about that, as it makes sense to me that scripts should run as the owner not some generic "fallback" user ...

CSNM-Carl Posted August 28, 2007

It's now working! It was an issue with the Apache user unable to access the keyring.

Many thanks for your assistance though Rob, without your guide I'd have been nowhere. This post may be worth a sticky.

Cheers, Carl

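The two checks raised in the posts above (is the keyring readable by the user PHP runs as, and is the .asc present and at least 64 characters), written as a shell preflight. This is an added example, not part of the thread or of the WHMCS Nominet module; the function names are hypothetical, and `secring.gpg` is the GnuPG 1.x keyring file from step 2 of the how-to.

```shell
#!/bin/sh
# Added example: preflight for the gpg clearsign step. Function names are hypothetical.

# Succeeds only if the calling user can enter GnuPG home $1 and read its
# secret keyring (secring.gpg, the GnuPG 1.x file from the how-to above).
keyring_accessible() {
    home=$1
    [ -d "$home" ] && [ -r "$home" ] && [ -x "$home" ] || {
        echo "cannot enter keyring directory $home as $(id -un)" >&2; return 1; }
    [ -r "$home/secring.gpg" ] || {
        echo "cannot read $home/secring.gpg as $(id -un)" >&2; return 1; }
}

# Succeeds only if file $1 has the shape of gpg --clearsign output.
is_clearsigned() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    # The guard proposed in the thread: under 64 bytes means signing failed.
    size=$(( $(wc -c < "$f") ))
    [ "$size" -ge 64 ] || { echo "only $size bytes, signing failed: $f" >&2; return 1; }
    # The clearsign header must be the first line (tolerate CRLF line endings).
    first=$(head -n 1 "$f" | tr -d '\r')
    [ "$first" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || {
        echo "first line is not the clearsign header: $f" >&2; return 1; }
    # Both ends of the signature block must be present.
    grep -q '^-----BEGIN PGP SIGNATURE-----' "$f" &&
        grep -q '^-----END PGP SIGNATURE-----' "$f" || {
        echo "signature block missing or truncated: $f" >&2; return 1; }
}

# Run both checks and report which user they were run as.
preflight() {
    keyring_accessible "$1" && is_clearsigned "$2" &&
        echo "OK: $2 is clearsigned, keyring readable by $(id -un)"
}

# Usage: sh preflight.sh <gnupg-home> <file.asc>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" || exit 1
fi
```

Run it as the account the web server uses (for example `sudo -u nobody sh preflight.sh <gnupg-home> ./tmp/nominettest.txt.asc`, where `preflight.sh` is a hypothetical file name), because the same checks run from your own SSH login pass even when PHP cannot read the keyring.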
othellotech Posted August 28, 2007

what user is your apache running as?

a new version will shortly be available which will include the unsigned file if signing fails (so you don't lose the details and can manually sign it)

arhost Posted August 28, 2007

Why not store the gpg public/private keys and pass phrase in the database like WHMCS competitor, which works well?

othellotech Posted August 28, 2007

passphrase is stored in the DB, and it's very inefficient having to create the secret keyring each time you want to sign something - especially when pgp/gpg has keyrings which *is* effectively a database