Introduction / Use Case Question


Jeremias Braß

Jun 11, 2020, 8:27:50 AM
to nomulus-discuss
Greetings,
we are a small company that resells subdomains under a pool of short domains registered to us.
Our current backend is quite dated by now and we are considering upgrading to Nomulus.  

From our initial look at the project it seems to meet all our requirements and more.
(https://groups.google.com/d/topic/nomulus-discuss/tLBCLAbPRc8/discussion)
We are already partnered with multiple resellers and we would be developing/revamping our front-end to interface with Nomulus over EPP.

Would it be possible to run this project without the ICANN compliance features or are they irrevocably tied into it? 


Thanks

Lai Jiang

Jun 11, 2020, 9:50:14 AM
to Jeremias Braß, nomulus-discuss
Hi Jeremias,

ICANN compliance features are somewhat tied to Nomulus. That said, it should be fairly straightforward to make those that you don't need no-ops in that they would simply do nothing or to turn them off via config files.

Thanks,

Lai Jiang | Software Engineer | jian...@google.com | 212-565-6361



--
NOTE: This is a public discussion list for the Nomulus domain registry project.
---
You received this message because you are subscribed to the Google Groups "nomulus-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nomulus-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nomulus-discuss/3fa0a0ef-df0f-462a-a8ec-1932eddb1076o%40googlegroups.com.

mashfuk hossain

Jun 15, 2020, 3:53:42 AM
to nomulus-discuss
Hello,

I am another employee of the company. We want to configure and test Nomulus for our back end software.

We have gone through the https://github.com/google/nomulus/issues/365 link. We have managed to deploy initially but we are not sure which document is up to date.

I shall be very thankful if you suggest an updated guideline to install, configure and test the Nomulus.

Thanks
Mashfuk



Michael Muller

Jun 16, 2020, 9:20:25 AM
to mashfuk hossain, nomulus-discuss
Hi Mashfuk,

Yes, sadly our install guide is still completely out-of-date.  We'll try to get around to updating it this week.  In the meantime, the general procedure for build/install is something like:

1) set up GCP projects for production and test environments
2) update projects.gradle with the names of those environments
3) update the configuration files in core/src/main/java/google/registry/config/files with correct configuration for those environments (e.g. nomulus-config-production.yaml, overriding the values in default-config.yaml as appropriate).  At minimum you'll want to set up a client id and secret for registryTool.
4) deploy to an environment with "./nom_build appengineDeploy --environment=<environment-name>" where <environment-name> is the short name of an environment in projects.gradle.  For example, to deploy to sandbox: "./nom_build appengineDeploy --environment=sandbox"

We'll reply on this thread when the install guide has been updated. 





--
Michael Muller
Ym9yZWQ/

Jeremias Braß

Jun 16, 2020, 10:20:04 AM
to nomulus-discuss

Michael Muller

Jun 16, 2020, 11:14:40 AM
to Jeremias Braß, nomulus-discuss
I'm not entirely sure, but can you try "nomulus -e <environment> login" and see if that fixes it?



--
Michael Muller
Ym9yZWQ/

Lai Jiang

Jun 17, 2020, 1:43:03 PM
to nomulus-discuss
It does look like the issue is related to the credential not set:


Running nomulus login as suggested by Mike should fix it.

Jeremias Braß

Jun 18, 2020, 3:41:20 AM
to nomulus-discuss


Hello,

Thanks for the reply. When we ran the login command for the first time it shifted us to a new browsing window where we did the Google Cloud 2-step login, and
after the first time we ran the nomulus login command a new window for Google OAuth2 opened up. We allowed all the required access in that window,
but there was a warning that this OAuth2 was not confirmed. After the first call of nomulus login every further call no longer seems to do anything.

After login, when we run

 java -jar nomulus.jar -e alpha create_tld example --roid_suffix EXAMPLE   --initial_tld_state GENERAL_AVAILABILITY --tld_type TEST
Exception in thread "main" java.lang.IllegalArgumentException: password not set


the upper command we get the error

I have attached the screen shot for better understanding


Thanks
a.jpg

Lai Jiang

Jun 18, 2020, 1:02:19 PM
to Jeremias Braß, nomulus-discuss
Hi, if you get a warning that OAuth2 is not confirmed that should result in the error that you are seeing.


After that, can you do `nomulus -e <env> logout` and then try logging in again? Remember to take screenshots for any errors you might encounter during the process so that we can better help you.


Lai Jiang | Software Engineer | jian...@google.com | 212-565-6361



Jeremias Braß

Jun 19, 2020, 3:30:10 AM
to nomulus-discuss
Hello,
we have followed the OAuth2 procedure and the OAuth2 config part looks like this:

Bildschirmfoto von 2020-06-19 08-43-10.png

Though during the creation of the credentials in developer console there was no "Other" type available for creation.
These were all the available options:

Bildschirmfoto von 2020-06-19 08-50-16.png

We chose Desktop App because it seemed the closest to other, but that may be what caused the problem.

We also used the project_id from the client_secret.json as the OAuth username and without any username but had the same result.


If we then run nomulus login we get the following output in the terminal:

Bildschirmfoto von 2020-06-19 09-00-31.png


In the Chrome browser window that opens we get the following warning after selecting the account to authenticate:

Bildschirmfoto von 2020-06-19 08-57-55.png

This warning links to here: https://support.google.com/cloud/answer/7454865?authuser=0, though according to the help page apps in development do not need to be verified.

After skipping the warning we get 3 prompts to allow access for different scopes:

Bildschirmfoto von 2020-06-19 09-13-35.png

And after granting access to all requested scopes we get the following confirmation in the browser window:

Bildschirmfoto von 2020-06-19 09-09-12.png



We have encountered no explicit error message during this process.
Here is the full console log:

Bildschirmfoto von 2020-06-19 09-21-28.png


The account we are trying to authenticate is also the owner of the App Engine Project:

Bildschirmfoto von 2020-06-19 09-26-51.png



Once again, thank you for your time and support.


Lai Jiang

Jun 19, 2020, 12:04:51 PM
to Jeremias Braß, nomulus-discuss
I think Desktop App should be the correct one. This has changed since the document was written. The username is for SQL access and should not be relevant. Some of the error messages are in German which makes it hard to debug. But just as a sanity check, did you rebuild the nomulus tool and re-deploy the app engine application after you change the config yaml file? 


Lai Jiang | Software Engineer | jian...@google.com | 212-565-6361



Jeremias B.

Jun 22, 2020, 5:08:42 AM
to nomulus-discuss
Hello,

yeah, we did rebuild and redeploy before retrying. 
After some digging into the source code we noticed that there is a need to explicitly configure the project to not use login/test credentials in the .yaml.
Once we made the following additions to our environment configuration

Bildschirmfoto von 2020-06-22 10-58-24.png

we now encounter the following error with most admin tool commands.


java -jar nomulus.jar -e alpha create_tld foo.example --roid_suffix FOOEXAM --initial_tld_state GENERAL_AVAILABILITY --tld_type TEST
Exception in thread "main" java.lang.IllegalStateException: Requested secret 'tools-cloud-sql-password-string' does not exist.
    at com.google.common.base.Preconditions.checkState(Preconditions.java:589)
    at google.registry.keyring.kms.KmsKeyring.getDecryptedData(KmsKeyring.java:205)
    at google.registry.keyring.kms.KmsKeyring.getString(KmsKeyring.java:178)
    at google.registry.keyring.kms.KmsKeyring.getToolsCloudSqlPassword(KmsKeyring.java:100)
    at google.registry.persistence.PersistenceModule.providesNomulusToolJpaTm(PersistenceModule.java:129)
    at google.registry.persistence.PersistenceModule_ProvidesNomulusToolJpaTmFactory.proxyProvidesNomulusToolJpaTm(PersistenceModule_ProvidesNomulusToolJpaTmFactory.java:73)
    at google.registry.persistence.PersistenceModule_ProvidesNomulusToolJpaTmFactory.get(PersistenceModule_ProvidesNomulusToolJpaTmFactory.java:44)
    at google.registry.persistence.PersistenceModule_ProvidesNomulusToolJpaTmFactory.get(PersistenceModule_ProvidesNomulusToolJpaTmFactory.java:13)
    at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
    at google.registry.tools.DaggerRegistryToolComponent.nomulusToolJpaTransactionManager(DaggerRegistryToolComponent.java:835)
    at google.registry.tools.RegistryCli.runCommand(RegistryCli.java:243)
    at google.registry.tools.RegistryCli.run(RegistryCli.java:171)
    at google.registry.tools.RegistryTool.main(RegistryTool.java:129)

Is there a need to configure a working keyring for secret storage to work with a deployed system or do we need to configure the cloudSql in the environment configuration?

Weimin Yu

Jun 24, 2020, 2:41:18 PM
to Jeremias B., nomulus-discuss
Hi Jeremias,

Clarification: once you have updated from Nomulus head, you should be able to login using the nomulus tool.
The Cloud SQL set up instructions are provided in case you need it in the future.

Jeremias B.

Jun 29, 2020, 3:34:17 AM
to nomulus-discuss

Bildschirmfoto von 2020-06-29 09-20-21.png

Hello,

Thanks for the reply. After rebuilding and deploying the project we find the following error: At least one DNS writer must be specified. Can anyone please tell us where to configure the DNS? I attached the screenshot here.

Thanks

Michael Muller

Jun 29, 2020, 8:24:25 AM
to Jeremias B., nomulus-discuss
Hi Jeremias,

DNS writers are specified per-tld in the create_tld command itself.  Just add "--dns_writers=CloudDnsWriter" to your command.  Alternately, use "--dns_writers=VoidDnsWriter" for testing purposes if you don't want to currently publish to Cloud DNS.



--
Michael Muller
Ym9yZWQ/

Weimin Yu

Jun 29, 2020, 3:58:09 PM
to nomulus-discuss
+nomulus-discuss 

---------- Forwarded message ---------
From: Weimin Yu <weim...@google.com>
Date: Wed, Jun 24, 2020 at 2:31 PM
Subject: Re: [NOMULUS-DISCUSS] Introduction / Use Case Question
To: Jeremias B. <br...@kv-gmbh.de>


Hello Jeremias,

Yes, you need to configure a Cloud SQL instance and a working keyring to work with a deployed system. 
Please pull from head to pick up a recent fix to the nomulus tools. 

Please also find below additional information on how to set up Cloud SQL.


Cloud SQL Credential

Since you are just checking Nomulus out, you only need to create one user. You can use the default 'postgres' user that would be created during Cloud SQL setup.
For production systems we recommend creating different logins for different roles.

You don't need to deploy the SQL schema. The system should be functional without it.

Cloud KMS

You'll need to choose a project to host the KMS keyring. Best practice is to create a separate project with strict IAM policy. However,  you can use your current project when experimenting.

You need to create a KMS keyring in the chosen project. The default keyring name is 'nomulus', though you can override it in the config file.

gcloud kms keyrings create "nomulus" --location "global" --project YOUR_KEYS_PROJECT


Next, you need to create two keys in the keyring:

gcloud kms keys create "cloud-sql-password-string" \
    --location "global" \
    --keyring "nomulus" \
    --purpose "encryption"

gcloud kms keys create "tools-cloud-sql-password-string" \
    --location "global" \
    --keyring "nomulus" \
    --purpose "encryption"


Install Cloud SQL Passwords in Nomulus Server

Use the update_kms_keyring command to upload the Cloud SQL passwords to the Nomulus server:

Paste the password for the Registry server user to a file, say /tmp/server.pass. Make sure to avoid any trailing '\n' inserted by the editor.

ENV=alpha
nomulus -e $ENV update_kms_keyring --keyname CLOUD_SQL_PASSWORD --input /tmp/server.pass

Repeat the steps for the tools sql password:

nomulus -e $ENV update_kms_keyring --keyname TOOLS_CLOUD_SQL_PASSWORD --input /tmp/tools.pass

Use get_keyring_secret command to verify the data you put in.

The Relevant Parts of the Configuration File

cloudSql:
  jdbcUrl: jdbc:postgresql://google/postgres
  username: nomulus
  instanceConnectionName: THE_NAME_SHOWN_ON_THE_DB_INFO_PAGE

keyring:
  activeKeyring: KMS
  kms:
    projectId: THE_PROJECT_WITH_THE_NOMULUS_KEYRING

registryTool:
  clientId: TOOLS_OAUTH_CLIENT_ID
  clientSecret: TOOLS_OAUTH_SECRET
  username: tool



mashfuk hossain

Jul 2, 2020, 3:38:04 AM
to nomulus-discuss
Hello,

Thanks for the detailed description of the SQL part. Can you please give us more details about the DNS configuration?


Thanks
Mashfuk

Lai Jiang

Jul 2, 2020, 10:55:16 AM
to nomulus-discuss
Hi Mashfuk

As Mike mentioned earlier, if you add the flag "--dns_writers=VoidDnsWriter" in your create_tld command you should be able to bypass the need to have a working DNS.

Jeremias B.

Jul 7, 2020, 5:32:11 AM
to nomulus-discuss
Hello,

we have now tried to experiment with the CloudDNSWriter with the goal of creating a test domain and the associated zone managed by a nomulus deployment.

We are using CloudDNS in the same project as our nomulus deployment. After creating the tld co.de with the CloudDNSWriter and then creating the domain new.co.de we first encountered the following error:

java.lang.RuntimeException: com.google.api.client.googleapis.json.GoogleJsonResponseException: 404 Not Found
{
"code" : 404,
"errors" : [ {
"domain" : "global",
"message" : "The 'parameters.managedZone' resource named 'co-de' does not exist.",
"reason" : "notFound"
} ],
"message" : "The 'parameters.managedZone' resource named 'co-de' does not exist."
}

So after this we manually created the zone in the cloud DNS console with the DNS name co.de. and the zone name co-de. 
We now have the following error during the DNS write: 

java.lang.RuntimeException: com.google.api.client.googleapis.json.GoogleJsonResponseException: 400 Bad Request
{
"code" : 400,
"errors" : [ {
"domain" : "global",
"message" : "Invalid value for 'entity.change.additions[0].name': 'new.co.de.'",
"reason" : "invalid"
} ],
"message" : "Invalid value for 'entity.change.additions[0].name': 'new.co.de.'"
}
Full trace here.

We are using the recommended production settings for cloud DNS out of the example for this environment.

Are we misunderstanding the way nomulus and CloudDNS interact and do we need to do more preparation/configuration work or did we mess up during the DNS zone creation?

Lai Jiang

Jul 7, 2020, 8:25:23 AM
to Jeremias B., nomulus-discuss
My understanding is that you should not need to manually interact with CloudDNS. If you create a TLD within Nomulus and set CloudDNS to be the DNS writer, it should automatically create the zone. Any SLDs created will also automatically insert the records to the zone.

Can you please try setting the following values in your config file:

cloudDns:
  # Override test configuration in default-config
  rootUrl: null
  servicePath: null

Lai Jiang | Software Engineer | jian...@google.com | 212-565-6361

