Let's Encrypt is an initiative which allows you to get a real certificate for your server. That is, a certificate from a trusted Certificate Authority. By using Let's Encrypt with UnrealIRCd and having your users on SSL/TLS you make your IRC network safer.
The goal
After this guide you will have a dual certificate setup:
- Clients will connect to your server and see the Let's Encrypt certificate (from /etc/letsencrypt/...). That way they will see a "real certificate" that is validated by trusted certificate authority
- Server-to-server connections will use the self-signed certificates (from ~/unrealircd/conf/tls/server...). This makes things easy for server linking since the certificate/keys will stay the same (and not change every 30-90 days).
Requirements
This tutorial is written for *NIX. Perhaps one day someone could expand it for Windows (if possible).
The Let's Encrypt installation as described in this tutorial requires root access. We will assume you are running UnrealIRCd on a VPS and you have root access, this is after all the most common situation. Be sure to do all the things in this tutorial as root. Become root now by using sudo -i or whatever command or login method you normally use to become root.
Let's Encrypt requires you to setup a number of things and will issue you 90-day certificate. Getting the certificate for the first time requires some manual labor. After this, you will setup automatic renewal.
Installing certbot and getting your certificate
This is now explained in Setting up certbot for use with UnrealIRCd. Be sure to follow the instructions there. Only continue reading below AFTER you have successfully set up certbot and acquired your first certificate.
Updating your listen blocks
Now that you have your Let's Encrypt certificate, we are going to update the listen { } blocks so UnrealIRCd will actually use the certificate and key file.
Most, if not all networks, have 1 SSL/TLS port open for users and this is 6697. So find this block in your unrealircd.conf:
/* Standard IRC SSL/TLS port 6697 */
listen {
ip *;
port 6697;
options { tls; };
};
And change it to make it use your Let's encrypt certificate. In this example we will assume your hostname (for the certificate) is irc.example.org. Naturally you must replace the name/path with your real certificate!:
/* Standard IRC SSL/TLS port 6697 */
listen {
ip *;
port 6697;
options { tls; };
tls-options {
certificate "/etc/letsencrypt/live/irc.example.org/fullchain.pem";
key "/etc/letsencrypt/live/irc.example.org/privkey.pem";
};
};
After this, /REHASH the IRC server. Ensure that it does not display any errors in ircd.log or on IRC when you rehash as an IRCOp.
Making sure it works
You could manually connect with an IRC client to the SSL/TLS port 6697. Have a look at the certificate to make sure that it is now trusted.
It is also a good idea to visit https://www.sslshopper.com/ssl-checker.html and enter there: irc.example.org:6697 (so the name of your IRC server followed by :6697). After the test it should show you many green checkmarks. See below for an example:
Setting up certbot for use with UnrealIRCd
Installing a recent certbot version
For this to work, we need certbot 0.29.0 or later. Unfortunately a lot of distros ship too old versions. So we uninstall the package first (ignore any errors) and fetch the latest one.
Run the following as root:
Ubuntu
This is for Ubuntu 18.04 LTS. It should also work on other Ubuntu versions.
# Uninstall existing package first, just ignore any errors: apt remove certbot # Now update an install the latest certbot apt-get update apt-get install software-properties-common add-apt-repository universe add-apt-repository ppa:certbot/certbot apt-get update apt-get install certbot
Debian
apt-get remove certbot-auto cd /root wget https://dl.eff.org/certbot-auto sudo mv certbot-auto /usr/local/bin/certbot-auto sudo chown root /usr/local/bin/certbot-auto sudo chmod 0755 /usr/local/bin/certbot-auto
Verifying certbot version
We need certbot 0.29.0 or newer, so double check:
# certbot --version certbot 0.31.0
If this is below 0.29.0 then go back and read the previous instructions. Certbot below 0.29.0 will not work as it will screw up permissions!
Acquire the certificate for the first time
Now you need to acquire a certificate for the first time: certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org
Naturally, replace irc.example.org with the name of your server!
Here is example output of a successful session:
root@irc:~# certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): syzop@example.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: a - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: n Obtaining a new certificate Performing the following challenges: http-01 challenge for irc.example.org Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/irc.example.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/irc.example.org/privkey.pem Your cert will expire on 2020-03-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le root@irc:~#
Using --webroot instead of --standalone
Acquire a certificate for the first time: certbot certonly --webroot --preferred-challenges http-01 -d irc.example.org
replace irc.example.org with the name of your server!
Here is example output of a successful session:
root@sisrv:~# certbot certonly --standalone --preferred-challenges http-0 1 -d irc.sisrv.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for irc.sisrv.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/irc.sisrv.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/irc.sisrv.net/privkey.pem
Your cert will expire on 2022-08-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Tweaking permissions on the key file
Right now you have a certificate and a key file, but only root can read these files. This is a problem as UnrealIRCd does not run as root but under a low privileged account. So we need to change the access permissions.
First of all, run the following:
chmod go+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/
Change the group ownership to the group of your irc user. In this case I have a user irc with group irc. So I do:
chown root:irc /etc/letsencrypt/live/irc.sisrv.net /etc/letsencrypt/archive/irc.sisrv.net/ -R
chmod g+r,o-rwx /etc/letsencrypt/live/irc.sisrv.net /etc/letsencrypt/archive/irc.sisrv.net/ -R
Now, your files will look like this:
root@sisrv:# ls -al /etc/letsencrypt/live/irc.sisrv.net/ total 12 drwxr-x--- 2 root irc 4096 Dec 16 12:10 . drwx--x--x 3 root root 4096 Dec 16 12:10 .. lrwxrwxrwx 1 root irc 40 Dec 16 12:10 cert.pem -> ../../archive/irc.sisrv.net/cert1.pem lrwxrwxrwx 1 root irc 41 Dec 16 12:10 chain.pem -> ../../archive/irc.sisrv.net/chain1.pem lrwxrwxrwx 1 root irc 45 Dec 16 12:10 fullchain.pem -> ../../archive/irc.sisrv.net/fullchain1.pem lrwxrwxrwx 1 root irc 43 Dec 16 12:10 privkey.pem -> ../../archive/irc.sisrv.net/privkey1.pem -rw-r----- 1 root irc 692 Dec 16 12:10 README root@sisrv:# ls -al /etc/letsencrypt/archive/irc.sisrv.net/ total 24 drwxr-x--- 2 root irc 4096 Dec 16 12:10 . drwx--x--x 3 root root 4096 Dec 16 12:10 .. -rw-r----- 1 root irc 1911 Dec 16 12:10 cert1.pem -rw-r----- 1 root irc 1647 Dec 16 12:10 chain1.pem -rw-r----- 1 root irc 3558 Dec 16 12:10 fullchain1.pem -rw-r----- 1 root irc 1708 Dec 16 12:10 privkey1.pem
This way only root and members of the irc group can read the key and certificate files.
Certbot 0.29.0 and later will remember this, so you don't need to chown/chmod them ever again.
Periodic certificate renewal
Your certificate will be renewed automatically after around 30 days (so way before the 90 days expiry). If there is something wrong with the certificate not renewing then you should receive email(s) about this from certbot a month from now.
