Using Let's Encrypt with UnrealIRCd

Let's Encrypt is an initiative which allows you to get a real certificate for your server. That is, a certificate from a trusted Certificate Authority. By using Let's Encrypt with UnrealIRCd and having your users on SSL/TLS you make your IRC network safer.

The goal

After this guide you will have a dual certificate setup:

  • Clients will connect to your server and see the Let's Encrypt certificate (from /etc/letsencrypt/...). That way they will see a "real certificate" that is validated by trusted certificate authority
  • Server-to-server connections will use the self-signed certificates (from ~/unrealircd/conf/tls/server...). This makes things easy for server linking since the certificate/keys will stay the same (and not change every 30-90 days).

Requirements

This tutorial is written for *NIX. Perhaps one day someone could expand it for Windows (if possible).

The Let's Encrypt installation as described in this tutorial requires root access. We will assume you are running UnrealIRCd on a VPS and you have root access, this is after all the most common situation. Be sure to do all the things in this tutorial as root. Become root now by using sudo -i or whatever command or login method you normally use to become root.

Let's Encrypt requires you to setup a number of things and will issue you 90-day certificate. Getting the certificate for the first time requires some manual labor. After this, you will setup automatic renewal.

Installing certbot and getting your certificate

This is now explained in Setting up certbot for use with UnrealIRCd. Be sure to follow the instructions there. Only continue reading below AFTER you have successfully set up certbot and acquired your first certificate.

Updating your listen blocks

Now that you have your Let's Encrypt certificate, we are going to update the listen { } blocks so UnrealIRCd will actually use the certificate and key file.

Most, if not all networks, have 1 SSL/TLS port open for users and this is 6697. So find this block in your unrealircd.conf:

/* Standard IRC SSL/TLS port 6697 */
listen {
        ip *;
        port 6697;
        options { tls; };
};

And change it to make it use your Let's encrypt certificate. In this example we will assume your hostname (for the certificate) is irc.example.org. Naturally you must replace the name/path with your real certificate!:

/* Standard IRC SSL/TLS port 6697 */
listen {
        ip *;
        port 6697;
        options { tls; };
        tls-options {
                certificate "/etc/letsencrypt/live/irc.example.org/fullchain.pem";
                key "/etc/letsencrypt/live/irc.example.org/privkey.pem";
        };
};

After this, /REHASH the IRC server. Ensure that it does not display any errors in ircd.log or on IRC when you rehash as an IRCOp.

Making sure it works

You could manually connect with an IRC client to the SSL/TLS port 6697. Have a look at the certificate to make sure that it is now trusted.

It is also a good idea to visit https://www.sslshopper.com/ssl-checker.html and enter there: irc.example.org:6697 (so the name of your IRC server followed by :6697). After the test it should show you many green checkmarks. See below for an example:

Setting up certbot for use with UnrealIRCd

Installing a recent certbot version

For this to work, we need certbot 0.29.0 or later. Unfortunately a lot of distros ship too old versions. So we uninstall the package first (ignore any errors) and fetch the latest one.

Run the following as root:

Ubuntu

This is for Ubuntu 18.04 LTS. It should also work on other Ubuntu versions.

# Uninstall existing package first, just ignore any errors:
apt remove certbot
# Now update an install the latest certbot
apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Debian

apt-get remove certbot-auto
cd /root
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

Verifying certbot version

We need certbot 0.29.0 or newer, so double check:

# certbot --version
certbot 0.31.0

If this is below 0.29.0 then go back and read the previous instructions. Certbot below 0.29.0 will not work as it will screw up permissions!

Acquire the certificate for the first time

Now you need to acquire a certificate for the first time: certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org
Naturally, replace irc.example.org with the name of your server!

Here is example output of a successful session:

root@irc:~# certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): syzop@example.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for irc.example.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/irc.example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/irc.example.org/privkey.pem
   Your cert will expire on 2020-03-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@irc:~#

Using --webroot instead of --standalone

Acquire a certificate for the first time: certbot certonly --webroot --preferred-challenges http-01 -d irc.example.org
replace irc.example.org with the name of your server!

Here is example output of a successful session:

root@sisrv:~# certbot certonly --standalone --preferred-challenges http-0                                                                             1 -d irc.sisrv.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for irc.sisrv.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/irc.sisrv.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/irc.sisrv.net/privkey.pem
   Your cert will expire on 2022-08-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Tweaking permissions on the key file

Right now you have a certificate and a key file, but only root can read these files. This is a problem as UnrealIRCd does not run as root but under a low privileged account. So we need to change the access permissions.

First of all, run the following:

chmod go+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Change the group ownership to the group of your irc user. In this case I have a user irc with group irc. So I do:

chown root:irc /etc/letsencrypt/live/irc.sisrv.net /etc/letsencrypt/archive/irc.sisrv.net/ -R
chmod g+r,o-rwx /etc/letsencrypt/live/irc.sisrv.net /etc/letsencrypt/archive/irc.sisrv.net/ -R

Now, your files will look like this:

root@sisrv:# ls -al /etc/letsencrypt/live/irc.sisrv.net/
total 12
drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
drwx--x--x 3 root root 4096 Dec 16 12:10 ..
lrwxrwxrwx 1 root irc    40 Dec 16 12:10 cert.pem -> ../../archive/irc.sisrv.net/cert1.pem
lrwxrwxrwx 1 root irc    41 Dec 16 12:10 chain.pem -> ../../archive/irc.sisrv.net/chain1.pem
lrwxrwxrwx 1 root irc    45 Dec 16 12:10 fullchain.pem -> ../../archive/irc.sisrv.net/fullchain1.pem
lrwxrwxrwx 1 root irc    43 Dec 16 12:10 privkey.pem -> ../../archive/irc.sisrv.net/privkey1.pem
-rw-r----- 1 root irc   692 Dec 16 12:10 README
root@sisrv:# ls -al /etc/letsencrypt/archive/irc.sisrv.net/
total 24
drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
drwx--x--x 3 root root 4096 Dec 16 12:10 ..
-rw-r----- 1 root irc  1911 Dec 16 12:10 cert1.pem
-rw-r----- 1 root irc  1647 Dec 16 12:10 chain1.pem
-rw-r----- 1 root irc  3558 Dec 16 12:10 fullchain1.pem
-rw-r----- 1 root irc  1708 Dec 16 12:10 privkey1.pem

This way only root and members of the irc group can read the key and certificate files.

Certbot 0.29.0 and later will remember this, so you don't need to chown/chmod them ever again.

Periodic certificate renewal

Your certificate will be renewed automatically after around 30 days (so way before the 90 days expiry). If there is something wrong with the certificate not renewing then you should receive email(s) about this from certbot a month from now.

  • unrealircd cron, Let's Encrypt, certificate renewal, letsencrypt
  • 205 Kunder som kunne bruge dette svar
Hjalp dette svar dig?

Relaterede artikler

Upgrading from UnrealIRCd 4 to UnrealIRCd 5

Upgrading from UnrealIRCd 4.x to UnrealIRCd 5.x is really easy, there are almost no configuration...

How to install UnrealIRCd modules

UnrealIRCd has a module manager which allows you to install, update and uninstall 3rd party...

UnrealIRCd FAQ

Is UnrealIRCd suitable for me? UnrealIRCd is a highly advanced and customizable IRC daemon. It...

How to install UnrealIRCd 5

To install UnrealIRCd on Linux, FreeBSD, OpenBSD, OS X and other *NIX systems you generally...

How to link Unrealircd servers

This page explains how to link two (or more) UnrealIRCd servers securely so you have a...

Powered by WHMCompleteSolution