Let's Encrypt support (free SSL certificates)

Posted: Thu Dec 03, 2015 8:44 pm
by Alucard
First, my question: I'm using Unreal 3.2.10.4. Is there a way I can run an equivalent of "/rehash -ssl" from the Linux command line? ./unreal rehash and ./unreal rehash -ssl do not appear to do that.

As many of you have heard, Let's Encrypt is now in public beta and offering FREE SSL certificates.
Rather than using the official client that (currently) requires root and makes a lot of assumptions about your Web server, I used this tool and the Web server already running on the same domain as my IRCd to just generate a certificate. That was successful, and with a manual /rehash -ssl, I was able to connect over SSL.
LE certs expire every 90 days (this process is meant to be automatable). I can (easily) automate everything but the /rehash -ssl command. Is there a command-line equivalent (not restart) or do I have to script a connect-oper-rehash?

Re: Let's Encrypt support (free SSL certificates)

Posted: Fri Dec 04, 2015 11:00 am
by Syzop
To answer your question: right now this is not possible, but you can request the feature at http://bugs.unrealircd.org/ especially when you feel it will be useful to others too.

Re: Let's Encrypt support (free SSL certificates)

Posted: Fri Dec 04, 2015 7:43 pm
by Alucard
Thanks. I was able to automate this with the aforementioned acme_tiny.py and a script that connects, opers, and rehashes.

Next question: what's the minimum required level/permission to do /rehash -ssl? For testing I tried an oper with just can_rehash (full flags rGHq) and got the following:

 << REHASH
 >> :alderaan 382 DeathStarLaser unrealircd.conf :Rehashing
 >> :alderaan NOTICE DeathStarLaser :*** Notice -- Loading IRCd configuration ..
 >> :alderaan NOTICE DeathStarLaser :*** Notice -- Configuration loaded without any problems ..
 << REHASH -ssl
 >> :alderaan 481 DeathStarLaser :Permission Denied- You do not have the correct IRC operator privileges

Re: Let's Encrypt support (free SSL certificates)

Posted: Tue Mar 08, 2016 2:59 pm
by Alucard
Updates:

Unreal 4.0.1 brings ./unrealircd reloadtls, which means no more having to script an IRC connection and have it oper up just to reload the certs.

On the topic of Let's Encrypt, one of the gotchas was that, if you wanted each leaf's hostname on the/a cert, you needed control over an HTTP server running on each leaf, and if you wanted your round robin (irc.example.com) on the cert, you needed some export/mount trickery (due to you not knowing which IP Let's Encrypt will get for the round robin). That's all solved by the addition of the dns-01 challenge. If you have control over your DNS, you can get arbitrary hostnames / Subject Alternate Names on your certs. I used letsencrypt.sh after moving my DNS (only) to CloudFlare (because it has a good API supported by letsencrypt.sh, and is free) and was able to get one certificate with SANs for every leaf and round robin, even though I do not have control over the Web server on every leaf.
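Added example, not from the thread or the UnrealIRCd project: once the renewed certificate is in place and `./unrealircd reloadtls` has run, the thing worth checking is that the listener actually presents the new certificate, since a failed reload silently leaves the old one serving until it expires. This script connects to the TLS port and checks the presented SANs and expiry; the hostnames, port and 30-day margin are assumed placeholders.

```python
"""Post-renewal check for an UnrealIRCd TLS listener (hypothetical helper).

Assumes the renewed Let's Encrypt certificate was written to the path the IRCd
reads and `./unrealircd reloadtls` was already run; this only verifies the result.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # LE certs last 90 days; anything closer than this is stale


def cert_sans(peercert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return {value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"}


def cert_not_after(peercert):
    """Parse getpeercert()'s notAfter ('Mar  8 14:59:00 2016 GMT') to an aware datetime."""
    secs = ssl.cert_time_to_seconds(peercert["notAfter"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def check_cert(peercert, expected_hosts, now):
    """Return a list of problems; an empty list means the reload took effect."""
    problems = []
    missing = set(expected_hosts) - cert_sans(peercert)
    if missing:
        problems.append("missing SANs: " + ", ".join(sorted(missing)))
    days_left = (cert_not_after(peercert) - now).days
    if days_left < RENEW_BEFORE_DAYS:
        problems.append(f"expires in {days_left} days; reloadtls may not have loaded the new cert")
    return problems


def fetch_peercert(host, port, timeout=5.0):
    """TLS-connect like a client would (system CA store) and return the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host, port = "irc.example.com", 6697          # placeholder round robin and TLS port
    expected = ["irc.example.com", "leaf1.example.com"]  # placeholder SANs on the LE cert
    found = check_cert(fetch_peercert(host, port), expected, datetime.now(timezone.utc))
    print("\n".join(found) or "certificate OK")
    sys.exit(1 if found else 0)
```

Run it from cron right after the renewal and reload step; a non-zero exit means the reload needs attention before the old certificate runs out.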