OpenSSL / Anope / certificate authority

Mystara
Posts: 3
Joined: Sun Dec 29, 2019 10:08 am

OpenSSL / Anope / certificate authority

Post by Mystara » Sun Dec 29, 2019 11:16 am

I'm having trouble with getting unreal 5.0.0 to accept a letsencrypt certificate presented by anope 2.0.7. The error being presented is: "Certificate is not issued by a trusted Certificate Authority"

I'm using the same certificate for https without issue. In fact, I'm actually using the same certificate for both unreal and anope, and unreal doesn't complain about the certificate when it is directly provided for it to use.

I've tried providing both fullchain.pem and cert.pem in anope, but both certificates produce the same error.

Looking at 'openssl verify' it seems there's no way to verify the fullchain. However, at the same time, there's no way for anope to provide the chain separately.

Any ideas?

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: OpenSSL / Anope / certificate authority

Post by Syzop » Tue Dec 31, 2019 9:07 am

Could you give some pastes of the errors with more context? Like the full lines you see on IRC when they try to link (server names can be censored).

Mystara
Posts: 3
Joined: Sun Dec 29, 2019 10:08 am

Re: OpenSSL / Anope / certificate authority

Post by Mystara » Tue Dec 31, 2019 9:13 am

Sure, but there isn't much:

[Sat Dec 28 19:02:46 2019] - Loading IRCd configuration..
[Sat Dec 28 19:02:46 2019] - Configuration loaded.
[Sat Dec 28 19:02:51 2019] - Link denied for 'services.xxxxx.com' (Certificate verification failed) [@xx.x.xxx.xxx.60900]
[Sat Dec 28 19:02:51 2019] - Reason for certificate verification failure: Certificate is not issued by a trusted Certificate Authority

Mystara
Posts: 3
Joined: Sun Dec 29, 2019 10:08 am

Re: OpenSSL / Anope / certificate authority

Post by Mystara » Tue Dec 31, 2019 9:14 am

As I said, I tried manually verifying the certificate using CL 'openssl verify' and it produces the same result unless I separately provide the certificate and the chain. Providing both in a single file doesn't seem to work.

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: OpenSSL / Anope / certificate authority

Post by Syzop » Wed Jan 01, 2020 10:15 am

I see. I would trust the message that UnrealIRCd is giving, unless you fiddled with set::ssl / set::tls settings or cacert.pem. So I'm going to assume the error is correct.

So that would mean the issue is anope then. I don't think many people use SSL/TLS on anope and even fewer people with non-self-signed certificates. So just saying that that part of their code may be undertested or underdocumented.

Perhaps you can verify with the anope guys that what you configured in anope is correct and is known to work?

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: OpenSSL / Anope / certificate authority

Post by Syzop » Wed Jan 01, 2020 10:21 am

In addition to my previous comment, and I totally understand this works around the problem:
In the latest tutorial which I updated for UnrealIRCd 5 & Let's Encrypt we now recommend a dual certificate structure, so to say:
  • A Let's Encrypt certificate/key presented to clients (short term, changes every 30-90 days)
  • A long-term self-signed cert/keys used exclusively for server linking
There have always been 2 approaches to dealing with Let's Encrypt and server linking, both have up and downsides. Me and others are nowadays convinced that this is the best practice. You may consider that too for server linking, including your anope:
See this document: Using Let's Encrypt with UnrealIRCd.

In your case it would mean generating and using a self-signed certificate/key for anope, and using spkifp to verify them (as explained in Tutorial Linking servers, but I'm sure you are already familiar with it).
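A worked version of the dual-certificate approach above, added here as an example and not code from the thread, UnrealIRCd or Anope: it generates the long-term self-signed cert/key for the services link and computes the SPKI fingerprint to pin in the link block, in the base64(SHA-256(DER SubjectPublicKeyInfo)) form. File paths and the CN are placeholders; reissuing with the same key is shown to leave the fingerprint unchanged, which is why spkifp pinning survives a certificate renewal as long as the key is kept.

```shell
#!/bin/sh
# Added example (not from the thread): long-term self-signed cert/key for
# the services link, plus the SPKI fingerprint that UnrealIRCd's spkifp pins.
set -eu

# Generate a fresh key ($1) and self-signed cert ($2), valid ~10 years.
# The CN is illustrative; nothing verifies it when pinning by SPKI.
gen_link_cert() {
    key=$1; crt=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=services.example.invalid" \
        -keyout "$key" -out "$crt" 2>/dev/null
}

# SPKI fingerprint: base64(SHA-256(DER SubjectPublicKeyInfo)).
# This hashes the public key only, not the certificate, so issuer,
# validity dates and any chain are irrelevant to the pin.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# Reissue a cert for an existing key ($1) into $2: what a renewal of the
# self-signed link cert looks like when the key is kept.
reissue_cert() {
    key=$1; crt=$2
    openssl req -x509 -new -key "$key" -days 3650 \
        -subj "/CN=services.example.invalid" -out "$crt" 2>/dev/null
}
```

Put the printed fingerprint in the link block's spkifp value on the UnrealIRCd side and point anope at the generated cert/key; the fingerprint only changes if the key does.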
