OpenSSL / Anope / certificate authority

Posted: Sun Dec 29, 2019 11:16 am
by Mystara
I'm having trouble with getting unreal 5.0.0 to accept a letsencrypt certificate presented by anope 2.0.7. The error being presented is: "Certificate is not issued by a trusted Certificate Authority"

I'm using the same certificate for https without issue. In fact, I'm actually using the same certificate for both unreal and anope, and unreal doesn't complain about the certificate when it is directly provided for it to use.

I've tried providing both fullchain.pem and cert.pem in anope, but both certificates produce the same error.

Looking at 'openssl verify' it seems there's no way to verify the fullchain. However, at the same time, there's no way for anope to provide the chain separately.

Any ideas?

Re: OpenSSL / Anope / certificate authority

Posted: Tue Dec 31, 2019 9:07 am
by Syzop
Could you give some pastes of the errors with more context? Like the full lines you see on IRC when they try to link (server names can be censored).

Re: OpenSSL / Anope / certificate authority

Posted: Tue Dec 31, 2019 9:13 am
by Mystara
Sure, but there isn't much:

[Sat Dec 28 19:02:46 2019] - Loading IRCd configuration..
[Sat Dec 28 19:02:46 2019] - Configuration loaded.
[Sat Dec 28 19:02:51 2019] - Link denied for 'services.xxxxx.com' (Certificate verification failed) [@xx.x.xxx.xxx.60900]
[Sat Dec 28 19:02:51 2019] - Reason for certificate verification failure: Certificate is not issued by a trusted Certificate Authority

Re: OpenSSL / Anope / certificate authority

Posted: Tue Dec 31, 2019 9:14 am
by Mystara
As I said, I tried manually verifying the certificate using CL 'openssl verify' and it produces the same result unless I separately provide the certificate and the chain. Providing both in a single file doesn't seem to work.
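The behaviour described in the post above can be reproduced without a real Let's Encrypt certificate. The script below is an added example, not code from the thread, from UnrealIRCd or from Anope: it builds a throwaway root, intermediate and leaf with the openssl CLI, writes a certbot-style fullchain.pem (leaf first, then intermediate), and then runs the three `openssl verify` invocations that matter. All file names, subjects (services.example.test) and the working directory are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the forum thread, UnrealIRCd or Anope): build a
# throwaway root -> intermediate -> leaf chain and show which `openssl verify`
# invocations accept the leaf. Names and subjects are constructed for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extensions for the two CA certificates and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:services.example.test\n' > leaf.ext

# Root CA: CSR, then self-signed with the CA extensions.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Root (constructed)" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA signed by the root (the role the Let's Encrypt intermediate plays).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate (constructed)" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf signed by the intermediate: this is what cert.pem holds.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=services.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# fullchain.pem as certbot writes it: leaf first, then the intermediate.
cat leaf.pem int.pem > fullchain.pem

# Each check exits 0 when openssl prints "OK" and non-zero otherwise.
# 1) Leaf alone against the root: the intermediate is nowhere to be found -> fails.
verify_leaf_only() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# 2) fullchain.pem as the target: `openssl verify` takes only the first certificate
#    in the file as the subject, so the intermediate behind it is ignored -> fails.
verify_fullchain_as_target() { openssl verify -CAfile root.pem fullchain.pem >/dev/null 2>&1; }
# 3) Leaf with the chain handed over as untrusted intermediates -> OK.
verify_with_untrusted() { openssl verify -CAfile root.pem -untrusted fullchain.pem leaf.pem >/dev/null 2>&1; }

report() { if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }
report verify_leaf_only
report verify_fullchain_as_target
report verify_with_untrusted
```

The third form is the one to use when checking a Let's Encrypt fullchain.pem by hand: `-untrusted` may point at the same file that is being verified, since only the intermediates in it are used to build the chain. A peer that receives the leaf without the intermediate, and has only root certificates in its trust store, is in the situation of check 1.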

Re: OpenSSL / Anope / certificate authority

Posted: Wed Jan 01, 2020 10:15 am
by Syzop
I see. I would trust the message that UnrealIRCd is giving, unless you fiddled with set::ssl / set::tls settings or cacert.pem. So I'm going to assume the error is correct.

So that would mean the issue is anope then. I don't think many people use SSL/TLS on anope and even fewer people with non-self-signed certificates. So I'm just saying that that part of their code may be undertested or underdocumented.

Perhaps you can verify with the anope guys that what you configured in anope is correct and is known to work?

Re: OpenSSL / Anope / certificate authority

Posted: Wed Jan 01, 2020 10:21 am
by Syzop
In addition to my previous comment, and I totally understand this works around the problem:
In the latest tutorial which I updated for UnrealIRCd 5 & Let's Encrypt we now recommend a dual certificate structure, so to say:
  • A Let's Encrypt certificate/key presented to clients (short term, changes every 30-90 days)
  • A long-term self-signed cert/keys used exclusively for server linking
There have always been 2 approaches to dealing with Let's Encrypt and server linking, both have upsides and downsides. Others and I are nowadays convinced that this is the best practice. You may consider that too for server linking, including your anope:
See this document: Using Let's Encrypt with UnrealIRCd.

In your case it would mean generating and using a self-signed certificate/key for anope, and using spkifp to verify them (as explained in Tutorial Linking servers, but I'm sure you are already familiar with it).
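The self-signed link certificate plus spkifp approach recommended above, as an added example that is not part of the post, the UnrealIRCd tutorials or Anope: the script creates a long-lived self-signed certificate/key pair for the services link and computes its SPKI fingerprint, which is the base64 encoding of the SHA-256 hash over the DER-encoded SubjectPublicKeyInfo (the same pin format HTTP Public Key Pinning used). The fingerprint is what goes into the `password "..." { spkifp; };` line of the UnrealIRCd link block. File names, the subject name and the config fragments printed at the end are assumptions for the illustration; check the Anope `ssl_openssl` option names against your own modules.conf.

```shell
#!/bin/sh
# Added example (not from the thread, UnrealIRCd or Anope): generate a long-lived
# self-signed cert/key for the services link and compute its SPKI fingerprint,
# the value UnrealIRCd's spkifp password matches on. File names are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Self-signed, ten years: it is pinned by its public key, not trusted via a CA,
# so the expiry only needs to be long enough that nobody has to rotate it often.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=services.example.test" -keyout link.key -out link.pem 2>/dev/null

# SPKI fingerprint: PEM cert -> PEM public key -> DER SubjectPublicKeyInfo
# -> SHA-256 -> base64 (44 characters).
spkifp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Cross-check: dump the DER via asn1parse instead of pkey, hash from a file,
# and base64 via `openssl enc`. Both routes must agree on the pin.
spkifp_alt() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl asn1parse -noout -inform PEM -out "$WORK/spki.der"
  openssl dgst -sha256 -binary "$WORK/spki.der" | openssl enc -base64
}

FP="$(spkifp link.pem)"
echo "spkifp for link.pem: $FP"

# What the two sides would be configured with (illustrative fragments only).
# UnrealIRCd link block (option names as in the UnrealIRCd 5 documentation):
cat <<EOF
link services.example.test {
	incoming { mask *; };
	password "$FP" { spkifp; };
	class servers;
};
EOF
# Anope side (assumed ssl_openssl module options; verify against your modules.conf):
#   module { name = "ssl_openssl"; cert = "link.pem"; key = "link.key"; }
```

Because the fingerprint is derived from the public key alone, re-issuing the certificate with the same key (for example to extend its validity) does not change the pin; only generating a new key does, at which point the link block on every peer must be updated.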