Can't get Set::TLS::Certificate to work

Tristan
Posts: 2
Joined: Tue Feb 23, 2021 6:34 pm

Can't get Set::TLS::Certificate to work

Post by Tristan »

I've either misunderstood how this works, or I've done something wrong that I cannot see, but I'm stuck.

I'm setting up a new 5.0.8 server and trying to configure TLS with SNI to support both irc.domain.org and subdomain.domain.org. I can add a tls-options section to the listen block and it works fine, although obviously not with SNI.

Code:

listen {
        ip *;
        port 6697;
        options { tls; }
        tls-options {
                certificate "/etc/letsencrypt/live/subdomain.domain.org/fullchain.pem";
                key "/etc/letsencrypt/live/subdomain.domain.org/privkey.pem";
        };
}

connects fine and presents me with the expected certificate, as does the irc.domain.org variant (although obviously not at the same time).

However I don't appear to be able to override the default certificate via Set::TLS::*, so

Code:

set {
        tls {
                certificate "/etc/letsencrypt/live/irc.domain.org/fullchain.pem";
                key "/etc/letsencrypt/live/irc.domain.org/privkey.pem";
        };
};

sni subdomain.domain.org {
        tls-options {
                certificate "/etc/letsencrypt/live/subdomain.domain.org/fullchain.pem";
                key "/etc/letsencrypt/live/subdomain.domain.org/privkey.pem";
        };
};

listen {
        ip *;
        port 6697;
        options { tls; }
}

gives me the self-signed certificate from unrealircd-5.0.8/conf/tls. configtest doesn't report any errors, but it also doesn't seem to care if I break the config - set::tls::certficate is also accepted perfectly happily (listen::tls-options::certficate is not) so I can't rule out a syntax error. I copied from the documentation at https://www.unrealircd.org/docs/Sni_block though and it looks correct.

I've tried removing the sni block, moving the set block before the listen block, moving it after, moving the certificates into the conf/tls directory, and so on without effect. As far as I can tell, the Set::TLS::* block is just ignored, and with it ignored the SNI block is as well.

I can't find anything in the documentation, forums, or bug reports so have I misunderstood what the point of the Set::TLS block is, or is there something obvious that I've done wrong?

Thanks
Tristan
Posts: 2
Joined: Tue Feb 23, 2021 6:34 pm

Re: Can't get Set::TLS::Certificate to work

Post by Tristan »

Right, forget all of that. The blindingly obvious mistake I've made doesn't actually show up in the code I've quoted above, it shows up in the line immediately before.

Code:

/* TLS Configuration

set {
    tls {
        certificate "/etc/letsencrypt/live/irc.domain.org/fullchain.pem";
        key "/etc/letsencrypt/live/irc.domain.org/privkey.pem";
    };
};

with the result that if you miss closing your comment, then you comment out your configuration up until the next comment. At which point all of your configuration will be ignored, as by design.

Complete failure on my part.
CrazyCat
Posts: 214
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: Can't get Set::TLS::Certificate to work

Post by CrazyCat »

LOL!
I'm not laughing at you, but it's a common mistake when editors don't do syntax highlighting or do it badly.

I already had troubles like this, and it's sometimes the hardest to find because we never check our comments :)
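A check for the mistake described in this thread, as an added example that is not part of the original posts or of UnrealIRCd: it scans a config for `/*` comments that are never closed or that run on into a later `/*`, and lists the blocks they hide. The function name and the sample config are constructed for illustration, and it assumes comments are `/* */`, `//` and `#` and strings are double-quoted.

```python
import re

# Constructed sample modelled on the snippets in the thread: the first comment is
# missing its "*/", so everything up to the next comment's "*/" is swallowed.
SAMPLE = '''/* TLS Configuration

set {
    tls {
        certificate "/etc/letsencrypt/live/irc.domain.org/fullchain.pem";
    };
};

/* Listeners */
listen { ip *; port 6697; options { tls; } }
'''

BLOCK_OPEN = re.compile(r'^[ \t]*([\w-]+)[^\n{;]*\{', re.M)  # "name ... {" at line start

def find_comment_problems(text):
    """Return (start_line, kind, swallowed_block_names) per suspicious /* comment."""
    problems, i, line, n = [], 0, 1, len(text)
    while i < n:
        if text[i] == '"':                              # quoted string: skip it whole
            end = i + 1
            while end < n and text[end] != '"':
                end += 2 if text[end] == '\\' else 1
            line += text.count('\n', i, end)
            i = end + 1
        elif text[i] == '#' or text.startswith('//', i):  # line comment: skip to EOL
            eol = text.find('\n', i)
            i = n if eol == -1 else eol
        elif text.startswith('/*', i):
            close = text.find('*/', i + 2)
            body = text[i + 2:n if close == -1 else close]
            kind = 'unterminated' if close == -1 else 'nested-open' if '/*' in body else None
            if kind:
                problems.append((line, kind, BLOCK_OPEN.findall(body)))
            line += body.count('\n')
            i = n if close == -1 else close + 2
        else:
            line += text[i] == '\n'
            i += 1
    return problems

if __name__ == '__main__':
    for start, kind, blocks in find_comment_problems(SAMPLE):
        print(f'line {start}: {kind} comment hides blocks: {", ".join(blocks) or "none"}')
```

Running such a check before a rehash makes a silently ignored `set` block visible even when the config test itself reports no errors.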