Can't get Set::TLS::Certificate to work

Posted: Tue Feb 23, 2021 7:08 pm
by Tristan
I've either misunderstood how this works, or I've done something wrong that I cannot see, but I'm stuck.

I'm setting up a new 5.0.8 server and trying to configure TLS with SNI to support both irc.domain.org and subdomain.domain.org. I can add a tls-options section to the listen block and it works fine, although obviously not with SNI

listen {
        ip *;
        port 6697;
        options { tls; }
        tls-options {
                certificate "/etc/letsencrypt/live/subdomain.domain.org/fullchain.pem";
                key "/etc/letsencrypt/live/subdomain.domain.org/privkey.pem";
        };
}
connects fine and presents me with the expected certificate, as does the irc.domain.org variant (although obviously not at the same time).

However I don't appear to be able to override the default certificate via Set::TLS::*, so

set {
        tls {
                certificate "/etc/letsencrypt/live/irc.domain.org/fullchain.pem";
                key "/etc/letsencrypt/live/irc.domain.org/privkey.pem";
        };
};

sni subdomain.domain.org {
        tls-options {
                certificate "/etc/letsencrypt/live/subdomain.domain.org/fullchain.pem";
                key "/etc/letsencrypt/live/subdomain.domain.org/privkey.pem";
        };
};

listen {
        ip *;
        port 6697;
        options { tls; }
}
gives me the self-signed certificate from unrealircd-5.0.8/conf/tls. configtest doesn't report any errors, but it also doesn't seem to care if I break the config - set::tls::certficate is also accepted perfectly happily (listen::tls-options::certficate is not), so I can't rule out a syntax error. I copied from the documentation at https://www.unrealircd.org/docs/Sni_block though, and it looks correct.

I've tried removing the sni block, moving the set block before the listen block, moving it after, moving the certificates into the conf/tls directory, and so on without effect. As far as I can tell, the Set::TLS::* block is just ignored, and with it ignored the SNI block is as well.

I can't find anything in the documentation, forums, or bug reports, so have I misunderstood what the point of the Set::TLS block is, or is there something obvious that I've done wrong?

Thanks

Re: Can't get Set::TLS::Certificate to work

Posted: Wed Feb 24, 2021 4:12 pm
by Tristan
Right, forget all of that. The blindingly obvious mistake I've made doesn't actually show up in the code I've quoted above, it shows up in the line immediately before.

/* TLS Configuration

set {
    tls {
        certificate "/etc/letsencrypt/live/irc.domain.org/fullchain.pem";
        key "/etc/letsencrypt/live/irc.domain.org/privkey.pem";
    };
};
with the result that if you miss closing your comment, then you comment out your configuration up until the next comment. At which point all of your configuration will be ignored, as by design.

Complete failure on my part.
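A small checker for exactly this failure mode, added here as an example and not code from the post or from UnrealIRCd: it consumes `/* ... */` comments the way a C-style lexer does (an unclosed opener runs to the next `*/`, or to end of file) and reports any block openers that ended up inside a comment. The config is constructed from the thread; the checker deliberately ignores other comment styles and quoted strings, so treat a hit as something to look at, not proof.

```python
import re

# Constructed sample of the thread's config: "/* TLS Configuration" is never
# closed, so it runs until the "*/" of the next comment and hides the set block.
SAMPLE_CONF = """\
/* TLS Configuration

set {
    tls {
        certificate "/etc/letsencrypt/live/irc.domain.org/fullchain.pem";
        key "/etc/letsencrypt/live/irc.domain.org/privkey.pem";
    };
};

/* Listener */
listen {
    ip *;
    port 6697;
    options { tls; }
}
"""

# A line that opens a block: a keyword, an optional argument, then "{".
BLOCK_OPENER = re.compile(r"^\s*[A-Za-z][\w:-]*(\s+\S+)?\s*\{")


def swallowed_blocks(conf):
    """Return [(open_line, close_line_or_None, [swallowed block openers])]."""
    findings, pos = [], 0
    while True:
        start = conf.find("/*", pos)
        if start == -1:
            return findings
        end = conf.find("*/", start + 2)          # -1 means unclosed at EOF
        body_end = len(conf) if end == -1 else end
        open_line = conf.count("\n", 0, start) + 1
        close_line = None if end == -1 else conf.count("\n", 0, end) + 1
        body = conf[start + 2:body_end]
        hidden = [ln.strip() for ln in body.splitlines() if BLOCK_OPENER.match(ln)]
        findings.append((open_line, close_line, hidden))
        pos = body_end + 2                         # resume after the "*/"


def lint(conf):
    """One message per comment that hides configuration blocks."""
    problems = []
    for open_line, close_line, hidden in swallowed_blocks(conf):
        if hidden:
            where = "EOF" if close_line is None else f"line {close_line}"
            problems.append(f"comment opened on line {open_line} runs to {where} "
                            f"and hides: {', '.join(hidden)}")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONF):
        print(problem)
```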

Re: Can't get Set::TLS::Certificate to work

Posted: Wed Feb 24, 2021 10:50 pm
by CrazyCat
LOL !
I'm not laughing at you, but it's a common mistake when editors don't do syntax highlighting or make it badly.

I already had troubles like this, and it's sometimes the hardest to find because we never check our comments :)