Using Let's Encrypt with UnrealIRCd

If your UnrealIRCd is up and running but you have a question about it, then use this forum.
(NOT for installation or connecting issues! Use the other forum instead.)

Moderator: Supporters

Post Reply
Syzop
UnrealIRCd head coder
Posts: 1808
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Using Let's Encrypt with UnrealIRCd

Post by Syzop » Fri Sep 08, 2017 6:00 am

There's a new tutorial Using Let's Encrypt with UnrealIRCd. This will walk you through the procedure to acquire an SSL certificate from a trusted Certificate Authority.

If you have any feedback regarding this, feel free to use this thread (provided this won't get out of hand :D) or start a new thread.

The_Myth
Posts: 25
Joined: Tue Jun 27, 2017 4:42 pm

Re: Using Let's Encrypt with UnrealIRCd

Post by The_Myth » Fri Sep 08, 2017 10:35 am

Worth to mention that Let's Encrypt Will probably support wildcard certificates in January, 2018 (no specific date provided yet).

When I have a few more spare time I'll provide a tutorial to use Apache to grab the certificate from. Let's Encrypt (since the majority of the persons do run a web server).
PeGaSuS

HeXiLeD
Posts: 31
Joined: Mon Jan 16, 2017 8:07 pm
Location: online

Re: Using Let's Encrypt with UnrealIRCd

Post by HeXiLeD » Fri Sep 08, 2017 12:57 pm

Worth to mention that Let's Encrypt Will probably support wildcard certificates in January, 2018
Everything points to yes.

@ Syzop
The tutorial and script is very nice. However from experience with apache and nginx at some point I had to make my own scripts to overcome some issues with certbot and a very custom way to use the certs to prevent the keys to possibly be grabbed by third parties (such has vps or dedicated hosting services) as well as SNI httpd setups and having to stop httpd's to renew certs and so on. CertBOT has an easy implementation but it hits the curve fast.

I would recommend looking into dns-01 -based verification (and the register provider api) which right away avoids touching anything doing with web servers, works a lot better with SNI and how certificates are distributed across the links.

I've been using the acme.sh client to manage all the certs. A few small scripts to copy the certs to where they should be placed and cron jobs run it all, one operation after the other.

Example goes like this:

Code: Select all

1: cron job executes acme.sh for renewal
2: X time later cron job executes script to copy certificates to all needed locations of the operating system (including unrealircd)
3: Right after unreal is rehashed by cron (this can be set in step 2)
4: for sni records another cron job SCP's the cert to remote machines proper unrealircd paths and step 2 and 3 are accordingly repeated.
No need to run or touch any httpd's in any machines. Avoids a lot of hassle
Constructive criticism leads to evolution and progress. Negative criticism leads to obsolescence. We should not be living in 1990s irc management & developing standards just because it was cool.

Syzop
UnrealIRCd head coder
Posts: 1808
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: Using Let's Encrypt with UnrealIRCd

Post by Syzop » Fri Sep 08, 2017 5:35 pm

Thanks for the feedback. Let's Encrypt offers a number of options, allowing everyone to choose what options is best for his/her case.
In case you wonder, I made specific choices for the common (and preferable) situation where an IRC server is hosted on a VPS without other services like an http(s) server.

On a personal note, I'm aware and not a fan of dns-01. Most providers don't have fine-grained access control so granting API access to DNS then means the whole zone. I wouldn't want to run a client that has API access to modify all records in the unrealircd.org domain for instance. If that machine then gets hacked an attacker controls the entire domain. But like I said, everyone can make their own decision. My risk assessment may be different than your risk assessment. Your message got me thinking that we should at least mention it in the "Note on Round Robin DNS" section. Done so now. Thanks!

Post Reply