ssl error

Posted: Tue Aug 04, 2020 10:30 pm
by s7ntax
I am getting this error after adding the tls-options line to this block

listen::tls-options specified without a value

Code: Select all

/* Standard IRC SSL/TLS port 6697 */
listen {
        ip *;
        port 6697;
        options { ssl; };
        tls-options {
                certificate "/etc/letsencrypt/live/irc.arpradio.com/fullchain.pem";
                key "/etc/letsencrypt/live/irc.arpradio.com/privkey.pem";
        };
};
The same error occurs when I use ssl-options. Also, if I change options { ssl; }; to options { tls; }; it gives an error.

I used the information on this page as a reference https://www.unrealircd.org/docs/Using_L ... UnrealIRCd

Re: ssl error

Posted: Tue Aug 04, 2020 10:33 pm
by westor
What is your UnrealIRCd version?

Re: ssl error

Posted: Wed Aug 05, 2020 6:47 pm
by PeGaSuS
1. In UnrealIRCd 5.x the "ssl" word has been changed to "tls".
So, it is something like:

Code: Select all

listen {
        ip *;
        port 6697;
        options { tls; };
        tls-options {
                certificate "/etc/letsencrypt/live/irc.arpradio.com/fullchain.pem";
                key "/etc/letsencrypt/live/irc.arpradio.com/privkey.pem";
        };
};
2. Be sure that the user that runs the IRCd can read the files (usually they can't).
If that's the case, you have two options to grant the user that ability:
2.1)

Code: Select all

chmod -R 755 /etc/letsencrypt/
2.2)

Code: Select all

setfacl -R -m u:USER:r /etc/letsencrypt/live/sub.domain.tld
Small explanation about the commands above: the former will allow ANY user to read the files under the /etc/letsencrypt/ directory, although they can't modify them.
The latter allows ONLY the specified user to read the files under /etc/letsencrypt/live/sub.domain.tld and disallows any kind of editing.

Hope this helps.

Cheers

Re: ssl error

Posted: Thu Aug 06, 2020 9:06 pm
by s7ntax
Hi, I am running UnrealIRCd-4.0.1

I tried the first chmod and it still doesn't work, same error.

Re: ssl error

Posted: Fri Aug 07, 2020 10:24 pm
by s7ntax
I will upgrade to 5 and see if this fixes the issue

Re: ssl error

Posted: Tue Aug 18, 2020 1:06 am
by katsklaw
PeGaSuS wrote: Wed Aug 05, 2020 6:47 pm 2.2)

Code: Select all

setfacl -R -m u:USER:r /etc/letsencrypt/live/sub.domain.tld
Actually, that would be u:user:rx since you are affecting a directory. The x or exec flag works differently on directories than on files. x on a directory allows the user to "stat" or get the contents of the directory, which is required to be able to read from the directory. Then u:user:r on only the .pem files in question would be the most secure.

Code: Select all

setfacl -m u:USER:rx /etc/letsencrypt/live/sub.domain.tld
setfacl -m u:USER:r /etc/letsencrypt/live/sub.domain.tld/fullchain.pem
setfacl -m u:USER:r /etc/letsencrypt/live/sub.domain.tld/privkey.pem
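
Added example, not part of any post in this thread: a small audit for the two permission approaches discussed above. The function names are hypothetical, GNU `readlink -f` and `stat -c` are assumed, and only the "other" mode bits are evaluated, not ACL entries.

```shell
#!/bin/sh
# Added example. It evaluates only the "other" mode bits; ACL entries granted
# with setfacl are not visible here (use getfacl for those).

# first_other_block FILE [BASE]
# Resolve symlinks (certbot's live/*.pem point into ../../archive/), then walk
# every path component below BASE (default /). Print the first component a user
# outside the owner and group cannot pass: a directory without o+x or a file
# without o+r. Print nothing if all components are open.
first_other_block() {
    target=$(readlink -f -- "$1") || return 2
    base=$(readlink -f -- "${2:-/}") || return 2
    base=${base%/}
    case $target in "$base"/*) ;; *) return 2 ;; esac
    rest=${target#"$base"/}
    path=$base
    old_ifs=$IFS; IFS=/; set -f
    set -- $rest
    set +f; IFS=$old_ifs
    for part in "$@"; do
        path="$path/$part"
        mode=$(stat -c %a -- "$path") || return 2
        other=${mode#"${mode%?}"}          # last octal digit = "other" class
        if [ -d "$path" ]; then need=1; else need=4; fi   # x on dirs, r on files
        if [ $((other & need)) -eq 0 ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
}

# world_readable_keys DIR
# List private-key files whose mode lets every local account read them, the
# state a recursive chmod 755 leaves behind.
world_readable_keys() {
    find "$1" -type f -name 'privkey*.pem' -perm -004
}
```

Any path printed by `world_readable_keys /etc/letsencrypt` is a private key that every local account can read.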