That module sounds very nice!
One question related to the ssl cert thing. If I'm using a free ssl cert service like Let's Encrypt, I have to renew the cert every ~60 days. Is it necessary to restart the unrealircd or reload the module in this case?
Websocket & SSL certs
Re: Websocket
Another question. Is it possible to use a separate ssl cert only for the websocket, or do I have to use one ssl cert for the whole unrealircd?
Sorry for double posting. :/
Re: Websocket
If you set up a dedicated port for your websocket connections, so a listen { } block, then you can use listen::ssl-options to use a specific certificate. See the Listen block documentation (in particular the ssl-options section).
Re: Websocket
Thanks for your reply. Is it possible to reload only a specific ssl cert with the "reload tls" command? If I would use an extra cert for the websocket (for example Let's Encrypt), it would be better if I could reload only that ssl cert instead of reloading ALL ssl certs my irc is using.
Re: Websocket
It's not possible to reload specific certificates. But there should be no need. Reloading a certificate should be harmless for both new and existing users.
(Well, unless you replaced the certificate with some incorrect certificate of course.. then new users won't be able to connect, but that's only logical :D)
Re: Websocket
Thank you again. As far as I know, the existing users will be disconnected if the ssl cert is changed (which will happen if Let's Encrypt is used).
My plan is to use Let's Encrypt for one port (websocket) and a self-signed cert for another port. If the "reload tls" command doesn't affect the self-signed cert and users won't be disconnected, it should be fine.
The websocket feature looks very good, but I wasn't sure about the ssl cert thing. Because my site uses ssl, I need a trusted ssl certificate or all browsers will reject the websocket chat. :/
Re: Websocket
"As far as I know, the existing users will be disconnected"
What is that based on? Speculation?
I mean, I know how I coded it. It will only refresh the SSL_CTX for new connections.
And I and many users have been using this feature for years now, without any such issues. I used it as recently as a week ago on 3 servers.
I would suggest using the certificate on all ports. Then non-webirc IRC users can also benefit from a "proper" certificate :)
Re: Websocket & SSL certs
I tried the websocket module with a Let's Encrypt cert, but it looks like unreal ignores the extra websocket cert. I'm running unrealircd version 4.0.14 with the following websocket config part for the ssl cert:
Code:
listen {
    ip *;
    port 12345;
    options { ssl; };
    ssl-options {
        certificate "sslcert/server.cert.pem";
        key "sslcert/server.key.pem";
        options { no-client-certificate; };
    };
};
On the reloadtls command the cert is recognized, because there is an error message if the permissions are incorrect. Nevertheless it's not possible to connect to the websocket (port in firewall is open) and I don't know why.
Re: Websocket & SSL certs
Sorry, I posted the wrong config part.
This is the correct part:
Code:
listen {
    ip *;
    port 12345;
    options { ssl; };
    ssl-options {
        certificate "/path/to/letsencrypt/fullchain.pem";
        key "/path/to/letsencrypt/privkey.pem";
        options { no-client-certificate; };
    };
};
A check via openssl s_client to the websocket port reveals that the websocket's specific cert options are ignored and the default cert is used instead.
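Added example (not part of the original thread, and not UnrealIRCd code): a scripted version of the openssl s_client check above, comparing the certificate each listener actually serves with the leaf certificate in the file its listen::ssl-options points to. The function names, the PORT=PEMFILE argument form and the script name are assumptions made for this sketch.

```python
import hashlib
import re
import socket
import ssl
import sys

# A fullchain.pem holds the leaf certificate first, then the intermediates.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 (hex) of the first certificate in a PEM file or bundle."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no certificate found in PEM data")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(blocks[0])).hexdigest()

def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 (hex) of the certificate the listener presents right now."""
    ctx = ssl.create_default_context()
    # Diagnostic only: chain validation is off so a self-signed listener can
    # be inspected too. The fingerprint comparison is the actual check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def check_listeners(host, expected, fetch=served_fingerprint):
    """expected maps port -> PEM path; returns port -> True when the listener
    serves that file's leaf certificate (False: another cert, e.g. the default)."""
    result = {}
    for port, pem_path in expected.items():
        with open(pem_path) as fh:
            result[port] = leaf_fingerprint(fh.read()) == fetch(host, port)
    return result

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_certs.py HOST PORT=PEMFILE [PORT=PEMFILE ...]")
    pairs = dict(arg.split("=", 1) for arg in sys.argv[2:])
    status = check_listeners(sys.argv[1], {int(p): f for p, f in pairs.items()})
    for port, ok in sorted(status.items()):
        print(port, "serves the configured certificate" if ok else "MISMATCH")
    sys.exit(0 if all(status.values()) else 1)
```

Run after a certificate renewal and reload, a non-zero exit status flags a listener that is still presenting a different certificate than the one configured for it.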
Re: Websocket & SSL certs
Ok, it's working now. Don't know why, but looks like unreal reads the config now correctly.