No PEM, have Let's Encrypt CRT, KEY, ISSUER.CRT

fusionx
Posts: 5
Joined: Mon Apr 24, 2023 5:49 pm

Post by fusionx »

Hello all,

I'm not much of a Linux admin, so I'm looking for a little help before I break everything, and potentially destroy the universe.

I have UnrealIRCd 6.0.7 on CentOS 7, with DirectAdmin. I have a wildcard cert for the domain through Let's Encrypt.

All the reading I've done shows people using a .pem file - under DirectAdmin we don't get those.

I didn't want to install certbot, since I already have certs. Does that make sense?

I looked at the contents of the locally issued pem files, and they look just like my letsencrypt crt and key files.

I used /usr/local/directadmin/data/.lego/certificates/domain.org.crt and .key - these are working. At first it wouldn't rehash - directory and file permissions.

I changed the groups on the data and .lego subdirs from root:root to diradmin:diradmin and added +r on the cert files so unrealircd could read the files.

Now it rehashes fine, and I can connect with TLS. My main concern is that with the permission changes I may have made my server unsafe. I'm the only user on it, btw. Here's my listen block:

listen {
        ip xxx.xxx.xxx.xxx;
        port 6697;
        options { tls; }
        tls-options {
                certificate "/usr/local/directadmin/data/.lego/certificates/domain.org.crt";
                key "/usr/local/directadmin/data/.lego/certificates/domain.org.key";
        };
};

Is there anything I could do differently to use these certfiles in a better way?

Thanks in advance!
PeGaSuS
Official supporter
Posts: 96
Joined: Tue Jun 27, 2017 4:42 pm

Re: No PEM, have Let's Encrypt CRT, KEY, ISSUER.CRT

Post by PeGaSuS »

The only thing I'd do if I were you would be to copy the cert and key to the UnrealIRCd TLS folder (never used CentOS but on Ubuntu that'd be "/home/USER/unrealircd/conf/tls") and change the permissions of the files there only.

Other than that, since I've never used CentOS or DirectAdmin, I can't be of much more help.

Cheers!
IRC Network: PTirc - GitHub: TehPeGaSuS - Help and support: #unreal-support
fusionx
Posts: 5
Joined: Mon Apr 24, 2023 5:49 pm

Re: No PEM, have Let's Encrypt CRT, KEY, ISSUER.CRT

Post by fusionx »

Thanks, Pegasus - I thought about doing that, but then they wouldn't get updated/reissued automagically. I suppose I could use cron to copy them monthly - that might be a more elegant solution.
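The copy step discussed in the two posts above (a private copy for UnrealIRCd, refreshed from cron), as an added example that is not part of the thread: it copies the pair only when it has changed and keeps the key at mode 600 inside a 700 directory. The function names and the `IRCD_OWNER` variable are assumptions; the `NAME.crt` / `NAME.key` naming follows the files in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. sync_tls, copy_if_changed and IRCD_OWNER
# are made-up names; run as root so the source files can stay root-only.

# copy_if_changed SRC DST MODE: returns 0 if DST was replaced, 1 if identical, 2 on error
copy_if_changed() {
    cic_src=$1 cic_dst=$2 cic_mode=$3
    [ -r "$cic_src" ] || { echo "cannot read $cic_src" >&2; return 2; }
    if [ -f "$cic_dst" ] && cmp -s "$cic_src" "$cic_dst"; then
        chmod "$cic_mode" "$cic_dst" || return 2   # re-assert the mode even when unchanged
        return 1
    fi
    cic_tmp=$(mktemp "$cic_dst.XXXXXX") || return 2   # mktemp creates the file mode 0600
    if ! { cp "$cic_src" "$cic_tmp" && chmod "$cic_mode" "$cic_tmp"; }; then
        rm -f "$cic_tmp"; return 2
    fi
    if [ -n "${IRCD_OWNER:-}" ] && ! chown "$IRCD_OWNER" "$cic_tmp"; then
        rm -f "$cic_tmp"; return 2
    fi
    # rename within one directory: readers never see a partial file
    mv -f "$cic_tmp" "$cic_dst" || return 2
}

# sync_tls SRC_DIR DST_DIR NAME: prints "updated" or "unchanged"
sync_tls() {
    st_src=$1 st_dst=$2 st_name=$3 st_changed=0
    mkdir -p "$st_dst" && chmod 700 "$st_dst" || return 2
    if [ -n "${IRCD_OWNER:-}" ]; then chown "$IRCD_OWNER" "$st_dst" || return 2; fi
    for st_pair in crt:644 key:600; do
        st_ext=${st_pair%%:*}
        copy_if_changed "$st_src/$st_name.$st_ext" "$st_dst/$st_name.$st_ext" "${st_pair##*:}" \
            && st_rc=0 || st_rc=$?
        case $st_rc in
            0) st_changed=1 ;;
            1) ;;
            *) return 2 ;;
        esac
    done
    if [ "$st_changed" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# Usage: sync-tls.sh SRC_DIR DST_DIR NAME   (no-op when called without arguments)
if [ "$#" -eq 3 ]; then sync_tls "$@"; fi
```

Run it from root's crontab with the two directories from the posts as arguments and `IRCD_OWNER` set to the account UnrealIRCd runs as, point the listen block at the copies, and rehash when it prints `updated`. The DirectAdmin directories can then go back to their original root-only ownership.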
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Re: No PEM, have Let's Encrypt CRT, KEY, ISSUER.CRT

Post by Syzop »

Our guide "Using Let's Encrypt with UnrealIRCd" has this initial step: "Setting up certbot for use with UnrealIRCd". In the section "Tweaking permissions on the key file" it does things similar to what you did. It talks about setting permissions (and how), if/when they will be maintained, minimum certbot version for it, etc.