I'm having trouble with getting unreal 5.0.0 to accept a Let's Encrypt certificate presented by anope 2.0.7. The error being presented is: "Certificate is not issued by a trusted Certificate Authority"
I'm using the same certificate for https without issue. In fact, I'm actually using the same certificate for both unreal and anope, and unreal doesn't complain about the certificate when it is directly provided for it to use.
I've tried providing both fullchain.pem and cert.pem in anope, but both certificates produce the same error.
Looking at 'openssl verify' it seems there's no way to verify the fullchain. However, at the same time, there's no way for anope to provide the chain separately.
Any ideas?
OpenSSL / Anope / certificate authority
Re: OpenSSL / Anope / certificate authority
Could you give some pastes of the errors with more context? Like the full lines you see on IRC when they try to link (server names can be censored).
Re: OpenSSL / Anope / certificate authority
Sure, but there isn't much:
[Sat Dec 28 19:02:46 2019] - Loading IRCd configuration..
[Sat Dec 28 19:02:46 2019] - Configuration loaded.
[Sat Dec 28 19:02:51 2019] - Link denied for 'services.xxxxx.com' (Certificate verification failed) [@xx.x.xxx.xxx.60900]
[Sat Dec 28 19:02:51 2019] - Reason for certificate verification failure: Certificate is not issued by a trusted Certificate Authority
Re: OpenSSL / Anope / certificate authority
As I said, I tried manually verifying the certificate using CL 'openssl verify' and it produces the same result unless I separately provide the certificate and the chain. Providing both in a single file doesn't seem to work.
Re: OpenSSL / Anope / certificate authority
I see. I would trust the message that UnrealIRCd is giving, unless you fiddled with set::ssl / set::tls settings or cacert.pem. So I'm going to assume the error is correct.
So that would mean the issue is anope then. I don't think many people use SSL/TLS on anope, and even fewer people with non-self-signed certificates. So I'm just saying that that part of their code may be undertested or underdocumented.
Perhaps you can verify with the anope guys that what you configured in anope is correct and is known to work?
Re: OpenSSL / Anope / certificate authority
In addition to my previous comment, and I totally understand this works around the problem:
In the latest tutorial which I updated for UnrealIRCd 5 & Let's Encrypt we now recommend a dual certificate structure, so to say:
- A Let's Encrypt certificate/key presented to clients (short term, changes every 30-90 days)
- A long-term self-signed cert/key used exclusively for server linking
See this document: Using Let's Encrypt with UnrealIRCd.
In your case it would mean generating and using a self-signed certificate/key for anope, and using spkifp to verify them (as explained in Tutorial Linking servers, but I'm sure you are already familiar with it).