Using fingerprint for links, false good idea?
Posted: Thu Jan 06, 2022 11:05 am
Since I use spkifp, I frequently encounter troubles (failed authentication) with my links.
WHY ?
I use Let's Encrypt certificates (wildcarded ones), so I met some problems:
- only one of my servers (master) renews them, then I've to create a little script to copy them to other servers (done, working, ok)
- the ./unrealircd spkifp command uses (hardcoded?) conf/tls/server.cert.pem and conf/tls/server.key.pem, so I've to rename the files for each server (done, working, ok)
- the certificates change every 3 months, so I've to change my configs each time (gonna do a script to automate that)
- I'm unable to use the spkifp to link anope and unreal, I'm forced to use plaintext password which decreases my network security level => now corrected, the solution was to use password = "*" in anope configuration
SO...
I'll try to find the best way to automate the certificate changes, but if it's too complicated to use in the long term, I'll probably find another way to link my servers, just using certs and not any fingerprint thing.
BTW, I'll make my update script public when it is clean and fully functional, it will probably give some ideas to other people having the same troubles as I have
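
How an SPKI fingerprint is derived, as an added example that is not part of the original post: it is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, so it follows the key pair rather than the certificate, and whether a renewal changes it depends on whether the renewal reuses the private key. The certificates below are constructed, unsigned stand-ins with the X.509 field layout, and `fake_cert` and the sample keys are hypothetical.

```python
import base64
import hashlib

def der_tlv(tag, content):
    """Encode one DER element (short or long definite length)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def read_tlv(buf, i=0):
    """Return (content, next_offset) for the DER element starting at buf[i]."""
    n, i = buf[i + 1], i + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    if i + n > len(buf):
        raise ValueError("truncated DER element")
    return buf[i:i + n], i + n

def children(content):  # split a SEQUENCE body into its encoded child elements
    out, i = [], 0
    while i < len(content):
        end = read_tlv(content, i)[1]
        out.append(content[i:end])
        i = end
    return out

def spkifp(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate."""
    tbs = children(read_tlv(cert_der)[0])[0]           # tbsCertificate
    fields = children(read_tlv(tbs)[0])
    spki = fields[6 if fields[0][0] == 0xA0 else 5]    # explicit [0] version is optional
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def fake_cert(serial, not_after, pubkey):
    """Constructed, unsigned stand-in with the X.509 field layout (not a valid cert)."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    alg = seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d0201")))   # id-ecPublicKey
    spki = seq(alg, der_tlv(0x03, b"\x00" + pubkey))
    validity = seq(der_tlv(0x17, b"220101000000Z"), der_tlv(0x17, not_after))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, serial),
              alg, seq(), validity, seq(), spki)
    return seq(tbs, alg, der_tlv(0x03, b"\x00" + serial * 32))   # placeholder signature

OLD = fake_cert(b"\x01", b"220401000000Z", b"\x04" + b"\x11" * 64)
SAME_KEY = fake_cert(b"\x02", b"220701000000Z", b"\x04" + b"\x11" * 64)  # renewed, key reused
NEW_KEY = fake_cert(b"\x03", b"220701000000Z", b"\x04" + b"\x22" * 64)   # renewed, new key
print(spkifp(OLD) == spkifp(SAME_KEY), spkifp(OLD) == spkifp(NEW_KEY))  # True False
```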