Page 1 of 1

using fingerprint for links, false good idea ?

Posted: Thu Jan 06, 2022 11:05 am
by CrazyCat
Since I use spkifp, I frequently encounter troubles (failed authentication) with my links.

I use Let's encrypt certificates (wildcarded ones), so I met some problems:
- only one of my servers (master) renew them, then I've to create a little script to copy them to other servers (done, working, ok)
- the ./unrealircd spkifp command uses (hardcoded?) conf/tls/server.cert.pem and conf/tls/server.key.pem, so I've to rename the files for each servers (done, working, ok)
- the certificates change every 3 months, so I've to change my configs each time (gonna do a script to automate that)
- I'm unable to use the spkifp to link anope and unreal, I'm forced to use plaintext password wich decreases my network security level => now corrected, the solution was to use password = "*" in anope configuration

I'll try to find the best way to automate the certificate changements, but if it's too complicated to use in a long-term, I'll probably find another way to link my servers, just using certs and not any fingerprint thing.

BTW, I'll make my update script public when it will be clean and fully functionnal, it will probably give some ideas to other pple having the same troubles as I have

Re: using fingerprint for links, false good idea ?

Posted: Fri Jan 07, 2022 2:51 pm
by Syzop
Yes, what you describe is indeed normal. In our tutorial (updated in Dec 2019) we therefore suggest to use two sets of cert/keys: ... UnrealIRCd

After following that guide you will have a dual certificate setup:
  • Clients will connect to your server and see the Let's Encrypt certificate (from /etc/letsencrypt/...). That way they will see a "real certificate" that is validated by trusted certificate authority
  • Server-to-server connections will use the self-signed certificates (from ~/unrealircd/conf/tls/server...). This makes things easy for server linking since the certificate/keys will stay the same (and not change every 30-90 days).
You say you use uploading instead of of requesting/generating it on every machine via certbot, but.. you can still use the idea of using a fixed long-term key/cert for server to server connections, like mentioned here :)

As for anope, people normally link services via localhost. If it's on localhost then it's OK if it is not SSL/TLS but plaintext, you "won't loose any points" :)

Re: using fingerprint for links, false good idea ?

Posted: Sat Jan 08, 2022 2:36 pm
by CrazyCat
Hi Syzop and thanks for the explanations.
I understand that and I then will probably use a self-signed long-term certificate to link servers if my script doesn't feat how I hope.

And for anope, the trouble is that I sometime have to stop the ircd where is located anope, so I make it join another server. But my problem was solved with the password="*" in anope settings.