using fingerprint for links, false good idea ?

This forum is for everyone having trouble with linking two UnrealIRCd servers

Moderator: Supporters

Post Reply
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

using fingerprint for links, false good idea ?

Post by CrazyCat »

Since I use spkifp, I frequently encounter troubles (failed authentication) with my links.

WHY ?
I use Let's encrypt certificates (wildcarded ones), so I met some problems:
- only one of my servers (master) renew them, then I've to create a little script to copy them to other servers (done, working, ok)
- the ./unrealircd spkifp command uses (hardcoded?) conf/tls/server.cert.pem and conf/tls/server.key.pem, so I've to rename the files for each servers (done, working, ok)
- the certificates change every 3 months, so I've to change my configs each time (gonna do a script to automate that)
- I'm unable to use the spkifp to link anope and unreal, I'm forced to use plaintext password wich decreases my network security level => now corrected, the solution was to use password = "*" in anope configuration

SO...
I'll try to find the best way to automate the certificate changements, but if it's too complicated to use in a long-term, I'll probably find another way to link my servers, just using certs and not any fingerprint thing.

BTW, I'll make my update script public when it will be clean and fully functionnal, it will probably give some ideas to other pple having the same troubles as I have
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Re: using fingerprint for links, false good idea ?

Post by Syzop »

Yes, what you describe is indeed normal. In our tutorial (updated in Dec 2019) we therefore suggest to use two sets of cert/keys: https://www.unrealircd.org/docs/Using_L ... UnrealIRCd

After following that guide you will have a dual certificate setup:
  • Clients will connect to your server and see the Let's Encrypt certificate (from /etc/letsencrypt/...). That way they will see a "real certificate" that is validated by trusted certificate authority
  • Server-to-server connections will use the self-signed certificates (from ~/unrealircd/conf/tls/server...). This makes things easy for server linking since the certificate/keys will stay the same (and not change every 30-90 days).
You say you use uploading instead of of requesting/generating it on every machine via certbot, but.. you can still use the idea of using a fixed long-term key/cert for server to server connections, like mentioned here :)

As for anope, people normally link services via localhost. If it's on localhost then it's OK if it is not SSL/TLS but plaintext, you "won't loose any points" :)
CrazyCat
Posts: 215
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: using fingerprint for links, false good idea ?

Post by CrazyCat »

Hi Syzop and thanks for the explanations.
I understand that and I then will probably use a self-signed long-term certificate to link servers if my script doesn't feat how I hope.

And for anope, the trouble is that I sometime have to stop the ircd where is located anope, so I make it join another server. But my problem was solved with the password="*" in anope settings.
Post Reply