
Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 2:25 pm
by Sky_Hi
I am having issues linking the servers using the spkifp. The hub and leaf will link just fine if I use a password in plain text, so I know it's not a firewall issue or any other issues going on. I have tried switching them even though I knew I had them correct. I use certbot for the certs and I’m using the cert file from the letsencrypt dir. I even used the genlinkblock cmd to make sure I have everything correct. I have spent hrs trying to get this figured out. Here is a pastebin link for both my link blocks and log.
https://0bin.xyz/?8506d2e28814289c#E4Cf ... XtYXK3xNeB

Re: Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 2:40 pm
by Syzop
If you use the certificate/key from Let's Encrypt for server linking then the certificate fingerprint and usually spkifp too will change every xx days. So that isn't ideal. While that may not be the problem you are having today, it sounds like trouble waiting to happen tomorrow ;). It is possible, depending on the Let's Encrypt tool, to keep the key static, which results in the spkifp staying the same, but we tend to recommend something different:

We recommend following this tutorial for Let's Encrypt with UnrealIRCd. Then you end up with two certificates/keys, one for server linking that is long-lived (for use with spkifp), and one from Let's Encrypt that is for client connections (as mentioned there under "The goal").
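
Why the certificate fingerprint changes on every renewal while the spkifp only follows the key, as an added example that is not part of the original thread or of UnrealIRCd's own tooling. It uses the openssl CLI with self-signed certificates standing in for renewals; the file names, the name irc.example.org and the helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example: certificate fingerprint vs. SPKI fingerprint across renewals.
# File names and CN=irc.example.org are constructed sample values.

# SPKI fingerprint: base64(SHA-256(DER-encoded public key of the certificate))
spkifp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl enc -base64
}

# Fingerprint of the whole certificate: differs for every issued certificate
certfp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Generate a fresh EC private key
newkey() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1" 2>/dev/null
}

# Self-signed certificate for an existing key (stands in for one issuance)
issue() {  # usage: issue <key> <cert-out> <days>
    openssl req -new -x509 -key "$1" -out "$2" -days "$3" \
        -subj "/CN=irc.example.org" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    newkey "$d/static.key"
    issue "$d/static.key" "$d/cert1.pem" 90    # first issuance
    issue "$d/static.key" "$d/cert2.pem" 91    # renewal, same key kept
    newkey "$d/rotated.key"
    issue "$d/rotated.key" "$d/cert3.pem" 90   # renewal with a new key
    for c in cert1 cert2 cert3; do
        printf '%s  certfp=%.23s...  spkifp=%s\n' \
            "$c" "$(certfp "$d/$c.pem")" "$(spkifp "$d/$c.pem")"
    done
    rm -rf "$d"
}

demo
```

cert1 and cert2 print different certfp values but the same spkifp, so a link block pinned to that spkifp keeps working across the renewal; cert3 has a new key and therefore a new spkifp, which is the case that produces a mismatch on the other server.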

Re: Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 2:50 pm
by Sky_Hi
Thank you for the response, I have tried that way also for testing the issue. Using the genlinkblock cmd seems to pull the cert from letsencrypt and the spkifp cmd is pulling the cert from /tls. I will change them back using the server certs. Any other suggestions that I can try? I have spent a lot of time trying to get this figured out.

Re: Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 3:09 pm
by Syzop
If you follow the tutorial then you should not have a set::ssl or set::tls block. If you have such a set::tls::key/certificate then better to remove that. That way, the default cert and key will be from conf/tls/server.cert.pem and the like. That default will then be used for outgoing SSL/TLS connects such as to servers, and listen blocks that don't have any tls-options, like the listen block for servers (6900).
Then, ONLY for the 6697 listen port (for clients) the tls settings are overridden through a listen::tls-options that uses the let's encrypt certificate.

If you do it that way, then ./unrealircd spkifp and ./unrealircd genlinkblock will always use the same default cert/key from conf/tls/server.cert.pem and the like, which is the correct one for linking servers.

Re: Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 3:11 pm
by Sky_Hi
So I added other certs using the spkifp cmd to get the keys. The ircds linked, but with the following log error:

link.SERVER_SYNCED info: Link leaf -> hub is now synced [secs: 0, recv: 5971, sent: 6209]
[Mon Dec 18 15:06:17 2023] hub link.CLOAK_KEY_MISMATCH+ warn: Server leaf has a DIFFERENT CLOAK KEY (OR METHOD)!!! You should fix this ASAP!
[Mon Dec 18 15:06:17 2023] hub link.CLOAK_KEY_MISMATCH warn: When the cloaking configuration is different on servers, this will cause channel bans on cloaked hosts/IPs not to work correctly, meaning users can bypass channel bans!

Re: Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 5:07 pm
by Sky_Hi
Ok, problem fixed after using correct certs and fixing cloak keys. Thank you for the advice today!!!

Re: Unreal 6.1.3 spkifp mismatch

Posted: Mon Dec 18, 2023 6:51 pm
by Syzop
Great! :)