Tip of the day: Check out Special users on how to give trusted users/bots more rights without making them IRCOp.

Setting up certbot for use with UnrealIRCd

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

IMPORTANT: Using Let's Encrypt with UnrealIRCd is the main article. This sub-article below only deals with setting up certbot, including tweaking permissions so UnrealIRCd can actually read the certificate and key (otherwise you will have Permission denied errors).

Installing a recent certbot version

For this to work, we need certbot 0.29.0 or later. Unfortunately, some older distro's like Ubuntu 16.04 and 18.04 have a too old version.

Verify your version with: certbot --version

If it is older than 0.29.0, then:

  1. Uninstall the existing package, eg apt remove certbot or similar
  2. Install a newer certbot by going to https://certbot.eff.org/ - on that page choose "Other" and then choose your Linux distro or BSD. Then follow all the instructions.

Verifying certbot version

We need certbot 0.29.0 or newer, so double check:

# certbot --version
certbot 0.31.0

If this is below 0.29.0 then go back and read the previous instructions. Certbot below 0.29.0 will not work as it will screw up permissions!

Acquire the certificate for the first time

NOTE: On some Debian distros you may have to apt install psmisc because the killall command is missing by default.

Now you need to acquire a certificate for the first time: certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org --deploy-hook "killall -USR1 unrealircd"
Naturally, replace irc.example.org with the name of your server!

Some information regarding the deploy-hook:

  • The --deploy-hook "killall -USR1 unrealircd" means: send a USR1 signal to all unrealircd processes to reload the TLS certificate. This works perfectly if you have 1 unrealircd running on your server.
  • If you run multiple unrealircd processes on the same machine, then consider something like:
    --deploy-hook "su -c 'cd ~/unrealircd; ./unrealircd reloadtls' - unrealircdaccountnamehere"
    (Replace unrealircdaccountnamehere with the name of the account that runs unrealircd)

Here is example output of a successful session:

root@irc:~# certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org --deploy-hook "killall -USR1 unrealircd"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for irc.example.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/irc.example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/irc.example.org/privkey.pem
   Your cert will expire on 2020-03-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@irc:~#

Tweaking permissions on the key file

Again: this requires certbot 0.29.0 or newer!

Right now you have a certificate and a key file, but only root can read these files. This is a problem as UnrealIRCd does not run as root but under a low privileged account. So we need to change the access permissions.

First of all, run the following:

chmod go+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Then, change the group ownership to the group of your irc user. For example, in my case I have a user irc with group irc and the certificate is for irc.example.org. So I do:

chown root:irc /etc/letsencrypt/live/irc.example.org /etc/letsencrypt/archive/irc.example.org/ -R
chmod g+rx,o-rwx /etc/letsencrypt/live/irc.example.org /etc/letsencrypt/archive/irc.example.org/ -R

NOTE: Be sure to change the group (irc) and certificate (irc.example.org) to match your situation in the above 2 commands!

Now, your files will look like this:

root@irc:/etc/letsencrypt# ls -al /etc/letsencrypt/live/irc.example.org/
total 12
drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
drwx--x--x 3 root root 4096 Dec 16 12:10 ..
lrwxrwxrwx 1 root irc    40 Dec 16 12:10 cert.pem -> ../../archive/irc.example.org/cert1.pem
lrwxrwxrwx 1 root irc    41 Dec 16 12:10 chain.pem -> ../../archive/irc.example.org/chain1.pem
lrwxrwxrwx 1 root irc    45 Dec 16 12:10 fullchain.pem -> ../../archive/irc.example.org/fullchain1.pem
lrwxrwxrwx 1 root irc    43 Dec 16 12:10 privkey.pem -> ../../archive/irc.example.org/privkey1.pem
-rw-r----- 1 root irc   692 Dec 16 12:10 README
root@irc:/etc/letsencrypt# ls -al /etc/letsencrypt/archive/irc.example.org/
total 24
drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
drwx--x--x 3 root root 4096 Dec 16 12:10 ..
-rw-r----- 1 root irc  1911 Dec 16 12:10 cert1.pem
-rw-r----- 1 root irc  1647 Dec 16 12:10 chain1.pem
-rw-r----- 1 root irc  3558 Dec 16 12:10 fullchain1.pem
-rw-r----- 1 root irc  1708 Dec 16 12:10 privkey1.pem

This way only root and members of the irc group can read the key and certificate files.

Certbot 0.29.0 and later will remember this, so you don't need to chown/chmod them ever again.

Periodic certificate renewal

Your certificate will be renewed automatically after around 30 days (so way before the 90 days expiry). If there is something wrong with the certificate not renewing then you should receive email(s) about this from certbot a month from now.

FIXME: Maybe on Debian it needs an explicit cron job?? Ubuntu works fine, though.