
Using Let's Encrypt with UnrealIRCd

From UnrealIRCd documentation wiki

Let's Encrypt allows you to get a real certificate for your server. That is, a certificate from a trusted Certificate Authority. By using Let's Encrypt with UnrealIRCd and having your users on SSL/TLS you make your IRC network safer.

The goal

After this guide you will have a dual certificate setup:

  • Clients will connect to your server and see the Let's Encrypt certificate (from /etc/letsencrypt/...). That way they see a "real certificate" that is validated by a trusted certificate authority.
  • Server-to-server connections will keep using the self-signed certificates (from ~/unrealircd/conf/tls/server...). This keeps server linking simple, since those certificates and keys stay the same instead of changing every time the 90-day Let's Encrypt certificate is renewed.

Requirements

This tutorial is written for *NIX. Perhaps one day someone could expand it for Windows (if possible).

The Let's Encrypt installation as described in this tutorial requires root access. We will assume you are running UnrealIRCd on a VPS and you have root access, this is after all the most common situation. Be sure to do all the things in this tutorial as root. Become root now by using sudo -i or whatever command or login method you normally use to become root.

Let's Encrypt requires you to set up a number of things and will issue you a 90-day certificate. Getting the certificate for the first time requires some manual work. After that, you will set up automatic renewal so the certificate does not expire.

Installing certbot and getting your certificate

This is now explained in Setting up certbot for use with UnrealIRCd. Be sure to follow the instructions there, as it also tells you how to set permissions correctly on the certificate and key files: UnrealIRCd does not run as root, so it must be able to read them. If you skip this step you will get Permission denied errors later on. So again, only continue reading below AFTER you have successfully set up certbot, acquired your first certificate, and set permissions according to that article.

Updating your listen blocks

Now that you have your Let's Encrypt certificate, we are going to update the listen { } blocks so UnrealIRCd will actually use the certificate and key file.

Most, if not all, networks have one SSL/TLS port open for users, and that is 6697. So find this block in your unrealircd.conf:

/* Standard IRC SSL/TLS port 6697 */
listen {
        ip *;
        port 6697;
        options { tls; };
};

And change it to make it use your Let's Encrypt certificate. In this example we assume the hostname (for the certificate) is irc.example.org. Naturally you must replace the name in the paths with your real certificate's name. Use fullchain.pem (the certificate plus the intermediate chain) rather than cert.pem, otherwise clients cannot build the chain up to a trusted root:

/* Standard IRC SSL/TLS port 6697 */
listen {
        ip *;
        port 6697;
        options { tls; };
        tls-options {
                certificate "/etc/letsencrypt/live/irc.example.org/fullchain.pem";
                key "/etc/letsencrypt/live/irc.example.org/privkey.pem";
        };
};

After this, /REHASH the IRC server. Ensure that it does not display any errors in ircd.log or on IRC when you rehash as an IRCOp.

Do you see Permission denied errors? Then you skipped Setting up certbot for use with UnrealIRCd. Read that article again; it contains very important instructions on 1) the minimum version of certbot required and 2) how to tweak permissions so that the unprivileged user UnrealIRCd runs as can read the key and certificate (without making the private key world-readable).
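The two-certificate layout described under The goal, written out as a complete set of blocks (an added example, not copied from the UnrealIRCd documentation). The 6697 block is the one from this page. The set::tls block states UnrealIRCd's default certificate paths explicitly; they are relative to the conf/ directory and correspond to the conf/tls/server... files mentioned above. The server-link port number 6900 is an assumption; use whatever port your network links on.

```conf
/* Default certificate for everything that does not override it, including
   server-to-server links. These are UnrealIRCd's defaults, written out so
   the split between the two certificates is visible in one place. */
set {
        tls {
                certificate "tls/server.cert.pem";
                key "tls/server.key.pem";
        };
};

/* Client port: present the Let's Encrypt certificate (this page's example
   hostname irc.example.org; replace it with your own). */
listen {
        ip *;
        port 6697;
        options { tls; };
        tls-options {
                certificate "/etc/letsencrypt/live/irc.example.org/fullchain.pem";
                key "/etc/letsencrypt/live/irc.example.org/privkey.pem";
        };
};

/* Server link port (6900 is an assumption). There is no tls-options block,
   so this port inherits set::tls above: the self-signed certificate that
   never rotates. */
listen {
        ip *;
        port 6900;
        options { tls; serversonly; };
};
```

Because the link port has no tls-options block it falls back to set::tls, so other servers see the self-signed key pair, and link blocks that pin the peer certificate by fingerprint keep working across Let's Encrypt renewals. Keep the Let's Encrypt paths only in the client listen blocks; putting them in set::tls would put the rotating certificate on your links as well.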

Making sure it works

You can manually connect with an IRC client to the SSL/TLS port 6697. Have a look at the certificate to make sure it is now the Let's Encrypt one and that your client accepts it as trusted without a warning.

It is also a good idea to visit https://www.sslshopper.com/ssl-checker.html and enter irc.example.org:6697 there (the name of your IRC server followed by :6697). The test should show you many green checkmarks, as in the example below. Repeat the check after the first automatic renewal as well: certbot replaces the files on disk, but UnrealIRCd keeps serving the certificate it loaded until you /REHASH or restart it.

[Screenshot Sslcheck.png: SSL checker result for irc.example.org:6697 with green checkmarks]
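The same checks as a script you can keep next to the server and run after the first setup and after each renewal (an added example, not part of the UnrealIRCd documentation; it needs the openssl command-line tool). The hostname irc.example.org and the /etc/letsencrypt/live/irc.example.org path follow the examples on this page; the account name unrealircd is an assumption, so set IRCD_USER to the user your ircd actually runs as. Beyond the manual client check it verifies that the private key belongs to the certificate, that the certificate on disk is not about to expire, that the unprivileged ircd account can read both files (the cause of the Permission denied errors above), and that the certificate actually served on port 6697 is the one on disk, which is exactly what goes wrong after a renewal without a /REHASH.

```shell
#!/bin/sh
# Post-deployment checks for a Let's Encrypt certificate on UnrealIRCd.
# Added example, not part of the UnrealIRCd documentation. Needs the
# openssl command-line tool. Defaults follow this page's irc.example.org
# example; the account name "unrealircd" is an assumption.

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/irc.example.org}"
IRC_HOST="${IRC_HOST:-irc.example.org}"
IRC_PORT="${IRC_PORT:-6697}"
IRCD_USER="${IRCD_USER:-unrealircd}"   # assumed: the user the ircd runs as

# SHA-256 fingerprint of the first PEM certificate read from stdin. For
# fullchain.pem that first certificate is the server (leaf) certificate.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Leaf certificate actually presented on host:port, fetched with SNI so the
# result is the certificate a modern client will see.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# 0 if the private key ($1) belongs to the certificate ($2): both are reduced
# to their SubjectPublicKeyInfo and compared, which works for RSA and ECDSA.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# 0 if the certificate ($1) is still valid $2 days from now, 1 otherwise.
# certbot renews 30 days before expiry, so less than that left on the file
# on disk means renewal itself is broken, not just the rehash.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# 0 if the certificate served on $1:$2 is the file $3. A mismatch right
# after a renewal means certbot wrote new files but the ircd was never
# rehashed and is still serving the old, soon-to-expire certificate.
served_matches_file() {
    served=$(fetch_served_cert "$1" "$2" | fingerprint)
    [ -n "$served" ] && [ "$served" = "$(fingerprint < "$3")" ]
}

# 0 if the unprivileged ircd account ($1) can read $2. live/ holds symlinks
# into archive/, so every directory on the way must be traversable as well;
# "Permission denied" at /REHASH is this same test failing inside the ircd.
readable_by_user() {
    sudo -u "$1" test -r "$2"
}

main() {
    rc=0
    for f in privkey.pem fullchain.pem; do
        readable_by_user "$IRCD_USER" "$LE_DIR/$f" ||
            { echo "FAIL: $IRCD_USER cannot read $LE_DIR/$f"; rc=1; }
    done
    key_matches_cert "$LE_DIR/privkey.pem" "$LE_DIR/fullchain.pem" ||
        { echo "FAIL: privkey.pem does not belong to fullchain.pem"; rc=1; }
    cert_valid_for_days "$LE_DIR/fullchain.pem" 30 ||
        { echo "FAIL: certificate on disk expires within 30 days; check renewal"; rc=1; }
    served_matches_file "$IRC_HOST" "$IRC_PORT" "$LE_DIR/fullchain.pem" ||
        { echo "FAIL: $IRC_HOST:$IRC_PORT serves a different certificate; /REHASH?"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate, permissions and served certificate all check out"
    return "$rc"
}

# Run the checks only when given an argument (e.g. "./check.sh run"), so the
# functions can also be sourced from another script or a renewal hook.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root (readable_by_user needs sudo to switch to the ircd account) and treat any FAIL line as something to fix before moving on; the served-certificate check is the one to re-run after every renewal.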