Setting up certbot for use with UnrealIRCd

IMPORTANT: Using Let's Encrypt with UnrealIRCd is the main article. This sub-article below only deals with setting up certbot, including tweaking permissions so UnrealIRCd can actually read the certificate and key (otherwise you will have Permission denied errors).

Installing a recent certbot version
For this to work, we need certbot 0.29.0 or later. Unfortunately, a lot of distros ship versions that are too old.

Verify your version with:

 certbot --version

If it is older than 0.29.0, then:
 * 1) Uninstall the existing package, eg   or similar
 * 2) Install a newer certbot by going to https://certbot.eff.org/ - on that page choose "Other" and then choose your Linux distro or BSD. Then follow all the instructions.

Verifying certbot version
We need certbot 0.29.0 or newer, so double check:

 certbot --version
 certbot 0.31.0

If this is below 0.29.0 then go back and read the previous instructions. Certbot below 0.29.0 will not work as it will screw up permissions!

Acquire the certificate for the first time
Now you need to acquire a certificate for the first time:

 certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org --deploy-hook "killall -USR1 unrealircd"

Naturally, replace irc.example.org with the name of your server!

Some information regarding the deploy-hook:
 * The killall -USR1 unrealircd means: send a USR1 signal to all unrealircd processes to reload the TLS certificate. This works perfectly if you have 1 unrealircd running on your server.
 * If you run multiple unrealircd processes on the same machine, then consider something like: (Replace unrealircdaccountnamehere with the name of the account that runs unrealircd)

Here is example output of a successful session:

 root@irc:~# certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org --deploy-hook "killall -USR1 unrealircd"
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): syzop@example.org

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
 agree in order to register with the ACME server at
 https://acme-v02.api.letsencrypt.org/directory
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (A)gree/(C)ancel: a

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about our work
 encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: n
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for irc.example.org
 Waiting for verification...
 Cleaning up challenges

 IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/irc.example.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/irc.example.org/privkey.pem
    Your cert will expire on 2020-03-15. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
  - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le

 root@irc:~#

Tweaking permissions on the key file
Again: this requires certbot 0.29.0 or newer!

Right now you have a certificate and a key file, but only root can read these files. This is a problem as UnrealIRCd does not run as root but under a low privileged account. So we need to change the access permissions.

First of all, run the following:

 chmod go+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Then, change the group ownership to the group of your irc user. For example, in my case I have a user irc with group irc and the certificate is for irc.example.org. So I do:

 chown root:irc /etc/letsencrypt/live/irc.example.org /etc/letsencrypt/archive/irc.example.org/ -R
 chmod g+r,o-rwx /etc/letsencrypt/live/irc.example.org /etc/letsencrypt/archive/irc.example.org/ -R

NOTE: Be sure to change the group and certificate name to match your situation in the above 2 commands!

Now, your files will look like this:

 root@irc:/etc/letsencrypt# ls -al /etc/letsencrypt/live/irc.example.org/
 total 12
 drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
 drwx--x--x 3 root root 4096 Dec 16 12:10 ..
 lrwxrwxrwx 1 root irc    40 Dec 16 12:10 cert.pem -> ../../archive/irc.example.org/cert1.pem
 lrwxrwxrwx 1 root irc    41 Dec 16 12:10 chain.pem -> ../../archive/irc.example.org/chain1.pem
 lrwxrwxrwx 1 root irc    45 Dec 16 12:10 fullchain.pem -> ../../archive/irc.example.org/fullchain1.pem
 lrwxrwxrwx 1 root irc    43 Dec 16 12:10 privkey.pem -> ../../archive/irc.example.org/privkey1.pem
 -rw-r----- 1 root irc   692 Dec 16 12:10 README
 root@irc:/etc/letsencrypt# ls -al /etc/letsencrypt/archive/irc.example.org/
 total 24
 drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
 drwx--x--x 3 root root 4096 Dec 16 12:10 ..
 -rw-r----- 1 root irc  1911 Dec 16 12:10 cert1.pem
 -rw-r----- 1 root irc  1647 Dec 16 12:10 chain1.pem
 -rw-r----- 1 root irc  3558 Dec 16 12:10 fullchain1.pem
 -rw-r----- 1 root irc  1708 Dec 16 12:10 privkey1.pem

This way only root and members of the irc group can read the key and certificate files.

Certbot 0.29.0 and later will remember this, so you don't need to chown/chmod them ever again.
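As an added example (not from the UnrealIRCd wiki or certbot), the following POSIX shell script checks that a certbot tree has the layout and permissions the commands above produce, so a "Permission denied" on the key can be diagnosed before UnrealIRCd is restarted. It assumes GNU or BSD ls and the standard live/archive layout; the names check_le_perms, mode_of and group_of are my own.

```shell
#!/bin/sh
# check_le_perms: verify a certbot tree has the permissions this article sets,
# so the (non-root) account running UnrealIRCd can read the cert and key.
# Added example, not part of the UnrealIRCd wiki; assumes GNU/BSD ls and the
# standard /etc/letsencrypt layout (live/<name>/*.pem -> ../../archive/<name>/).
# Usage: check_le_perms /etc/letsencrypt irc.example.org irc

# 10-character mode string of a path (e.g. drwxr-x---), following symlinks.
mode_of() { ls -ldL "$1" | cut -c1-10; }

# Group owner of a path, following symlinks.
group_of() { ls -ldL "$1" | awk '{ print $4 }'; }

# Exit status 0 when the tree is readable by $group as the article intends,
# 1 otherwise; every violation is printed so you can fix it before a restart.
check_le_perms() {
    base=$1; name=$2; group=$3; rc=0
    # live/ and archive/ only need the search bit for others (chmod go+x):
    # the irc user can then traverse them but not list other hosts' certs.
    for d in "$base/live" "$base/archive"; do
        case $(mode_of "$d") in
            d????????x) ;;
            *) echo "need o+x on $d (is $(mode_of "$d"))"; rc=1 ;;
        esac
    done
    # The per-certificate directories: group read+search, nothing for others,
    # and owned by the irc group (chown root:irc, chmod g+r,o-rwx).
    for d in "$base/live/$name" "$base/archive/$name"; do
        case $(mode_of "$d") in
            d???r?x---) ;;
            *) echo "expected drwxr-x--- on $d (is $(mode_of "$d"))"; rc=1 ;;
        esac
        [ "$(group_of "$d")" = "$group" ] ||
            { echo "group of $d is $(group_of "$d"), not $group"; rc=1; }
    done
    # Files in live/ are symlinks into archive/; ls -L checks the real file,
    # which must be group-readable and not world-readable (this is the key!).
    for f in "$base/live/$name"/*.pem; do
        case $(mode_of "$f") in
            -???r??---) ;;
            *) echo "bad mode on $f -> $(readlink "$f"): $(mode_of "$f")"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the check when invoked with the three arguments from the usage line.
if [ "$#" -eq 3 ]; then check_le_perms "$@"; fi
```

Because the checks go through the symlinks in live/, a tree where only live/ was fixed but archive/ is still root-only is reported too.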

Periodic certificate renewal
Your certificate will be renewed automatically after around 30 days (so well before the 90 day expiry). If renewal fails for some reason, you should receive email(s) about this from certbot a month from now.

FIXME: Maybe on Debian it needs an explicit cron job?? Ubuntu works fine, though.