Using Let's Encrypt with UnrealIRCd

Introduction
TODO: expand

Use LE certificate & key via set::ssl::certificate and set::ssl::key.

Then keep using the self-signed certificate and key for server-to-server links: set them via listen::ssl-options on the dedicated server port (incoming server connections) and via link::outgoing::ssl-options (outgoing server connections).

This only works on UnrealIRCd 4.0.10+
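
A worked UnrealIRCd 4 configuration for the split described above, added here as an example and not part of the original page: the Let's Encrypt paths assume certbot's default /etc/letsencrypt/live/ layout for irc1.example.net, and the self-signed paths assume the ssl/server.cert.pem and ssl/server.key.pem pair that a default install generates. The link mask, IP and password are placeholders.

```conf
/* Client-facing TLS: the Let's Encrypt certificate and key.
 * Paths are certbot's defaults for the certonly command in this tutorial
 * (assumption; adjust to your own server name). */
set {
    ssl {
        certificate "/etc/letsencrypt/live/irc1.example.net/fullchain.pem";
        key "/etc/letsencrypt/live/irc1.example.net/privkey.pem";
    };
};

/* Client port: uses the Let's Encrypt cert/key from set::ssl */
listen {
    ip *;
    port 6697;
    options { ssl; };
};

/* Dedicated server port: listen::ssl-options overrides set::ssl with the
 * self-signed pair UnrealIRCd generated at install (ssl/server.cert.pem
 * and ssl/server.key.pem under conf/). certbot issues a new private key
 * on each renewal, so this keeps the link fingerprint stable. */
listen {
    ip *;
    port 6900;
    options { ssl; serversonly; };
    ssl-options {
        certificate "ssl/server.cert.pem";
        key "ssl/server.key.pem";
    };
};

/* Outgoing link to irc2.example.net, presenting the same self-signed pair.
 * The incoming mask, IP and password below are placeholders. */
link irc2.example.net {
    incoming { mask *@203.0.113.2; };
    outgoing {
        hostname irc2.example.net;
        port 6900;
        options { ssl; };
        ssl-options {
            certificate "ssl/server.cert.pem";
            key "ssl/server.key.pem";
        };
    };
    password "CHANGEME-link-password";
    class servers;
};
```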

Requirements
This tutorial is written for *NIX. Perhaps one day someone could expand it for Windows (if possible).

Using Let's Encrypt (effectively) requires root access to the machine. We will assume you are running UnrealIRCd on a VPS and you have root access. Be sure to do the things in this tutorial as root (use sudo -i to become root if not already so).

Installing certbot
First, you need to install the 'certbot' tool. Follow the "Install" instructions on EFF's certbot page. A typical choice for a Linux user would be "I'm using None of the above on Ubuntu/Debian/..".

IMPORTANT: Follow the Install instructions only, then get back here!

Open up port 80 (firewall!)
In this tutorial we will use port 80 for Let's Encrypt's verification mechanism. Make sure incoming port 80 is not firewalled. If you use the ufw firewall you may want to run something like: ufw allow 80/tcp. If you are using Amazon EC2 then don't forget to also allow port 80 in your Security Group.

Getting your first certificate (TEST)
If you run a single-server network, run the following as root. Replace irc1.example.net with your server name: certbot certonly --test-cert --standalone -d irc1.example.net

You will be asked a few questions:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): Enter your email address here
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org

---
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-staging.api.letsencrypt.org/directory
---
(A)gree/(C)ancel: A

---
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights.
---
(Y)es/(N)o: N
Obtaining a new certificate

Multi-server network
If you have a multi-server network with round robin DNS, run the following as root. Replace irc.example.net with your "round robin DNS name" and irc2.example.net with your server name: certbot certonly --test-cert --standalone -d irc.example.net -d irc2.example.net

Why this tutorial has not been written yet

 * Let's Encrypt requires you to run a webserver or use the 'standalone' option. This is solvable but a bit of a hassle.
 * Most IRC networks use DNS Round Robin (RR). Users can connect both by the individual server name (eg: irc1.test.net) and the round robin name (eg: irc.test.net). Let's Encrypt makes it really difficult to acquire and renew certificates for DNS RR names. If you want to acquire a certificate on server A, you have to run a command on server B, C and D also. Not just initially but also for your XX day renewal. Argh!

There are a number of "how to authenticate to Let's Encrypt" options, one of them being a DNS TXT record to confirm ownership. You would think this would solve the cases above, but it does not: you would have to change the DNS TXT record every time you renew your <90 day certificate.