Using Let's Encrypt with UnrealIRCd

Let's Encrypt is an initiative which allows you to get a real certificate for your server. That is, a certificate from a trusted Certificate Authority. By using Let's Encrypt with UnrealIRCd and having your users on SSL/TLS you make your IRC network safer.

The goal
After this guide you will have a dual certificate setup:
 * Clients will connect to your server and see the Let's Encrypt certificate (from /etc/letsencrypt/...). That way they will see a "real certificate" that is validated by a trusted certificate authority.
 * Server-to-server connections will use the self-signed certificates (from ~/unrealircd/conf/tls/server...). This makes things easy for server linking since the certificate/keys will stay the same (and not change every 30-90 days).

Requirements
This tutorial is written for *NIX. Perhaps one day someone could expand it for Windows (if possible).

The Let's Encrypt installation as described in this tutorial requires root access. We will assume you are running UnrealIRCd on a VPS and have root access, since this is by far the most common situation. Be sure to do all the things in this tutorial as root. Become root now by using  or whatever command or login method you normally use to become root.

Let's Encrypt requires you to set up a number of things and will issue you a 90-day certificate. Getting the certificate for the first time requires some manual labor. After this, you will set up automatic renewal.

Installing certbot and getting your certificate
This is now explained in Setting up certbot for use with UnrealIRCd. Be sure to follow the instructions there. Only continue reading below AFTER you have successfully set up certbot and acquired your first certificate.

Updating your listen blocks
Now that you have your Let's Encrypt certificate, we are going to update the listen blocks so UnrealIRCd will actually use the certificate and key file.

Most, if not all, networks have one SSL/TLS port open for users, and that is 6697. So find this block in your unrealircd.conf:

    /* Standard IRC SSL/TLS port 6697 */
    listen {
        ip *;
        port 6697;
        options { tls; };
    };

And change it to make it use your Let's Encrypt certificate. In this example we will assume your hostname (for the certificate) is irc.example.org. Naturally you must replace the name/path with your real certificate:

    /* Standard IRC SSL/TLS port 6697 */
    listen {
        ip *;
        port 6697;
        options { tls; };
        tls-options {
            /* Always point at live/, not archive/: the files in live/ are symlinks
               that certbot updates on every renewal, while archive/ holds the
               numbered historical copies (privkey1.pem, privkey2.pem, ...). */
            certificate "/etc/letsencrypt/live/irc.example.org/fullchain.pem";
            key "/etc/letsencrypt/live/irc.example.org/privkey.pem";
        };
    };

After this, /REHASH the IRC server. Ensure that it does not display any errors in ircd.log or on IRC when you rehash as an IRCOp.

Making sure it works
You could manually connect with an IRC client to the SSL/TLS port 6697. Have a look at the certificate to make sure that it is now trusted.
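As an added example (not part of the UnrealIRCd documentation), the same check can be scripted so a cron job notices when the port no longer presents a trusted Let's Encrypt certificate or when automatic renewal has silently stopped. It assumes the hostname irc.example.org from this guide; the sample certificate dict is constructed to mirror what Python's getpeercert() returns.

```python
import socket
import ssl
import sys
import time

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "irc.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "irc.example.org"),),
}


def summarize_peercert(cert, hostname, now_ts=None):
    """Return (issuer organization, whole days until expiry, hostname in SAN)."""
    issuer = {name: value for rdn in cert["issuer"] for name, value in rdn}
    expires_ts = ssl.cert_time_to_seconds(cert["notAfter"])  # always UTC
    now_ts = time.time() if now_ts is None else now_ts
    days_left = int((expires_ts - now_ts) // 86400)
    dns_names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return issuer.get("organizationName"), days_left, hostname in dns_names


def check_irc_tls(hostname, port=6697, timeout=10):
    """Connect to the client TLS port and let the system trust store validate
    the chain. An untrusted chain or a name mismatch raises
    ssl.SSLCertVerificationError, which is exactly what the self-signed
    server-link certificate would produce if it were wrongly served here."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize_peercert(tls.getpeercert(), hostname)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "irc.example.org"
    org, days, san_ok = check_irc_tls(host)
    print(f"{host}:6697 issuer={org!r} days_left={days} san_match={san_ok}")
    # certbot renews around 30 days before expiry; fewer than 14 days left
    # means the renewal cron/timer or the rehash after renewal is not working.
    sys.exit(0 if san_ok and days > 14 else 1)
```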

Or, you can visit a site like https://www.sslshopper.com/ssl-checker.html and enter there:  (so the name of your IRC server followed by :6697). After the test it should show you many green checkmarks. See below for an example: