
Setting up certbot for use with UnrealIRCd

From UnrealIRCd documentation wiki

IMPORTANT: Using Let's Encrypt with UnrealIRCd is the main article. This sub-article below only deals with setting up certbot, including tweaking permissions so UnrealIRCd can actually read the certificate and key (otherwise you will have Permission denied errors).

Installing a recent certbot version

You need certbot 0.29.0 or later. Install your distribution's package, or download it manually from https://certbot.eff.org/

Then verify with certbot --version that you are running 0.29.0 or later.

Note about multi-server

This tutorial assumes a single IRC server is deployed, so we use the simple http-01 verification method. If you have multiple IRC servers on the network (with round-robin DNS, so that irc.example.net points to several servers), you will have to use another method, namely dns-01, which is more complex as it requires managing DNS records.

Acquire the certificate for the first time

NOTE: On some Debian distros you may have to apt install psmisc because the killall command is missing by default.

Now you need to acquire a certificate for the first time:

certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org --deploy-hook "killall -USR1 unrealircd"

Naturally, replace irc.example.org with the name of your server!

Some information regarding the deploy-hook:

  • The --deploy-hook "killall -USR1 unrealircd" means: send a USR1 signal to all unrealircd processes to reload the TLS certificate. This works perfectly if you have 1 unrealircd running on your server.
  • If you run multiple unrealircd processes on the same machine, then consider something like:
    --deploy-hook "su -c 'cd ~/unrealircd; ./unrealircd reloadtls' - unrealircdaccountnamehere"
    (Replace unrealircdaccountnamehere with the name of the account that runs unrealircd)

Here is example output of a successful session:

root@irc:~# certbot certonly --standalone --preferred-challenges http-01 -d irc.example.org --deploy-hook "killall -USR1 unrealircd"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for irc.example.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/irc.example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/irc.example.org/privkey.pem
   Your cert will expire on 2020-03-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@irc:~#

You are not done yet, be sure to keep on reading below.

Tweaking permissions on the key file

Right now you have a certificate and a key file, but only root can read these files. This is a problem, as UnrealIRCd does not run as root but under a low-privileged account. So we need to change the access permissions.

First of all, run the following:

chmod go+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Then, change the group ownership to the group of your irc user. For example, in my case I have a user irc with group irc and the certificate is for irc.example.org. So I do:

chown root:irc /etc/letsencrypt/live/irc.example.org /etc/letsencrypt/archive/irc.example.org/ -R
chmod g+rx,o-rwx /etc/letsencrypt/live/irc.example.org /etc/letsencrypt/archive/irc.example.org/ -R

NOTE: Be sure to change the group (irc) and certificate (irc.example.org) to match your situation in the above 2 commands!

Now, your files will look like this:

root@irc:/etc/letsencrypt# ls -al /etc/letsencrypt/live/irc.example.org/
total 12
drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
drwx--x--x 3 root root 4096 Dec 16 12:10 ..
lrwxrwxrwx 1 root irc    40 Dec 16 12:10 cert.pem -> ../../archive/irc.example.org/cert1.pem
lrwxrwxrwx 1 root irc    41 Dec 16 12:10 chain.pem -> ../../archive/irc.example.org/chain1.pem
lrwxrwxrwx 1 root irc    45 Dec 16 12:10 fullchain.pem -> ../../archive/irc.example.org/fullchain1.pem
lrwxrwxrwx 1 root irc    43 Dec 16 12:10 privkey.pem -> ../../archive/irc.example.org/privkey1.pem
-rw-r----- 1 root irc   692 Dec 16 12:10 README
root@irc:/etc/letsencrypt# ls -al /etc/letsencrypt/archive/irc.example.org/
total 24
drwxr-x--- 2 root irc  4096 Dec 16 12:10 .
drwx--x--x 3 root root 4096 Dec 16 12:10 ..
-rw-r----- 1 root irc  1911 Dec 16 12:10 cert1.pem
-rw-r----- 1 root irc  1647 Dec 16 12:10 chain1.pem
-rw-r----- 1 root irc  3558 Dec 16 12:10 fullchain1.pem
-rw-r----- 1 root irc  1708 Dec 16 12:10 privkey1.pem

This way only root and members of the irc group can read the key and certificate files.

Certbot 0.29.0 and later preserves the ownership and permissions of these files on renewal, so you don't need to chown/chmod them ever again.
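To confirm the three permission changes above actually took effect (and that the key did not end up world-readable), here is an added check script; it is not part of the UnrealIRCd wiki or of certbot. It takes the letsencrypt directory, the certificate name and the irc group as arguments, and uses only POSIX find so it runs on Linux and FreeBSD alike.

```shell
#!/bin/sh
# Added example (not from the UnrealIRCd wiki): verify the chmod/chown steps
# so UnrealIRCd, running as a member of the irc group, can read the key while
# no other local account can.
# Usage: check_cert_access /etc/letsencrypt irc.example.org irc
# Exit status 0 = all checks passed, 1 = something to fix (printed).
check_cert_access() {
    root=$1 name=$2 group=$3 fail=0

    # live/ and archive/ stay root:root but need the search bit for "others"
    # (chmod go+x), or the irc user cannot traverse into them at all.
    for d in "$root/live" "$root/archive"; do
        if [ -z "$(find "$d" -prune -perm -001 2>/dev/null)" ]; then
            echo "FAIL: missing o+x on $d (chmod go+x $d)"; fail=1
        fi
    done

    for d in "$root/live/$name" "$root/archive/$name"; do
        if [ ! -d "$d" ]; then
            echo "FAIL: no such directory $d"; fail=1; continue
        fi
        # Everything in the per-certificate dirs must belong to the irc group
        # (chown root:irc -R). Symlinks are skipped: certbot recreates them on
        # renewal and their own mode/group are irrelevant.
        bad=$(find "$d" ! -type l ! -group "$group")
        if [ -n "$bad" ]; then
            echo "FAIL: not in group $group:"; echo "$bad"; fail=1
        fi
        # ... and must carry no r/w/x bit for "others" (chmod o-rwx -R),
        # otherwise every local account could read the private key.
        bad=$(find "$d" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "$bad" ]; then
            echo "FAIL: accessible by others:"; echo "$bad"; fail=1
        fi
    done

    # Follow the live/ symlink to the current key and confirm the group can
    # read it (chmod g+rx); this is the bit "Permission denied" trips over.
    key="$root/live/$name/privkey.pem"
    if [ -z "$(find -L "$key" -perm -040 2>/dev/null)" ]; then
        echo "FAIL: $key is not group-readable"; fail=1
    fi
    return $fail
}

if [ $# -eq 3 ]; then
    check_cert_access "$@"
fi
```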

Periodic certificate renewal

Your certificate will be renewed automatically after around 30 days (well before the 90-day expiry). If renewal fails for some reason, you should receive email(s) about this from certbot a month from now.

On FreeBSD, you need to configure Let's Encrypt to check for certificate renewals on a weekly basis. To enable this, run the following command:

echo 'weekly_certbot_enable="YES"' >> /etc/periodic.conf

FIXME: On Debian or some other GNU/Linux distributions you may need an explicit cron job to handle certificate renewals? Ubuntu works fine, though.

Final step

Now, continue reading Using Let's Encrypt with UnrealIRCd: Updating your listen blocks.