IRCD-Hybrid SSL Setup/Explanation?


#1

I currently run a small IRC server with IRCD-Hybrid. Users connect through the same address as my website (which already has a proper certificate set up using Let's Encrypt). I allow secure connections to my IRC server through port 6697, but as of right now, I use a self-signed SSL certificate. I was wondering how easy it would be to link my current certificates to be used with IRCD-Hybrid. In my "/etc/letsencrypt/live/domainname/" folder, I have four different links to files related to my current certificate (cert.pem, chain.pem, fullchain.pem, and privkey.pem). Within IRCD-Hybrid's configuration files, it asks for the following (explanations attached):

/*
 * rsa_private_key_file: the path to the file containing the
 * RSA key. RSA keys with less than 2048 bits are no longer
 * supported.
 * Example commands to store a 2048 bit RSA key in rsa.key:
 * OpenSSL/LibreSSL:
 *   openssl genrsa -out rsa.key 2048
 * GnuTLS:
 *   certtool --generate-privkey --sec-param=medium --outfile rsa.key
 * Once the RSA key is generated, it is highly recommended to lock down
 * its file permissions:
 *   chown .<ircd.group> rsa.key
 *   chmod 0600 rsa.key
 */
rsa_private_key_file = "etc/rsa.key";

/*
 * ssl_certificate_file: the path to the file containing our
 * SSL certificate for encrypted client connection.
 * This assumes your private RSA key is stored in rsa.key. You
 * MUST have an RSA key in order to generate the certificate.
 * Example command:
 * OpenSSL/LibreSSL:
 *   openssl req -new -days 365 -x509 -key rsa.key -out cert.pem
 * GnuTLS:
 *   certtool --generate-self-signed --load-privkey rsa.key --outfile cert.pem
 */
ssl_certificate_file = "etc/cert.pem";

/*
 * ssl_dh_param_file: path to the PEM encoded Diffie-Hellman
 * parameter file. DH parameters are required when using
 * ciphers with EDH (ephemeral Diffie-Hellman) key exchange.
 * A DH parameter file can be created by running:
 * OpenSSL/LibreSSL:
 *   openssl dhparam -out dhparam.pem 2048
 * GnuTLS:
 *   certtool --generate-dh-params --sec-param=medium --outfile dhparam.pem
 */
ssl_dh_param_file = "etc/dhparam.pem";

I tried to mess with it a little bit in hopes of getting something working, but my server would immediately kill itself like I had done something wrong. This may have been related to permissions, however. Regardless, some explanation on how I would get this up and running would be fantastic!

Thank you!


#2

Most likely is permissions, the client makes the cert and key readable by root only.


#3

Yeah, that's what I was thinking... I know I have the primary key and certificate files, but which (if any) of the files I have belong in the "ssl_dh_param_file" parameter? Also, the Primary Key is in ".pem" format. Is there any issue with converting my Let's Encrypt Primary key to this format only for my IRC's use?

I’d love to just fix permissions and maybe make some scripts to do some copy/pasting/converting for me. Hopefully it’s that simple.

Thanks!


#4

You don't need to convert the private key; .key is sometimes used for a .pem file containing only a private key.
The DH parameters are unrelated to the cert, you’ll need to create them yourself.


#5

Alright, thanks for the explanation! Anywhere I can read up on how these files are related? I don’t like the idea of me using some service and not knowing exactly what’s being generated and why.

Cheers! I’ll try to get this all working later tonight!


#6

The documentation is here. But to summarize: privkey.pem will always be needed; some servers need cert.pem and chain.pem, while others just need fullchain.pem. (In this case IRCD-Hybrid needs fullchain.pem.)


#7

Ah, alright. That link is very helpful! So I would assume, rather than using “cert.pem”, I would use “fullchain.pem” in its place, since that contains the certificate and other information required by IRCD-Hybrid?


#8

Yes, if you just use cert.pem then newer clients that check certs won't be able to connect (many older IRC clients just blindly accepted anything).
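
Putting the thread's pieces together (privkey.pem as the RSA key, fullchain.pem as the certificate, DH params generated locally, permissions locked down for the ircd user), here is a deploy script written as an added example; it is not code from the thread, from certbot or from ircd-hybrid, and the destination directory, the ircd user name and the target file names rsa.key/cert.pem/dhparam.pem are assumptions:

```shell
#!/bin/sh
# Deploy-hook style script: copies the Let's Encrypt files into the
# ircd-hybrid etc dir under the names the config snippet expects, locks
# down permissions, and generates DH params once (they never come from
# the CA). Paths, user name and target names are assumptions.
set -eu

# Which Let's Encrypt file feeds which ircd-hybrid option.
le_file_for() {
    case "$1" in
        rsa_private_key_file) echo "privkey.pem" ;;
        ssl_certificate_file) echo "fullchain.pem" ;;  # cert.pem alone breaks chain-verifying clients
        ssl_dh_param_file)    echo "" ;;               # generated locally, not issued by Let's Encrypt
        *) return 1 ;;
    esac
}

install_ircd_tls() {
    live="$1"      # certbot live dir, e.g. /etc/letsencrypt/live/example.org (assumed)
    dest="$2"      # ircd-hybrid etc dir, e.g. /usr/local/ircd/etc (assumed)
    owner="${3:-}" # ircd user, e.g. ircd (assumed); empty leaves ownership alone
    # -L dereferences certbot's symlinks so ircd gets real files it can read
    cp -L "$live/$(le_file_for rsa_private_key_file)" "$dest/rsa.key"
    cp -L "$live/$(le_file_for ssl_certificate_file)" "$dest/cert.pem"
    [ -f "$dest/dhparam.pem" ] || openssl dhparam -out "$dest/dhparam.pem" 2048
    [ -z "$owner" ] || chown "$owner" "$dest/rsa.key" "$dest/cert.pem" "$dest/dhparam.pem"
    chmod 0600 "$dest/rsa.key"                   # key readable by the ircd user only
    chmod 0644 "$dest/cert.pem" "$dest/dhparam.pem"
}

# Check before restarting ircd: the key in rsa.key must belong to the
# leaf certificate in cert.pem (compares the public key derived from each).
tls_files_match() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run it as root from a certbot deploy hook so the copy happens on every renewal, then restart or rehash ircd-hybrid.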


#9

Coming back just to say that it works fantastically! It was indeed a permissions issue, but I'm glad I now better understand what each file is for, for the future!

Thanks a ton!
