Ivan Tomica

ZNC with Let’sEncrypt

I’ve recently set up ZNC, an IRC bouncer, to help me stay logged in on IRC. Although I’m not yet done with the whole setup, I’ve decided to add a valid certificate. Of course, I use Let’s Encrypt for this purpose.

To issue a certificate you can use:

certbot certonly --standalone -d DOMAIN -n -m YOUREMAIL --agree-tos

On FreeBSD, the certificate for the ZNC service is located at:

/usr/local/etc/znc/znc.pem

and it’s structured like:

---PRIVATEKEY---
---CERTIFICATE---
---DHParams---

So you probably need to keep the same structure in that file for it to work properly.

With Let’s Encrypt certificates you need to add the full chain (with the CA certificate) to that file; otherwise IRC clients such as Konversation print a warning that they can’t verify the certificate issuer.

Anyhow, to automate the renewal process I’ve written a little script that replaces the certificate whenever it’s renewed. I assume the script is saved as:

/root/bin/le_znc.sh

and that it has execute permissions. The full script is as follows:

#!/usr/bin/env sh
# Rebuild znc.pem from the current Let's Encrypt files and restart ZNC.
# Meant to run as root from certbot's --post-hook (see the cron line below).
# Abort on the first failure so a half-written bundle never reaches ZNC.
set -eu

DOMAIN=irc.tomica.net
ZNC_CERT=/usr/local/etc/znc/znc.pem
LE_FULLCHAIN=/usr/local/etc/letsencrypt/live/"$DOMAIN"/fullchain.pem
LE_PRIVKEY=/usr/local/etc/letsencrypt/live/"$DOMAIN"/privkey.pem
DHPARAMS_PATH=/usr/local/etc/ssl
DHPARAMS="$DHPARAMS_PATH"/dhparams.pem
DATE=$(date +%Y%m%d)

# Generate DH parameters once; this is slow, so they are kept across renewals
if [ ! -f "$DHPARAMS" ] ; then
        mkdir -p "$DHPARAMS_PATH"
        openssl dhparam -out "$DHPARAMS" 2048
fi

# Keep a dated copy of the previous bundle (note: it still holds the old private key)
if [ -f "$ZNC_CERT" ] ; then
        mv "$ZNC_CERT" "$ZNC_CERT"-"$DATE"
fi

# ZNC expects the private key, then the full chain, then the DH parameters, in this order
cat "$LE_PRIVKEY" > "$ZNC_CERT"
cat "$LE_FULLCHAIN" >> "$ZNC_CERT"
cat "$DHPARAMS" >> "$ZNC_CERT"

service znc restart > /dev/null 2>&1

From there, you only need to add a cron job to call the script periodically. I’ve set mine to run once a week:

0 0 * * 1 /usr/local/bin/certbot renew --standalone --post-hook "/root/bin/le_znc.sh"

I probably don’t need to mention it, but I’ll do it anyway: you can also run this script right after issuing the certificate for the first time, to install it in place of the self-signed certificate that ZNC generates automatically at install time.

2 Comments

  1. Eric Masser

    2019-08-13 - 10:54

    Hey, thanks for this guide. Just some notes: ZNC’s own wiki suggests that one can use certbot’s renewal hooks to run these kinds of scripts instead of cron, https://wiki.znc.in/Signed_SSL_certificate#Automating_znc.pem_creation. Another thing is that openssl recommends that DH parameters be generated using ‘openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_paramgen_prime_len:2048’.

    • Ivan Tomica

      2019-08-13 - 12:03

      Good point. Thank you for sharing the information! At the time I was writing this article, and was setting everything up, I think that page didn’t exist, so I made up my own solution :-) This was also done on a FreeBSD-based system if I’m not mistaken. But everything, except paths, should be the same.
