Ivan Tomica

ZNC with Let’sEncrypt

I’ve recently set up ZNC – an IRC bouncer, to help me stay logged in on IRC. Although I’m not yet done with the whole setup, I’ve decided to add a valid certificate. Of course, I use Let’s Encrypt for this purpose.

To issue a certificate you can use:

certbot certonly --standalone -d DOMAIN -n -m YOUREMAIL --agree-tos

Certificate for the ZNC service on FreeBSD is located at:

/usr/local/etc/znc/znc.pem

and it’s structured like:

---PRIVATEKEY---
---CERTIFICATE---
---DHParams---

So you probably need to use same structure in that file to have it working properly.

With Let’s Encrypt certificates you need to add full chain (with CA certificate) to that file in order to stop complaints from IRC clients connecting to the server because otherwise, IRC clients such as Konversation prints a warning that it can’t verify the certificate issuer.

Anyhow, to automate renewal process I’ve wrote a little script that replaces certificate when it’s renewed. I assume script is saved into:

/root/bin/le_znc.sh

file and that it has execute permissions. Full script is as follows:

#!/usr/bin/env sh

DOMAIN=irc.tomica.me
ZNC_CERT=/usr/local/etc/znc/znc.pem
LE_FULLCHAIN=/usr/local/etc/letsencrypt/live/"$DOMAIN"/fullchain.pem
LE_PRIVKEY=/usr/local/etc/letsencrypt/live/"$DOMAIN"/privkey.pem
DHPARAMS_PATH=/usr/local/etc/ssl
DHPARAMS="$DHPARAMS_PATH"/dhparams.pem
DATE=$(date +%Y%m%d)

# Check if DHParameters exist
if [ ! -f $DHPARAMS ] ; then
        mkdir -p "$DHPARAMS_PATH"
        openssl dhparam -out "$DHPARAMS" 2048
fi

mv "$ZNC_CERT" "$ZNC_CERT"-"$DATE"
cat "$LE_PRIVKEY" > "$ZNC_CERT"
cat "$LE_FULLCHAIN" >> "$ZNC_CERT"
cat "$DHPARAMS" >> "$ZNC_CERT"

service znc restart > /dev/null 2>&1

From there, you only need to add cron job to call the script periodically. I’ve set mine to once a week:

0 0 * * 1 /usr/local/bin/certbot renew --standalone --post-hook "/root/bin/le_znc.sh"

I probably don’t need to mention, but I’ll do it anyways. You can use this script after issuing the certificate for the first time as well in order to install that certificate in place of self-signed one that’s automatically generated by ZNC on install time.

About 
Sysadmin on the everlasting journey of learning. Always in search for an opportunity to prove myself and to learn something new. My addiction is learning and my main goal is to excel in every aspect of Linux/Unix system administration.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *