To create new wiki account, please join us on #znc at Libera.Chat and ask admins to create a wiki account for you. You can say thanks to spambots for this inconvenience.

Signed SSL certificate

From ZNC
Revision as of 15:18, 25 December 2012 by >Resistance (Added a general recommendation that if you're not the only person using the ZNC instance, you may want to consider using signed SSL certificates. Also added link to a few SSL certificate providers, including those which have instructions here.)
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

If you're not going to be the only person using the ZNC instance, you may want to consider using signed SSL certificates. Signed SSL certificates are generated by third-party companies, such as StartSSL, PositiveSSL, VeriSign, or others, and will not cause "self-signed certificate" errors when used with an IRC client.

General advice

znc.pem must contain everything in order from the "most private" to the "most public" key.

E.g. it may be something like this, if CA provides only 1 root cert in the chain:

cat your-certificate-private.key > znc.pem
cat your-certificate.crt >> znc.pem
cat ca-root.crt >> znc.pem

Below you may find more specific instructions how to configure certs from few CAs, contributed by various people.

StartSSL

If you want to use your StartSSL web server certificate in ZNC, you need to put your private key and the your certificate into ~/.znc/znc.pem:

cat server.key znc.pem > znc.pem

Remember to replace server.key and znc.pem with the correct filenames and relevant paths.

The certificate now gets validated, but the validation fails, since the root certificate is properly not know on your machine (while most browser come built-in with the root certificate). So you either make the certificate known to your machine (and all your ZNC users) or your put the root cert into your znc.pem file like the following:

  1. cd ~/.znc/
  2. wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O startssl.com.root.pem
  3. cat startssl.com.root.pem >> znc.pem

It seems the order in your znc.pem must be "key", "own cert" and "root cert". If you get connection errors, make sure you done it right. You can test your certificate without connecting to znc with the following command:

openssl s_client -showcerts -connect domain.tld:6667

Change the domain and port to your domain and znc's listening port.

PositiveSSL

This is how I created a Positive SSL certificate for znc.

  1. openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
  2. Submit server.csr to PositiveSSL
  3. Once you receive your SSL Bundle zip, uncompress
  4. cat myserver.key > ~/.znc/znc.pem
  5. cat host_domain_com.crt >> ~/.znc/znc.pem
  6. cat PositiveSSLCA.crt >> ~/.znc/znc.pem
  7. cat UTNAddTrustServerCA.crt >> ~/.znc/znc.pem

That should do it. Drop a note on my Wiki Page if you need any more help.

To use a PositiveSSL, this seemed to be the recipe