Installing a Let’s Encrypt certificate for ZNC

I’ve been running ZNC, an IRC bouncer that I use for maintaining a presence in channels while I’m offline and keeping logs so I don’t miss conversations. As it’s been using a self-signed certificate for a while, I thought I’d finally get around to creating a proper domain validated certificate using Let’s Encrypt.

As the system on which I was running ZNC was too old to run the official Let’s Encrypt client, I opted for a shell-script-only version. First, install acme.sh (and it’s generally good practice to audit it so that you know what it’s doing):

Now that’s done, create the account and domain keys:

Domain certificates? Account keys? What’s all this, then?

Let’s Encrypt “is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG)”. The service and its clients implement the ACME protocol (at the time of writing still an IETF draft), which describes an automated process for verifying control of a domain and issuing certificates for it. The certificates issued are Domain Validated: they only attest that you are in control of the domain, and carry no further information such as the legal entity responsible for the domain, or any verification that the requester was affiliated with or representative of that legal entity. In short, the certificate proves control of the domain, but says nothing about who “you” are.

Your account key, created with the --createAccountKey option, is a private key used to register an account with the CA and to sign every subsequent request made under that account. Using --createDomainKey generates a separate private key for the domain itself; this is the key the certificate will be bound to, and the one ZNC will eventually serve with. Running acme.sh --createCSR creates a certificate signing request: the CSR itself is signed with the domain private key, and when it is submitted the ACME message carrying it is signed with the account private key. So far this has all been local preparatory work, with no communication with the issuing server.

Now that the preparations are complete, it’s time to contact the Let’s Encrypt service, register the account and make the request. When the request is made, the issuing service responds with a challenge to prove that you are in control of the domain: you must produce responses derived from the challenge tokens and your account key, and serve them as files over HTTP/HTTPS under the .well-known/acme-challenge/ URL path of your domain. Run the issuing script with its standalone web server so that it requests the certificate and serves those challenge responses itself. sudo is needed because the standalone server listens on port 80:

As you’ll note in the output, this stores your certificate under ~/.acme.sh/domain.example.com. Concatenate the certificate and the domain key into a single znc.pem file and copy it into the .znc directory:

Visit your znc admin page in your browser and you can see it in action.
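The whole procedure above, as an added example that is not part of the original post or of the acme.sh/ZNC projects. It assumes acme.sh is already installed at $ACME_HOME/acme.sh (the post's first step), that ZNC's data directory is $ZNC_DIR, and that the hostname is a placeholder you replace with your bouncer's real name. The znc.pem assembly is broken out into a function that checks its inputs and file mode before the private key ever touches disk, plus a check that the key and certificate in the result actually belong together.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh/ZNC: the
# issue-and-install steps the post describes, with znc.pem assembly and
# sanity checks broken out into functions. Hostname below is a placeholder.

DOMAIN="${DOMAIN:-znc.example.com}"          # assumption: your bouncer's name
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"     # where acme.sh was installed
ZNC_DIR="${ZNC_DIR:-$HOME/.znc}"             # ZNC data directory

# Count PEM blocks of one type ("CERTIFICATE" or "PRIVATE KEY") in a file.
# "RSA PRIVATE KEY" headers from older OpenSSL builds are counted too.
count_pem_blocks() {
    grep -c "^-----BEGIN [A-Z ]*$2-----" "$1"
}

# Build znc.pem from the issued certificate (fullchain.cer, so the
# intermediate is included) followed by the domain key. Writes nothing if an
# input is missing or is not the kind of PEM it should be, and creates the
# output with mode 600 from the start because it holds the private key.
assemble_znc_pem() {
    cert="$1"; key="$2"; out="$3"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing input file" >&2; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "$cert is not a certificate" >&2; return 1; }
    grep -q '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key" \
        || { echo "$key is not a private key" >&2; return 1; }
    rm -f "$out"
    # umask in a subshell so only this file is created restrictively
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

# Confirm the key and the (first) certificate in znc.pem belong together by
# comparing their public keys; works for RSA and EC. Skipped without openssl.
pem_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping check" >&2; return 0; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$1") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The post's procedure end to end. Not run automatically: set RUN_ISSUE=1 on
# the host that port 80 for $DOMAIN actually reaches.
issue_for_znc() {
    acme="$ACME_HOME/acme.sh"
    # Account key (signs ACME requests) and the domain key. RSA is requested
    # explicitly so acme.sh keeps the files under $ACME_HOME/$DOMAIN instead
    # of the _ecc directory it uses for EC keys.
    "$acme" --createAccountKey
    "$acme" --createDomainKey -d "$DOMAIN" --keylength 2048
    # Standalone HTTP-01: acme.sh serves /.well-known/acme-challenge/ itself,
    # which is why it needs root to bind port 80.
    sudo "$acme" --home "$ACME_HOME" --issue --standalone -d "$DOMAIN" --keylength 2048
    assemble_znc_pem "$ACME_HOME/$DOMAIN/fullchain.cer" \
                     "$ACME_HOME/$DOMAIN/$DOMAIN.key" "$ZNC_DIR/znc.pem" || return 1
    pem_key_matches_cert "$ZNC_DIR/znc.pem" || { echo "key/cert mismatch" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 \
        && openssl x509 -noout -subject -enddate -in "$ZNC_DIR/znc.pem"
    echo "znc.pem installed; restart ZNC so its listeners load the new certificate"
}

if [ "${RUN_ISSUE:-0}" = 1 ]; then issue_for_znc; fi
```

Two things worth knowing before running it: because the issue step runs under sudo, the files acme.sh writes under $ACME_HOME/$DOMAIN end up root-owned, exactly as in the post's own flow, so run the assembly with enough privilege to read them and then make sure znc.pem is owned by the user ZNC runs as. And acme.sh installs a cron job that renews the certificate, but nothing re-runs the concatenation; wire assemble_znc_pem into acme.sh's --install-cert ... --reloadcmd hook (or a small cron entry of your own) so a renewed certificate actually reaches ZNC.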

A good step-by-step demonstration and explanation of what is happening can be found in the README.md of Daniel Roesler’s letsencrypt-nosudo. That script works out which steps need to be taken and displays the commands the user can then execute manually to perform each one.

Edit: Added explanation of what’s happening under the hood.
