# UnrealIrcd + SSL / certs [SOLVED]

## HeXiLeD

After spending all night setting up unrealircd and reading the docs... everything went fine until ...  the ssl certificate.

It seems that in order to create another ssl certificate for the ircd, the ebuild doesn't provide any "easy way".

In other words, if we compile unrealircd manually we are asked about the details that we wish to put in the certificate.

Well, I emerged it ..

and later compiled manually in another box ...

and now I need some desperate help.

I spent the whole night trying to use openssl to manually create a certificate to work with the ebuild install, and things went almost perfect, until the point that to start the ircd I had to use " # unrealircd " and not "/etc/init.d/unrealircd start".

It seems that my effort to create a certificate was unhappy, as for some reason the init script never liked my work and was never willing to start the ircd with my certs.

So I am now requesting some help with something that later can and should be added to the ebuild:

a script to generate the certificate as it needs to be generated.

Details of what the ebuild does by default:

```
 * Generating 1024 bit RSA key for CA ...
 * Generating Certificate Signing Request for CA ...
 * Generating self-signed X.509 Certificate for CA ...
 * Generating 1024 bit RSA key ...
 * Generating Certificate Signing Request ...
 * Generating authority-signed X.509 Certificate ...
 * Generating PEM Certificate ...
```

and this creates these files:

server.cert.crt

server.cert.csr

server.cert.key

server.cert.pem

server.key.pem

If it helps, I checked the code from the manual install that I got here:

http://unrealircd.alert-net.com/Unreal3.2.4.tar.gz

```
pem:    src/ssl.cnf
	@echo "Generating certificate request .. "
	$(OPENSSLPATH) req -new \
	      -config src/ssl.cnf -out server.req.pem \
	      -keyout server.key.pem -nodes
	@echo "Generating self-signed certificate .. "
	$(OPENSSLPATH) req -x509 -days 365 -in server.req.pem \
	       -key server.key.pem -out server.cert.pem
	@echo "Generating fingerprint .."
	$(OPENSSLPATH) x509 -subject -dates -fingerprint -noout \
	        -in server.cert.pem
	@echo "Setting o-rwx & g-rwx for files... "
	chmod o-rwx server.req.pem server.key.pem server.cert.pem
	chmod g-rwx server.req.pem server.key.pem server.cert.pem
	@echo "Done!. If you want to encrypt the private key, run"
	@echo "make encpem"

encpem: server.key.pem
	@echo "Encrypting server key .."
	$(OPENSSLPATH) rsa -in server.key.pem -out server.key.c.pem -des3
	-@if [ -f server.key.c.pem ] ; then \
	        echo "Replacing unencrypted with encrypted .." ; \
	        cp server.key.c.pem server.key.pem ; \
	        rm -f server.key.c.pem ; \
	fi
```

If anyone could make some auto script to create the certificates, it would be very useful.

Something like ./create_ssl_cert

----------

## HeXiLeD

so far ....

```
/usr/bin/openssl req -new -out server.req.pem -keyout server.key.pem -nodes
/usr/bin/openssl req -x509 -days 365 -in server.req.pem -key server.key.pem -out server.cert.pem
/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in server.cert.pem
chmod o-rwx server.req.pem server.key.pem server.cert.pem
chmod g-rwx server.req.pem server.key.pem server.cert.pem
```

However .. the init script fails to start the ircd if I generate the certs like this. It works, but without being able to use the init script.

----------

## HeXiLeD

Conclusions:

If one is using the unrealircd ebuild package, one will be somehow limited in a few things.

To start with, unrealircd will be installed in / and the confs in /etc.

I guess if one is running it for some fun and not on a production server, one can get away with some security concerns (but they don't go away).

Plus by default it will run as root (this is a no! no!).

If one doesn't change the default ssl certs, everything will work perfectly.

However, if one creates their own certs, the problem that I posted above will happen and the init scripts will fail!

(this needs a fix)

Then, to create own ssl certs after the install, one needs to run this:

```
/usr/bin/openssl req -new -out server.req.pem -keyout server.key.pem -nodes
/usr/bin/openssl req -x509 -days 365 -in server.req.pem -key server.key.pem -out server.cert.pem
/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in server.cert.pem
chmod o-rwx server.req.pem server.key.pem server.cert.pem
chmod g-rwx server.req.pem server.key.pem server.cert.pem
```

This happens because the ebuild doesn't provide something like what the manual install package provides,

i.e. $ make pem

```
 $ make pem
Generating certificate request ..
/usr/bin/openssl req -new \
              -config src/ssl.cnf -out server.req.pem \
              -keyout server.key.pem -nodes
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'server.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name [US]: 
```

Overview:

It's way better to install unrealircd manually than using the ebuild.

Manual compilation of this ircd will allow a better and more custom install, as well as fewer security concerns,

i.e.:

create a specific group, create a specific user and put it in that group, chmod 'him' to 700 and install the ircd in its /home

```
# groupadd unreal
# useradd -m -g unreal -s /bin/bash unreal
# passwd unreal
# su unreal
$ cd /home/unreal
$ wget http://unrealircd.alert-net.com/Unreal3.2.4.tar.gz
$ gzip -d Unreal3.2.4.tar.gz && tar -xvf Unreal3.2.4.tar
$ cd Unreal3.2
$ ./Config
```

Follow: www.vulnscan.org/UnrealIrcd/unreal32docs.html

and www.vulnscan.org/UnrealIRCd/faq/

and you are good to go.

As for something to replace the init.d scripts, just type ./unreal in the unreal dir.

As to making it work as a 'service', a simple crontab entry like this should do just fine.

```
# /etc/crontab format (user field after the schedule); user and path as created above
@reboot unreal cd /home/unreal/Unreal3.2 && ./unreal start
```

The ebuild will be ok for lazy or inexperienced users; however, I completely recommend manual compilation/install.

In my point of view the ebuild needs a 'fix', or at least something like $ make pem to help with generating the ssl certs.

I have solved this 'topic issue' by choosing manual compilation of the package.

----------
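An added example (not part of the posts above, the ebuild, or the UnrealIRCd sources): a non-interactive `create_ssl_cert` of the kind requested in the thread, writing the same three file names as the `make pem` target. The 2048-bit key, SHA-256 digest, `/CN=` subject and the `verify_ssl_cert` helper are assumptions of this example.

```shell
#!/bin/sh
# create_ssl_cert DIR COMMON_NAME
# Added example: not part of the ebuild or of UnrealIRCd. File names follow
# the `make pem` target; key size, digest and subject are assumptions.

create_ssl_cert() {
    dir=$1 cn=$2
    [ -n "$dir" ] && [ -n "$cn" ] || { echo "usage: create_ssl_cert DIR CN" >&2; return 2; }
    (
        umask 077    # every file is created owner-only, before any key bytes hit disk
        mkdir -p "$dir" && cd "$dir" || exit 1
        # Key + request in one step; -subj replaces the interactive DN prompts.
        openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$cn" \
            -keyout server.key.pem -out server.req.pem 2>/dev/null || exit 1
        # Self-sign the request with its own key (same step as `make pem`).
        openssl req -x509 -sha256 -days 365 -in server.req.pem \
            -key server.key.pem -out server.cert.pem 2>/dev/null || exit 1
        # Covers files that already existed with looser permissions.
        chmod 600 server.req.pem server.key.pem server.cert.pem
    )
}

# Succeeds only if the key belongs to the certificate, the certificate has not
# expired, and the key is unreadable by group and others.
verify_ssl_cert() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/server.key.pem" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$dir/server.cert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$dir/server.cert.pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 1; }
    case $(ls -l "$dir/server.key.pem") in
        -r[w-]-------*) ;;
        *) echo "server.key.pem is readable by group or others" >&2; return 1 ;;
    esac
}

# Run as a script: ./create_ssl_cert /path/to/confdir irc.example.org
if [ "$#" -ge 2 ]; then
    create_ssl_cert "$1" "$2" && verify_ssl_cert "$1" &&
        openssl x509 -subject -dates -fingerprint -noout -in "$1/server.cert.pem"
fi
```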

