I’ve recently set up ZNC - an IRC bouncer, to help me stay logged in on IRC. Although I’m not yet done with the whole setup, I’ve decided to add a valid certificate. Of course, I use Let’s Encrypt for this purpose.
To issue a certificate you can use:
certbot certonly --standalone -d DOMAIN -n -m YOUREMAIL --agree-tos
Certificate for the ZNC service on FreeBSD is located at:
/usr/local/etc/znc/znc.pem
and it’s structured like:
---PRIVATEKEY---
---CERTIFICATE---
---DHParams---
So you probably need to use same structure in that file to have it working properly.
With Let’s Encrypt certificates you need to add full chain (with CA certificate) to that file in order to stop complaints from IRC clients connecting to the server because otherwise, IRC clients such as Konversation prints a warning that it can’t verify the certificate issuer.
Anyhow, to automate renewal process I’ve wrote a little script that replaces certificate when it’s renewed. I assume script is saved into:
/root/bin/le_znc.sh
file and that it has execute permissions. Full script is as follows:
#!/usr/bin/env sh
DOMAIN=irc.tomica.net
ZNC_CERT=/usr/local/etc/znc/znc.pem
LE_FULLCHAIN=/usr/local/etc/letsencrypt/live/"$DOMAIN"/fullchain.pem
LE_PRIVKEY=/usr/local/etc/letsencrypt/live/"$DOMAIN"/privkey.pem
DHPARAMS_PATH=/usr/local/etc/ssl
DHPARAMS="$DHPARAMS_PATH"/dhparams.pem
DATE=$(date +%Y%m%d)
# Check if DHParameters exist
if [ ! -f $DHPARAMS ] ; then
mkdir -p "$DHPARAMS_PATH"
openssl dhparam -out "$DHPARAMS" 2048
fi
mv "$ZNC_CERT" "$ZNC_CERT"-"$DATE"
cat "$LE_PRIVKEY" > "$ZNC_CERT"
cat "$LE_FULLCHAIN" >> "$ZNC_CERT"
cat "$DHPARAMS" >> "$ZNC_CERT"
service znc restart > /dev/null 2>&1
From there, you only need to add cron job to call the script periodically. I’ve set mine to once a week:
0 0 * * 1 /usr/local/bin/certbot renew --standalone --post-hook "/root/bin/le_znc.sh"
I probably don’t need to mention, but I’ll do it anyways. You can use this script after issuing the certificate for the first time as well in order to install that certificate in place of self-signed one that’s automatically generated by ZNC on install time.