From 982325fc825aa9a8cdb8a07c16c723024c651448 Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Fri, 5 Jun 2026 16:06:47 +0200
Subject: [PATCH] Move "make pem" to "./unrealircd makecert" and make tools use this and refer to this as well.
Suggested by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6610 This also moves extras/tls.cnf to doc/conf/tls/tls.cnf which also gets installed in ~/unrealircd/conf/tls/ (or whatever CONFDIR is) And just to be clear: this means you can run "./unrealircd makecert" without needing to go into BUILDDIR (or even having it at all). At the same time, the generation commands have been modified slightly so two warnings during certificate generation are no longer there.
---
 Config | 2 +-
 Makefile.in | 22 ++-------
 {extras => doc/conf/tls}/tls.cnf | 4 --
 src/tls.c | 6 +--
 src/windows/makecert.bat | 3 +-
 src/windows/unrealinst.iss | 2 +-
 unrealircd.in | 76 +++++++++++++++++++++++++++++++-
 7 files changed, 85 insertions(+), 30 deletions(-)
 rename {extras => doc/conf/tls}/tls.cnf (92%)
diff --git a/Config b/Config
index b0ab1887c..a8ba37d5e 100755
--- a/Config
+++ b/Config
@@ -188,7 +188,7 @@ if [ "$QUICK" != "1" ] ; then
 echo "*******************************************************************************"
 echo "Press ENTER to continue"
 read cc
- $MAKE pem
+ ./unrealircd makecert
 echo "Certificate created successfully."
 sleep 1
 else
diff --git a/Makefile.in b/Makefile.in
index 25083ef0b..5316f0b18 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -224,6 +224,7 @@ install: all
 fi
 $(INSTALL) -m 0700 -d $(DESTDIR)@CONFDIR@/tls
 $(INSTALL) -m 0600 doc/conf/tls/curl-ca-bundle.crt $(DESTDIR)@CONFDIR@/tls
+ $(INSTALL) -m 0600 doc/conf/tls/tls.cnf $(DESTDIR)@CONFDIR@/tls
 @# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades:
 rm -rf $(DESTDIR)@MODULESDIR@/cap
 $(INSTALL) -m 0700 -d $(DESTDIR)@MODULESDIR@/third
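Review bot: The exit status of `./unrealircd makecert` is not checked, so the `echo "Certificate created successfully."` right after it is printed even when the new command fails — and it now fails explicitly (`exit 1`) when tls.cnf cannot be found or an openssl step errors — unless Config runs under `set -e`, which this hunk does not show. The old `$MAKE pem` had the same weakness, but since the replacement reports failures it is worth acting on them: `./unrealircd makecert || { echo "ERROR: certificate generation failed."; exit 1; }`. Note also that makecert writes directly into CONFDIR/tls rather than the build directory, so a key now lands in the install tree before `make install` has run; that appears intended per the commit message. The enclosing `if [ "$QUICK" != "1" ]` block starts and ends outside the hunk.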
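Review bot: `tls.cnf` is now installed unconditionally into `@CONFDIR@/tls` via `$(INSTALL)`, which overwrites it on every `make install`; since the file now lives in the admin's conf directory and carries editable defaults (organization, commonName), any local edits are silently lost on upgrade. If that is not intended, guard it the way the removed certificate install did: `@if [ ! -f "$(DESTDIR)@CONFDIR@/tls/tls.cnf" ]; then $(INSTALL) -m 0600 doc/conf/tls/tls.cnf $(DESTDIR)@CONFDIR@/tls; fi` — otherwise a one-line comment saying the template is refreshed on each install would save the next admin a surprise. The `install` rule starts and ends outside this hunk.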
@@ -234,11 +235,6 @@ install: all
 $(INSTALL) -m 0700 -d $(DESTDIR)@CACHEDIR@
 $(INSTALL) -m 0700 -d $(DESTDIR)@PERMDATADIR@
 $(INSTALL) -m 0700 -d $(DESTDIR)@LOGDIR@
- -@if [ ! -f "$(DESTDIR)@CONFDIR@/tls/server.cert.pem" ] ; then \
- $(INSTALL) -m 0600 server.req.pem $(DESTDIR)@CONFDIR@/tls ; \
- $(INSTALL) -m 0600 server.key.pem $(DESTDIR)@CONFDIR@/tls ; \
- $(INSTALL) -m 0600 server.cert.pem $(DESTDIR)@CONFDIR@/tls ; \
- fi
 @rm -f $(DESTDIR)@SCRIPTDIR@/source
 ln -s @BUILDDIR@ $(DESTDIR)@SCRIPTDIR@/source
 @echo ''
@@ -268,19 +264,9 @@ install: all
 echo 'Again, be sure to change to the @SCRIPTDIR@ directory!' ; \
 fi
-pem: extras/tls.cnf
- @echo "Generating server key..."
- $(OPENSSLPATH) ecparam -out server.key.pem -name secp384r1 -genkey
- @echo "Generating certificate request..."
- $(OPENSSLPATH) req -new \
- -config extras/tls.cnf -sha256 -out server.req.pem \
- -key server.key.pem -nodes
- @echo "Generating self-signed certificate..."
- $(OPENSSLPATH) req -x509 -days 3650 -sha256 -nodes -in server.req.pem \
- -key server.key.pem -out server.cert.pem
- @echo "Setting permissions on server.*.pem files..."
- chmod o-rwx server.req.pem server.key.pem server.cert.pem
- chmod g-rwx server.req.pem server.key.pem server.cert.pem
+pem:
+ @echo "The command 'make pem' is no longer used to generate the TLS certificate."
+ @echo "Please run './unrealircd makecert' instead."
 Makefile: config.status Makefile.in
 ./config.status
diff --git a/extras/tls.cnf b/doc/conf/tls/tls.cnf
similarity index 92%
rename from extras/tls.cnf
rename to doc/conf/tls/tls.cnf
index 46a961159..d768febe8 100644
--- a/extras/tls.cnf
+++ b/doc/conf/tls/tls.cnf
@@ -4,7 +4,6 @@
 # Note: RSA bits is ignored, as we use ECC now
 default_bits = 2048
 distinguished_name = req_dn
-x509_extensions = cert_type
 [ req_dn ]
 countryName = Country Name
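Review bot: The new `pem` stub exits successfully after printing that the command is obsolete, so any script or old howto that still runs `make pem && make install` proceeds as if a certificate had been generated; with the `server.*.pem` copy gone from the install rule (previous hunk), the problem only surfaces when the IRCd refuses to start. Make the deprecated target fail, e.g. add `@exit 1` as its last recipe line, so the caller stops at the message. Since it no longer has a prerequisite it should also be declared phony (`.PHONY: pem`) if the Makefile keeps such a list — not visible in this hunk.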
@@ -26,6 +25,3 @@ organizationalUnitName_default = IRCd
 0.commonName = Common Name (Full domain of your server)
 1.commonName_value = localhost
-[ cert_type ]
-nsCertType = server
diff --git a/src/tls.c b/src/tls.c
index a6812900d..6d409c338 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -358,7 +358,7 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
 {
 unreal_log(ULOG_ERROR, "config", "TLS_LOAD_FAILED_DEFAULT_CERT", NULL,
 "It seems the default certificate is missing. "
- "Run 'make pem && make install' in the UnrealIRCd source directory "
+ "Run './unrealircd makecert' "
 "to generate a self-signed cert.");
 }
 goto fail;
@@ -457,8 +457,8 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
 {
 unreal_log(ULOG_ERROR, "config", "TLS_CERTIFICATE_CHECK_FAILED", NULL,
 "There is a problem with your TLS certificate: $quality_check_error\n"
- "If you use the standard UnrealIRCd certificates then you can simply run 'make pem' and 'make install' "
- "from your UnrealIRCd source directory (eg: ~/unrealircd-6.X.Y/) to create and install new certificates",
+ "If you use the standard UnrealIRCd certificates then you can simply run './unrealircd makecert' "
+ "to create and install new certificates",
 log_data_string("quality_check_error", errstr));
 goto fail;
 }
diff --git a/src/windows/makecert.bat b/src/windows/makecert.bat
index 572626267..64ff6ca18 100755
--- a/src/windows/makecert.bat
+++ b/src/windows/makecert.bat
@@ -1,6 +1,5 @@
 @title Certificate Generation
 SET OPENSSL_CONF=tls.cnf
 openssl ecparam -out ../conf/tls/server.key.pem -name secp384r1 -genkey
-openssl req -new -config tls.cnf -out ../conf/tls/server.req.pem -key ../conf/tls/server.key.pem -nodes
-openssl req -x509 -config tls.cnf -days 3650 -sha256 -in ../conf/tls/server.req.pem -key ../conf/tls/server.key.pem -out ../conf/tls/server.cert.pem
+openssl req -new -x509 -config tls.cnf -key ../conf/tls/server.key.pem -days 3650 -sha256 -out ../conf/tls/server.cert.pem
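Review bot: With the `[ cert_type ]` section removed here and `x509_extensions = cert_type` removed in the previous hunk, the config no longer declares any X.509v3 extensions, so what ends up in the self-signed certificate is whatever the local OpenSSL's `req -x509` adds by default — in OpenSSL 3.x that is, as far as I recall, subjectKeyIdentifier/authorityKeyIdentifier plus a `basicConstraints` with `CA:TRUE`, i.e. the leaf certificate would advertise itself as a CA; please verify against the OpenSSL version you target. Dropping the deprecated `nsCertType` is the right call, but I would replace it with an explicit server-leaf extension section so the result does not depend on the OpenSSL build, and keep `x509_extensions` in the `[ req ]` section pointing at it; a `subjectAltName` would be the next step, since modern TLS clients ignore a CN-only name, though it cannot be hard-coded in a prompt-driven template.
```ini
x509_extensions = v3_server

# … unchanged: [ req_dn ] prompts …

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
```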
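Review bot: The Windows helper now diverges from the Unix `makecert` in two ways that matter: it overwrites an existing `server.key.pem`/`server.cert.pem` without confirmation or backup, and the `openssl req` line runs even if `ecparam` failed, with the batch file exiting 0 either way, so a missing `openssl` on PATH or a broken `tls.cnf` leaves a half-written key pair and no error for the caller. At minimum add a failure check after each openssl line, e.g. `if errorlevel 1 exit /b 1`, so the script stops at the first problem. Whether `SET OPENSSL_CONF=tls.cnf` is still needed next to `-config tls.cnf` is worth a look too; both only resolve relative to the current directory, which the file silently assumes is `{app}\bin`.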
diff --git a/src/windows/unrealinst.iss b/src/windows/unrealinst.iss
index 3b3e38ab2..a941220ee 100755
--- a/src/windows/unrealinst.iss
+++ b/src/windows/unrealinst.iss
@@ -50,7 +50,7 @@ Source: "unrealsvc.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
 ; TLS certificate generation helpers
 Source: "src\windows\makecert.bat"; DestDir: "{app}\bin"; Flags: ignoreversion
-Source: "extras\tls.cnf"; DestDir: "{app}\bin"; Flags: ignoreversion
+Source: "doc\conf\tls\tls.cnf"; DestDir: "{app}\bin"; Flags: ignoreversion
 ; UnrealIRCd modules
 Source: "src\modules\*.dll"; DestDir: "{app}\modules"; Flags: ignoreversion signonce
diff --git a/unrealircd.in b/unrealircd.in
index 76b1e54dd..32ec8cd6d 100644
--- a/unrealircd.in
+++ b/unrealircd.in
@@ -11,12 +11,13 @@ TMPDIR="@TMPDIR@"
 SCRIPTDIR="@SCRIPTDIR@"
 MODULESDIR="@MODULESDIR@"
 DOCDIR="@DOCDIR@"
+OPENSSLPATH="@OPENSSLPATH@"
 # When built with --with-asan, ASan does not dump core by default because
 # older gcc/clang might dump a 16TB core file. We explicitly enable it here.
 export ASAN_OPTIONS="abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1:log_path=$TMPDIR/unrealircd_asan:detect_leaks=0"
-if [ ! -f $IRCD ]; then
+if [ "$1" != "makecert" ] && [ ! -f $IRCD ]; then
 echo "ERROR: Could not find the IRCd binary ($IRCD)"
 echo "This could mean two things:"
 echo "1) You forgot to run 'make install' after running 'make'"
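Review bot: `OPENSSLPATH="@OPENSSLPATH@"` is introduced without any validation, and the `makecert` branch later executes it quoted, so if configure substituted an empty value or a name that is not on PATH the admin gets an unhelpful shell error instead of a pointer at the cause; a `[ -n "$OPENSSLPATH" ] || OPENSSLPATH=openssl` here, or a `command -v "$OPENSSLPATH" >/dev/null` check before first use, would close that gap — which one fits depends on what configure guarantees, and that is not visible in this patch. On the rewritten `if` line `$IRCD` is still unquoted in `[ ! -f $IRCD ]`; it is carried over from the old line, but since the line is being touched anyway `[ ! -f "$IRCD" ]` costs nothing.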
@@ -268,6 +269,78 @@ __EOF__
 echo "Thanks!"
 elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then
 $UNREALIRCDCTL $*
+elif [ "$1" = "makecert" ] ; then
+ TLSDIR="$CONFDIR/tls"
+ KEY="$TLSDIR/server.key.pem"
+ CERT="$TLSDIR/server.cert.pem"
+
+ # Locate the OpenSSL configuration template. After 'make install' it
+ # lives in the TLS directory. During initial setup (./Config), before
+ # 'make install' has run, we use the copy in the source directory.
+ if [ -f "$TLSDIR/tls.cnf" ]; then
+ CNF="$TLSDIR/tls.cnf"
+ elif [ -f "$BUILDDIR/doc/conf/tls/tls.cnf" ]; then
+ CNF="$BUILDDIR/doc/conf/tls/tls.cnf"
+ else
+ echo "ERROR: Could not find the OpenSSL template tls.cnf"
+ echo "(Neither $TLSDIR/tls.cnf nor $BUILDDIR/doc/conf/tls/tls.cnf exists)"
+ exit 1
+ fi
+
+ if [ ! -d "$TLSDIR" ]; then
+ mkdir -p "$TLSDIR" || exit 1
+ chmod 0700 "$TLSDIR"
+ fi
+
+ REPLACED=0
+ if [ -f "$CERT" ] || [ -f "$KEY" ]; then
+ echo "This command will replace your existing server certificate and key."
+ echo "(in $TLSDIR)"
+ echo -n "Do you wish to proceed? [Y|N] "
+ read answer
+ case "$answer" in
+ [Yy]*)
+ ;;
+ *)
+ echo "Aborted."
+ exit 1
+ ;;
+ esac
+ REPLACED=1
+ fi
+
+ # Keep a backup of the previous certificate and key, so it can be
+ # restored if the newly generated one turns out to be unsuitable.
+ if [ "$REPLACED" = 1 ]; then
+ for f in "$KEY" "$CERT"; do
+ if [ -f "$f" ]; then
+ cp -p "$f" "$f.old"
+ fi
+ done
+ fi
+
+ # Make sure the private key is not briefly world/group readable while
+ # it is being generated.
+ umask 077
+
+ echo "Generating server key..."
+ "$OPENSSLPATH" ecparam -out "$KEY" -name secp384r1 -genkey || exit 1
+ echo "Generating self-signed certificate..."
+ "$OPENSSLPATH" req -new -x509 -key "$KEY" -config "$CNF" -days 3650 -sha256 -out "$CERT" || exit 1
+
+ echo "Setting permissions on server.*.pem files..."
+ chmod o-rwx "$KEY" "$CERT"
+ chmod g-rwx "$KEY" "$CERT"
+
+ echo ""
+ echo "A new self-signed certificate and key have been generated in $TLSDIR"
+ if [ "$REPLACED" = 1 ]; then
+ echo "Your previous certificate and key were backed up with a .old suffix."
+ fi
+ echo "Note: the SPKI fingerprint has changed. If other servers link to you and"
+ echo " verify a fingerprint, you need to update the link { } block on their side."
+ echo "If UnrealIRCd is currently running, load the new certificate with:"
+ echo " $0 reloadtls"
 elif [ "$1" = "hot-patch" -o "$1" = "cold-patch" ] ; then
 if [ ! -d "$BUILDDIR" ]; then
 echo "UnrealIRCd source not found. Sorry, it is not possible to patch."
@@ -434,6 +507,7 @@ else
 echo "unrealircd stop Stop (kill) the IRC Server"
 echo "unrealircd rehash Reload the configuration file"
 echo "unrealircd reloadtls Reload the SSL/TLS certificates"
+ echo "unrealircd makecert Create or replace the self-signed TLS certificate"
 echo "unrealircd restart Restart the IRC Server (stop+start)"
 echo "unrealircd status Show current status of the IRC Server"
 echo "unrealircd module-status Show all currently loaded modules"
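Review bot: The key and certificate are generated straight into the live `$KEY` and `$CERT` paths, so if `ecparam` succeeds but `req` fails (or the run is interrupted between them) the directory is left with a new key next to the old certificate — a mismatched pair the IRCd will not load until the `.old` backup is restored by hand. It also undercuts the `umask 077` comment: `-out` truncates an existing file in place and keeps its current mode bits, so a previously group- or world-readable key stays that way until the `chmod` lines further down run. Generate into temporary files in the same 0700 directory and move both into place only once both commands have succeeded; the backup logic, the chmod lines and the closing messages can stay as they are. Two smaller points: `echo -n` is not portable across `/bin/sh` implementations (dash prints the `-n`), so `printf '%s' "Do you wish to proceed? [Y|N] "` is the safe form, and `read -r answer` avoids backslash mangling. The `elif` chain this branch belongs to starts and ends outside the hunk.
```shell
	# Generate into temporary files: umask 077 governs their mode (we never
	# write into the pre-existing files, whose mode bits would be kept), and
	# the live key/cert are only replaced once both steps succeeded, so a
	# failure cannot leave a new key paired with the old certificate.
	umask 077
	rm -f "$KEY.tmp" "$CERT.tmp"

	echo "Generating server key..."
	"$OPENSSLPATH" ecparam -out "$KEY.tmp" -name secp384r1 -genkey || { rm -f "$KEY.tmp"; exit 1; }
	echo "Generating self-signed certificate..."
	"$OPENSSLPATH" req -new -x509 -key "$KEY.tmp" -config "$CNF" -days 3650 -sha256 -out "$CERT.tmp" || { rm -f "$KEY.tmp" "$CERT.tmp"; exit 1; }

	mv -f "$KEY.tmp" "$KEY" && mv -f "$CERT.tmp" "$CERT" || exit 1

	# … unchanged: "Setting permissions" chmod lines and the closing messages …
```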