
Move "make pem" to "./unrealircd makecert" and make tools use this

and make the tools refer to it as well.

Suggested by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6610

This also moves extras/tls.cnf to doc/conf/tls/tls.cnf which
also gets installed in ~/unrealircd/conf/tls/ (or whatever CONFDIR is)

And just to be clear: this means you can run "./unrealircd makecert"
without needing to go into BUILDDIR (or even having it at all).

At the same time, the generation commands have been modified slightly
so two warnings during certificate generation are no longer there.
Bram Matthys
2026-06-05 16:06:47 +02:00
parent cbc9213d5e
commit 982325fc82
7 changed files with 85 additions and 30 deletions
+1 -1
@@ -188,7 +188,7 @@ if [ "$QUICK" != "1" ] ; then
echo "*******************************************************************************" echo "*******************************************************************************"
echo "Press ENTER to continue" echo "Press ENTER to continue"
read cc read cc
$MAKE pem ./unrealircd makecert
echo "Certificate created successfully." echo "Certificate created successfully."
sleep 1 sleep 1
else else
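Review bot: The exit status of `./unrealircd makecert` is never checked, so this branch prints `Certificate created successfully.` even when the command fails — and the new makecert implementation in this commit exits non-zero both on an OpenSSL error and when the user answers N at its replace prompt. The old `$MAKE pem` had the same gap, but the interactive abort path makes the unconditional success message actively misleading now. Suggest `./unrealircd makecert || { echo "Certificate generation failed or was aborted."; exit 1; }` so setup stops rather than continuing without a usable certificate. The enclosing `if [ "$QUICK" != "1" ]` block starts and ends outside this hunk.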
+4 -18
@@ -224,6 +224,7 @@ install: all
fi fi
$(INSTALL) -m 0700 -d $(DESTDIR)@CONFDIR@/tls $(INSTALL) -m 0700 -d $(DESTDIR)@CONFDIR@/tls
$(INSTALL) -m 0600 doc/conf/tls/curl-ca-bundle.crt $(DESTDIR)@CONFDIR@/tls $(INSTALL) -m 0600 doc/conf/tls/curl-ca-bundle.crt $(DESTDIR)@CONFDIR@/tls
$(INSTALL) -m 0600 doc/conf/tls/tls.cnf $(DESTDIR)@CONFDIR@/tls
@# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades: @# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades:
rm -rf $(DESTDIR)@MODULESDIR@/cap rm -rf $(DESTDIR)@MODULESDIR@/cap
$(INSTALL) -m 0700 -d $(DESTDIR)@MODULESDIR@/third $(INSTALL) -m 0700 -d $(DESTDIR)@MODULESDIR@/third
@@ -234,11 +235,6 @@ install: all
$(INSTALL) -m 0700 -d $(DESTDIR)@CACHEDIR@ $(INSTALL) -m 0700 -d $(DESTDIR)@CACHEDIR@
$(INSTALL) -m 0700 -d $(DESTDIR)@PERMDATADIR@ $(INSTALL) -m 0700 -d $(DESTDIR)@PERMDATADIR@
$(INSTALL) -m 0700 -d $(DESTDIR)@LOGDIR@ $(INSTALL) -m 0700 -d $(DESTDIR)@LOGDIR@
-@if [ ! -f "$(DESTDIR)@CONFDIR@/tls/server.cert.pem" ] ; then \
$(INSTALL) -m 0600 server.req.pem $(DESTDIR)@CONFDIR@/tls ; \
$(INSTALL) -m 0600 server.key.pem $(DESTDIR)@CONFDIR@/tls ; \
$(INSTALL) -m 0600 server.cert.pem $(DESTDIR)@CONFDIR@/tls ; \
fi
@rm -f $(DESTDIR)@SCRIPTDIR@/source @rm -f $(DESTDIR)@SCRIPTDIR@/source
ln -s @BUILDDIR@ $(DESTDIR)@SCRIPTDIR@/source ln -s @BUILDDIR@ $(DESTDIR)@SCRIPTDIR@/source
@echo '' @echo ''
@@ -268,19 +264,9 @@ install: all
echo 'Again, be sure to change to the @SCRIPTDIR@ directory!' ; \ echo 'Again, be sure to change to the @SCRIPTDIR@ directory!' ; \
fi fi
pem: extras/tls.cnf pem:
@echo "Generating server key..." @echo "The command 'make pem' is no longer used to generate the TLS certificate."
$(OPENSSLPATH) ecparam -out server.key.pem -name secp384r1 -genkey @echo "Please run './unrealircd makecert' instead."
@echo "Generating certificate request..."
$(OPENSSLPATH) req -new \
-config extras/tls.cnf -sha256 -out server.req.pem \
-key server.key.pem -nodes
@echo "Generating self-signed certificate..."
$(OPENSSLPATH) req -x509 -days 3650 -sha256 -nodes -in server.req.pem \
-key server.key.pem -out server.cert.pem
@echo "Setting permissions on server.*.pem files..."
chmod o-rwx server.req.pem server.key.pem server.cert.pem
chmod g-rwx server.req.pem server.key.pem server.cert.pem
Makefile: config.status Makefile.in Makefile: config.status Makefile.in
./config.status ./config.status
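Review bot: The replacement `pem:` target only echoes a notice and then exits 0, so any script or documented workflow that still does `make pem && make install` carries on silently with no certificate generated, and only discovers it when the daemon refuses to start. A deprecated target that no longer does its job should fail loudly: add `@exit 1` (or `@false`) as the last recipe line, and make sure `pem` is listed in `.PHONY` since it no longer has the `extras/tls.cnf` prerequisite to keep it from matching a stray file. The removed install-time copy of `server.*.pem` also means a fresh `make install` ships no certificate at all, which is fine given the new error text in tls.c, but worth a one-line comment above the `tls` install lines so the next maintainer does not re-add it.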
-4
@@ -4,7 +4,6 @@
# Note: RSA bits is ignored, as we use ECC now # Note: RSA bits is ignored, as we use ECC now
default_bits = 2048 default_bits = 2048
distinguished_name = req_dn distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ] [ req_dn ]
countryName = Country Name countryName = Country Name
@@ -26,6 +25,3 @@ organizationalUnitName_default = IRCd
0.commonName = Common Name (Full domain of your server) 0.commonName = Common Name (Full domain of your server)
1.commonName_value = localhost 1.commonName_value = localhost
[ cert_type ]
nsCertType = server
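Review bot: Dropping `x509_extensions = cert_type` without a replacement means the self-signed certificate's extensions are now whatever the installed OpenSSL adds by default for `req -x509`; that varies by release (OpenSSL 3.x appears to add SKID/AKID and, I believe, `basicConstraints = CA:TRUE`, while older builds emit a certificate with no extensions at all), so the result is no longer pinned by this file. If the goal was only to get rid of the obsolete Netscape `nsCertType` extension and its warning, keep an explicit section using the standard equivalents so every OpenSSL version produces the same end-entity server certificate. Hostname checks are still going to fail without a `subjectAltName`, but since this cert is meant to be pinned by SPKI fingerprint that is acceptable; a comment saying so in the file would save the next person from re-adding `nsCertType`.
```ini
x509_extensions = v3_server

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
```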
+3 -3
@@ -358,7 +358,7 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
{ {
unreal_log(ULOG_ERROR, "config", "TLS_LOAD_FAILED_DEFAULT_CERT", NULL, unreal_log(ULOG_ERROR, "config", "TLS_LOAD_FAILED_DEFAULT_CERT", NULL,
"It seems the default certificate is missing. " "It seems the default certificate is missing. "
"Run 'make pem && make install' in the UnrealIRCd source directory " "Run './unrealircd makecert' "
"to generate a self-signed cert."); "to generate a self-signed cert.");
} }
goto fail; goto fail;
@@ -457,8 +457,8 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
{ {
unreal_log(ULOG_ERROR, "config", "TLS_CERTIFICATE_CHECK_FAILED", NULL, unreal_log(ULOG_ERROR, "config", "TLS_CERTIFICATE_CHECK_FAILED", NULL,
"There is a problem with your TLS certificate: $quality_check_error\n" "There is a problem with your TLS certificate: $quality_check_error\n"
"If you use the standard UnrealIRCd certificates then you can simply run 'make pem' and 'make install' " "If you use the standard UnrealIRCd certificates then you can simply run './unrealircd makecert' "
"from your UnrealIRCd source directory (eg: ~/unrealircd-6.X.Y/) to create and install new certificates", "to create and install new certificates",
log_data_string("quality_check_error", errstr)); log_data_string("quality_check_error", errstr));
goto fail; goto fail;
} }
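Review bot: Both rewritten log messages now quote the command as a cwd-relative `./unrealircd makecert` but no longer say where to run it; the old text at least named an example directory, and the tls.cnf lookup in the new script falls back to `$BUILDDIR`, so a user who runs this from the wrong place just gets "command not found". Suggest `"Run './unrealircd makecert' from your UnrealIRCd directory (eg: ~/unrealircd/) "` in the first message and the same parenthetical in the second. The enclosing `init_ctx()` continues outside both hunks.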
+1 -2
@@ -1,6 +1,5 @@
@title Certificate Generation @title Certificate Generation
SET OPENSSL_CONF=tls.cnf SET OPENSSL_CONF=tls.cnf
openssl ecparam -out ../conf/tls/server.key.pem -name secp384r1 -genkey openssl ecparam -out ../conf/tls/server.key.pem -name secp384r1 -genkey
openssl req -new -config tls.cnf -out ../conf/tls/server.req.pem -key ../conf/tls/server.key.pem -nodes openssl req -new -x509 -config tls.cnf -key ../conf/tls/server.key.pem -days 3650 -sha256 -out ../conf/tls/server.cert.pem
openssl req -x509 -config tls.cnf -days 3650 -sha256 -in ../conf/tls/server.req.pem -key ../conf/tls/server.key.pem -out ../conf/tls/server.cert.pem
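Review bot: The Windows helper now diverges from the Unix `makecert` in two security-relevant ways: it silently overwrites an existing `server.key.pem`/`server.cert.pem` with no confirmation and no `.old` backup, which also breaks any SPKI fingerprint that linked servers have pinned, and it does not stop when `openssl ecparam` fails, so the following `req` runs against a missing or truncated key. The one-step `req -new -x509` merge itself looks correct; `-nodes` is not needed since the key is supplied rather than generated. Suggest mirroring the Unix behaviour with a prompt, a backup and `|| exit /b 1` on each OpenSSL call (plain `goto` rather than a parenthesised block, so `%answer%` expands after `set /p`).
```batch
@title Certificate Generation
SET OPENSSL_CONF=tls.cnf
if not exist ..\conf\tls\server.key.pem goto generate
echo This will replace your existing server certificate and key in ..\conf\tls
set /p answer="Do you wish to proceed? [Y/N] "
if /i not "%answer%"=="Y" exit /b 1
copy /y ..\conf\tls\server.key.pem ..\conf\tls\server.key.pem.old >nul
if exist ..\conf\tls\server.cert.pem copy /y ..\conf\tls\server.cert.pem ..\conf\tls\server.cert.pem.old >nul
:generate
openssl ecparam -out ../conf/tls/server.key.pem -name secp384r1 -genkey || exit /b 1
openssl req -new -x509 -config tls.cnf -key ../conf/tls/server.key.pem -days 3650 -sha256 -out ../conf/tls/server.cert.pem || exit /b 1
```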
+1 -1
@@ -50,7 +50,7 @@ Source: "unrealsvc.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce
; TLS certificate generation helpers ; TLS certificate generation helpers
Source: "src\windows\makecert.bat"; DestDir: "{app}\bin"; Flags: ignoreversion Source: "src\windows\makecert.bat"; DestDir: "{app}\bin"; Flags: ignoreversion
Source: "extras\tls.cnf"; DestDir: "{app}\bin"; Flags: ignoreversion Source: "doc\conf\tls\tls.cnf"; DestDir: "{app}\bin"; Flags: ignoreversion
; UnrealIRCd modules ; UnrealIRCd modules
Source: "src\modules\*.dll"; DestDir: "{app}\modules"; Flags: ignoreversion signonce Source: "src\modules\*.dll"; DestDir: "{app}\modules"; Flags: ignoreversion signonce
+75 -1
@@ -11,12 +11,13 @@ TMPDIR="@TMPDIR@"
SCRIPTDIR="@SCRIPTDIR@" SCRIPTDIR="@SCRIPTDIR@"
MODULESDIR="@MODULESDIR@" MODULESDIR="@MODULESDIR@"
DOCDIR="@DOCDIR@" DOCDIR="@DOCDIR@"
OPENSSLPATH="@OPENSSLPATH@"
# When built with --with-asan, ASan does not dump core by default because # When built with --with-asan, ASan does not dump core by default because
# older gcc/clang might dump a 16TB core file. We explicitly enable it here. # older gcc/clang might dump a 16TB core file. We explicitly enable it here.
export ASAN_OPTIONS="abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1:log_path=$TMPDIR/unrealircd_asan:detect_leaks=0" export ASAN_OPTIONS="abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1:log_path=$TMPDIR/unrealircd_asan:detect_leaks=0"
if [ ! -f $IRCD ]; then if [ "$1" != "makecert" ] && [ ! -f $IRCD ]; then
echo "ERROR: Could not find the IRCd binary ($IRCD)" echo "ERROR: Could not find the IRCd binary ($IRCD)"
echo "This could mean two things:" echo "This could mean two things:"
echo "1) You forgot to run 'make install' after running 'make'" echo "1) You forgot to run 'make install' after running 'make'"
@@ -268,6 +269,78 @@ __EOF__
echo "Thanks!" echo "Thanks!"
elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then
$UNREALIRCDCTL $* $UNREALIRCDCTL $*
elif [ "$1" = "makecert" ] ; then
TLSDIR="$CONFDIR/tls"
KEY="$TLSDIR/server.key.pem"
CERT="$TLSDIR/server.cert.pem"
# Locate the OpenSSL configuration template. After 'make install' it
# lives in the TLS directory. During initial setup (./Config), before
# 'make install' has run, we use the copy in the source directory.
if [ -f "$TLSDIR/tls.cnf" ]; then
CNF="$TLSDIR/tls.cnf"
elif [ -f "$BUILDDIR/doc/conf/tls/tls.cnf" ]; then
CNF="$BUILDDIR/doc/conf/tls/tls.cnf"
else
echo "ERROR: Could not find the OpenSSL template tls.cnf"
echo "(Neither $TLSDIR/tls.cnf nor $BUILDDIR/doc/conf/tls/tls.cnf exists)"
exit 1
fi
if [ ! -d "$TLSDIR" ]; then
mkdir -p "$TLSDIR" || exit 1
chmod 0700 "$TLSDIR"
fi
REPLACED=0
if [ -f "$CERT" ] || [ -f "$KEY" ]; then
echo "This command will replace your existing server certificate and key."
echo "(in $TLSDIR)"
echo -n "Do you wish to proceed? [Y|N] "
read answer
case "$answer" in
[Yy]*)
;;
*)
echo "Aborted."
exit 1
;;
esac
REPLACED=1
fi
# Keep a backup of the previous certificate and key, so it can be
# restored if the newly generated one turns out to be unsuitable.
if [ "$REPLACED" = 1 ]; then
for f in "$KEY" "$CERT"; do
if [ -f "$f" ]; then
cp -p "$f" "$f.old"
fi
done
fi
# Make sure the private key is not briefly world/group readable while
# it is being generated.
umask 077
echo "Generating server key..."
"$OPENSSLPATH" ecparam -out "$KEY" -name secp384r1 -genkey || exit 1
echo "Generating self-signed certificate..."
"$OPENSSLPATH" req -new -x509 -key "$KEY" -config "$CNF" -days 3650 -sha256 -out "$CERT" || exit 1
echo "Setting permissions on server.*.pem files..."
chmod o-rwx "$KEY" "$CERT"
chmod g-rwx "$KEY" "$CERT"
echo ""
echo "A new self-signed certificate and key have been generated in $TLSDIR"
if [ "$REPLACED" = 1 ]; then
echo "Your previous certificate and key were backed up with a .old suffix."
fi
echo "Note: the SPKI fingerprint has changed. If other servers link to you and"
echo " verify a fingerprint, you need to update the link { } block on their side."
echo "If UnrealIRCd is currently running, load the new certificate with:"
echo " $0 reloadtls"
elif [ "$1" = "hot-patch" -o "$1" = "cold-patch" ] ; then elif [ "$1" = "hot-patch" -o "$1" = "cold-patch" ] ; then
if [ ! -d "$BUILDDIR" ]; then if [ ! -d "$BUILDDIR" ]; then
echo "UnrealIRCd source not found. Sorry, it is not possible to patch." echo "UnrealIRCd source not found. Sorry, it is not possible to patch."
@@ -434,6 +507,7 @@ else
echo "unrealircd stop Stop (kill) the IRC Server" echo "unrealircd stop Stop (kill) the IRC Server"
echo "unrealircd rehash Reload the configuration file" echo "unrealircd rehash Reload the configuration file"
echo "unrealircd reloadtls Reload the SSL/TLS certificates" echo "unrealircd reloadtls Reload the SSL/TLS certificates"
echo "unrealircd makecert Create or replace the self-signed TLS certificate"
echo "unrealircd restart Restart the IRC Server (stop+start)" echo "unrealircd restart Restart the IRC Server (stop+start)"
echo "unrealircd status Show current status of the IRC Server" echo "unrealircd status Show current status of the IRC Server"
echo "unrealircd module-status Show all currently loaded modules" echo "unrealircd module-status Show all currently loaded modules"