Using Let's Encrypt with QuasselCore

I recently started using QuasselCore to allow me to seamlessly keep my connections to my IRC channels across devices. The chat logs, even when I'm "disconnected", remain intact and I don't fill up the chat with a bunch of connects and disconnects.

One thing that has been bothering me is that every time I create a connection I get a self-signed certificate warning. I already have a valid certificate from Let's Encrypt, so there's no real reason I should have to rely on a self-signed certificate and the risks that come with it. And if we are being real, we know we are not manually validating that certificate each time. This leaves us vulnerable and arguably defeats the purpose of the certificate.

This guide assumes that you have already successfully created certificates for your domain with Let's Encrypt. We'll also assume the name of your domain is your.domain for the purpose of this document.

On Debian-based systems, QuasselCore stores this certificate at /var/lib/quassel/quasselCert.pem. To get started, let's back up this file.

sudo mv /var/lib/quassel/quasselCert.pem /var/lib/quassel/quasselCert.pem.orig

Ideally we would just symlink our Let's Encrypt certificate here, but the Quassel cert contains both the public and private key in one file. There is no analogous file in the Let's Encrypt directories, so we will need to generate this file manually.

sudo bash -c 'cat /etc/letsencrypt/live/your.domain/{fullchain,privkey}.pem > /var/lib/quassel/quasselCert.pem'

Restart QuasselCore

sudo service quasselcore restart

Now when you connect with a Quassel client you should connect with a valid certificate. We aren't done yet though. This will work until your Let's Encrypt certificates expire and you have to renew them. At that point Quassel will still be serving the old, now invalid certificate. We could manually repeat this process every time we renew our certificates, but that's fraught with problems and will quickly become a real pain. Fortunately, Let's Encrypt lets us automatically hook into a post-renewal event.

As root, create a new file at /etc/letsencrypt/renewal-hooks/post/quassel.sh with your favorite text editor, with the following contents.

#!/usr/bin/env bash

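# Overwrite (>) rather than append (>>): appending would leave the old,
# expired certificate at the top of the file after every renewal.
cat /etc/letsencrypt/live/your.domain/{fullchain,privkey}.pem > /var/lib/quassel/quasselCert.pem
service quasselcore restart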

Now everything should seamlessly occur automatically without us having to worry about anything. It's worth noting that since I have set this up myself my certificates have not yet renewed. After a successful renewal I will update this paragraph as appropriate.
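
A hardened variant of the hook above, as an added example that is not part of the original post: it checks that both inputs look like PEM, writes the combined file to a private temporary file, and renames it into place so the private key is never world-readable and repeated runs never stack certificates. The function name install_combined_pem is hypothetical, and the quasselcore owner account is an assumption to verify on your system.

```bash
#!/usr/bin/env bash
# Added example: post-renewal hook that rebuilds Quassel's combined PEM.
set -e

LIVE=/etc/letsencrypt/live/your.domain   # placeholder domain used in this guide
DEST=/var/lib/quassel/quasselCert.pem
OWNER=quasselcore                        # assumption: account the core runs as

# install_combined_pem FULLCHAIN PRIVKEY DEST [OWNER]   (hypothetical helper)
# Builds chain + key in a mode-600 temp file next to DEST, then renames it
# over DEST so the core never reads a half-written or doubled-up file.
install_combined_pem() {
    local chain="$1" key="$2" dest="$3" owner="${4:-}" tmp
    # Refuse to replace a working file with missing, empty or non-PEM input.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" && chmod 600 "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Act only on a host that really has this lineage; restart only on success.
if [ -d "$LIVE" ]; then
    install_combined_pem "$LIVE/fullchain.pem" "$LIVE/privkey.pem" "$DEST" "$OWNER"
    service quasselcore restart
fi
```

The hook file must be executable (chmod +x) for it to be run from the renewal-hooks directory.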