June 18, 2020

ZNC Configuration

I use ZNC to connect and stay connected to the IRC servers I frequent. It helps to provide a secure, consistent buffer accessible from multiple devices at the same time.

The first connection uses a self-signed certificate to connect to my Linux server. Then, I use screen to keep a weechat instance in a constant buffer.

Weechat then connects to my ZNC server, which is secured with its own SSL certificate from Let's Encrypt. This is the znc.pem file in ~/.znc.

This znc.pem will need to be updated whenever the Let's Encrypt certificate is renewed. Generate it with:

    cat /etc/letsencrypt/live/incorrigible.me/{privkey,fullchain}.pem > znc.pem

You'll then need to export the fingerprint for use in Weechat:

    cat ~/.znc/znc.pem | openssl x509 -sha512 -fingerprint -noout | tr -d ':' | tr 'A-Z' 'a-z' | cut -d = -f 2

The fingerprint must be updated in Weechat:

    /set irc.server.freenode.ssl_fingerprint [fingerprint]

In my own case, I also have to update the trusted fingerprint within ZNC to connect to my IRC server, which now has an updated SSL certificate:

    /znc AddTrustedServerFingerprint <fingerprint>
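The znc.pem and fingerprint steps above can be wrapped in a script that certbot runs after each renewal. This is an added example, not part of the original post: ZNC_DIR is a hypothetical variable, and the script assumes certbot calls it via --deploy-hook, which sets RENEWED_LINEAGE to the certificate's live directory.

```shell
#!/bin/sh
# Added example: certbot deploy-hook sketch for the znc.pem steps above.
# ZNC_DIR is a hypothetical variable (defaults to ~/.znc as on this page).

# True when the private key and the leaf certificate share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write privkey + fullchain to znc.pem. The temp file is created under
# umask 077, so the key is never readable by other users, and the rename
# swaps it in atomically so ZNC never sees a half-written file.
build_znc_pem() {
    live_dir=$1 out=$2
    [ -r "$live_dir/privkey.pem" ] && [ -r "$live_dir/fullchain.pem" ] || return 1
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$live_dir/privkey.pem" "$live_dir/fullchain.pem" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# SHA-512 fingerprint of the first (leaf) certificate in the PEM, as
# lowercase hex without colons: the same value the pipeline above prints.
znc_fingerprint() {
    openssl x509 -in "$1" -sha512 -fingerprint -noout \
        | cut -d = -f 2 | tr -d ':' | tr 'A-Z' 'a-z'
}

# certbot exports RENEWED_LINEAGE to --deploy-hook scripts; without it
# (for example when this file is sourced) nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem="${ZNC_DIR:-$HOME/.znc}/znc.pem"
    key_matches_cert "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" \
        || { echo "key and certificate do not match; znc.pem left untouched" >&2; exit 1; }
    build_znc_pem "$RENEWED_LINEAGE" "$pem" || exit 1
    # The file is owned by whoever runs the hook; chown it if ZNC runs as another user.
    echo "New fingerprint for Weechat: $(znc_fingerprint "$pem")"
fi
```

The printed fingerprint still has to be set in Weechat by hand, as described above.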

ZNC connects to the configured IRC servers using SSL over port 6697.

The local client, in my case Weechat, will use the nick.pem certificate at %h/certs/nick.pem to authenticate to ZNC without a plaintext password.

Authentication through ZNC is done via Cert, with the certificate placed in ~/.znc/users/<user>/networks/<network>/moddata/cert/user.pem.

I then use SASL to authenticate my nick within Freenode and Rizon, using the ZNC SASL module.

Update Process:

I still get confused when I do this, and I've not been able to properly configure certbot to perform all my renewals and posthooks. I've found a few articles to work with though:

https://blog.bryanroessler.com/2019-02-09-automatic-certbot-namecheap-acme-dns/

Source links: