Quassel and Let’s Encrypt

I love Let’s Encrypt. It is just the right way to secure our http communications.

And I love IRC, and chatting with people using it. Because is a well known and long lived protocol and because it is there a lot of tech geeks and nerds gather 🙂

Team Chat(from https://xkcd.com/1782/)

I also love Quassel (https://quassel-irc.org/), not because it is written in Java (I do not understand it), but because of its paradigm (a core that acts as a client to the IRC servers and to which many clients can connect). And because it is a good solution to use IRC on the smartphone (at least on Android), because connections to IRC servers are unstable via mobile connections.

What I disliked is the fact that I have to authenticate the client to the core at first connection. This is because Quassel core creates a self-signed certificate at installation. This is one of the problems of not having a widespread and accessible system to secure our communications via TLS…but we have it!

Let’s obtain a Let’s Encrypt certificate:

$ certbot certonly --standalone -d my.domain.tld

Following the procedure, we will obtain the certificate, the fullchain and the private key in a specific folder

$  ls /etc/letsencrypt/live/my.domain.tld 
cert.pem chain.pem fullchain.pem privkey.pem README

Now, let’s check where Quassel reads the configuration. On debian-based installations, Quassel creates a user quasselcore with a specific home directory

$ cat /etc/passwd|grep quassel
quasselcore:x:109:114::/var/lib/quassel:/bin/false

There it is

$ ls /var/lib/quassel 
quasselCert.pem quasselcore.conf quassel-storage.sqlite

Let’s backup the self-signed certificate

$ mv  /var/lib/quassel/quasselCert.pem /var/lib/quassel/quasselCert.pem.old

And now let’s use the Let’s Encrypt one

$ cat /etc/letsencrypt/live/my.domain.tdl/{fullchain,privkey}.pem >> /var/lib/quassel/quasselCert.pem
$ systemctl restart quasselcore

And now we can connect to my.domain.tdl with a Let’s Encrypt signed certificate!

If you want also to automate this procedure on certificate renewal, you can create a systemd unit like this

$ cat /lib/systemd/system/quasselcert.path
[Unit]
Description=Triggers the recreation of quassel certificate at certificate renewal 

[Path]
PathChanged=/etc/letsencrypt/live/my.domain.tld/privkey.pem

[Install]
WantedBy=multi-user.target
WantedBy=system-update.target
$ cat /lib/systemd/system/quasselcert.service
[Unit]
Description=Recreation of quassel certificate at certificate renewal

[Service]
Type=oneshot
ExecStartPre=/bin/rm -f /var/lib/quassel/quasselCert.pem
ExecStart=/bin/bash -c 'cat /etc/letsencrypt/live/my.domain.tld/{fullchain,privkey}.pem > /var/lib/quassel/quasselCert.pem'

This should opefully work (not tested!).