Quassel with SSL and private CA on FreeBSD
I spent some time improving the state of encyption on my domains (i.e. finally setting up https), and while I was at it, figured that I would switch from ssh+screen+irssi to Quassel. The FreeBSD packages for Quassel support SSL (TLS) by default, and there's some brief instructions for setting that up as part of the pkg-message. However, I have a slightly different setup: for my in-house network, I have my own little root CA for my SSL certificates, and I wanted to use that. So for my quasselcore running on quassel.local.net, I wanted to have a certificate issued for that host, and used by quasselcore.
For me, the main benefit of doing this is that all my machines already have the local.net root CA added to their trusted roots, so I don't get SSL errors on client startup.
In writing this up, I've collected a whole bunch of wishlist items for Quassel's SSL support, which I'll have to submit to the bug tracker there soon (or write patches). Maybe some of it is documentation-related.
Anyway, let's assume:
- A root CA created with, and managed by, CA.pl
- The root CA certificate is installed on all the client machines (e.g. in
/etc/ssl/certs/
) - A hostname of quassel.local.net, for the machine quasselcore is going to run on.
We'll install quasselcore, set it up for using SSL, then replace the certificate with one from the CA, and then setup the client too.
On the CA: Create a certificate with CA.pl -newreq
and fill in the right FQDN for the core machine (e.g. quasselcore.local.net
). Then sign the certificate with CA.pl -sign
. Remove the passphrase, if any, from the key file. Quasselcore doesn't like passphrase-protected private keys. Concatenate the certificate and the key to a file called quasselCert.pem
.
On quasselcore: Install (using pkg(8)) quassel-core
; the default configuration has SSL enabled. The pkg-message says you can run service quasselcore keygen
; if you want to do that, you'll need to do some manual steps first: create /var/db/quasselcore
by hand, and chown that to quasselcore:quasselcore
. Otherwise, just start, and then stop the core with service quasselcore start ; service quasselcore stop
.Now copy over the quasselCert.pem
file from the CA into /var/db/quasselcore/quasselCert.pem
. Take care with permissions and ownership.Then start the service again; you should get no warnings about SSL certificates.
On clients: When configuring the connection to the core, click use secure connection (SSL) in the core-account dialog (see the documentation).
If the private root CA is recognised by openssl, then you won't get an SSL warning on startup.