
I have a single VPS running a few websites and also my ZNC IRC bouncer. I purchased a wildcard SSL certificate for all my subdomains (this was silly; it would've been much cheaper just to purchase several single-domain certs, but whatever).

I have nginx handling all TLS except the actual IRC connections. As far as I can see, there's no way to get nginx in front of ZNC for non-http/s connections. So I have a copy of my private key and certificate in a .pem that's readable by the znc user that runs ZNC.

I trust nginx not to have key-revealing flaws a lot more than I trust ZNC. It's not that I think ZNC are nefarious, I just assume the nginx devs are thinking about it more.

Am I worrying too much about this? To what risks am I exposing myself by giving a non-privileged account read access to my wildcard private key? Should I buy a separate certificate for IRC use? Am I wrong, and nginx can proxy non-http connections to an upstream?

Erin Call

1 Answer


Perhaps you could use something like stud or stunnel to unwrap TLS at the TCP layer before passing traffic to your ZNC upstream. I suggest you try and get it working with the ZNC web traffic first (plenty of examples for unwrapping HTTPS), but the unwrapping should apply equally to other SSL/TLS-enabled protocols like IRC.

That said, you're being paranoid. If you're up against an attacker who compromises your cert via a ZNC exploit, what can they do with it? MITM services which share the same cert? That's three-letter-agency territory, which could be largely mitigated with $10 for a single-host cert.

notpeter
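The stunnel arrangement the answer describes, written out as an added example (not the answerer's own configuration): stunnel terminates TLS on the public IRC port as its own user, ZNC listens in plaintext on loopback only, and the znc user never needs to read the wildcard key. File paths, port numbers and the `stunnel4` user/group are assumptions; adjust them to your system.

```ini
; ---- /etc/stunnel/znc.conf (constructed example) ----
; Key and cert are owned by root and group-readable by stunnel4 only,
; e.g.  chown root:stunnel4 /etc/stunnel/wildcard.key && chmod 640 /etc/stunnel/wildcard.key
; The znc user has no access to either file.
cert   = /etc/stunnel/wildcard.pem
key    = /etc/stunnel/wildcard.key
setuid = stunnel4
setgid = stunnel4
pid    = /var/run/stunnel4/znc.pid

[znc-irc]
; Clients connect here with TLS (the usual IRC-over-TLS port).
accept  = 0.0.0.0:6697
; Decrypted traffic is forwarded to ZNC's plaintext loopback listener.
connect = 127.0.0.1:6667

; ---- Listener block for ZNC's znc.conf (constructed example) ----
; Bound to loopback and SSL = false, so the only way in is through stunnel
; and ZNC itself holds no key material.
<Listener irc-plain>
        AllowIRC = true
        AllowWeb = false
        Host = 127.0.0.1
        IPv4 = true
        IPv6 = false
        Port = 6667
        SSL = false
        URIPrefix = /
</Listener>
```

One caveat: ZNC then sees every client as connecting from 127.0.0.1, so any per-client-IP logging or blocking you rely on in ZNC has to move to stunnel or the host firewall.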