I have a single VPS running a few websites and also my ZNC IRC bouncer. I purchased a wildcard SSL certificate for all my subdomains (this was silly; it would've been much cheaper just to purchase several single-domain certs, but whatever).
I have nginx handling all TLS except the actual IRC connections. As far as I can see, there's no way to get nginx in front of ZNC for non-http/s connections. So I have a copy of my private key and certificate in a `.pem` that's readable by the `znc` user that runs ZNC.
I trust nginx not to have key-revealing flaws a lot more than I trust ZNC. It's not that I think ZNC are nefarious, I just assume the nginx devs are thinking about it more.
Am I worrying too much about this? To what risks am I exposing myself by giving a non-privileged account read access to my wildcard private key? Should I buy a separate certificate for IRC use? Am I wrong, and nginx can proxy non-http connections to an upstream?
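As an added example (not part of the original question), this is how nginx's `stream` module can terminate TLS on the IRC port and forward plaintext to ZNC over the loopback interface, so the key file can stay readable by root only; the ports, file paths and the ZNC plain listener are assumptions.

```nginx
# Added example: nginx "stream" block for IRC-over-TLS in front of ZNC.
# Requires nginx built with --with-stream and --with-stream_ssl_module.
# This block sits at the top level of nginx.conf, next to the http { } block.
stream {
    server {
        # Public IRC-over-TLS port (assumed 6697).
        listen 6697 ssl;

        # The master process reads the key as root before spawning the
        # unprivileged workers, so the znc user never needs read access.
        ssl_certificate     /etc/ssl/private/wildcard.pem;  # assumed path
        ssl_certificate_key /etc/ssl/private/wildcard.key;  # assumed path

        # ZNC is assumed to have a plain (non-SSL) listener bound to
        # 127.0.0.1:6667, so the unencrypted hop never leaves the host.
        proxy_pass 127.0.0.1:6667;
    }
}
```

After deploying this, confirm the key is owned by root with mode 0600 and that the ZNC plain listener is bound to 127.0.0.1 rather than all interfaces; ZNC will see every client as coming from 127.0.0.1, so its own per-IP logging or limits no longer distinguish clients.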