Dear Maintainer,

After upgrading from Debian bookworm to trixie, existing InspIRCd server-to-server links using self-signed TLS certificates fail. The error reported claims the link definition is malformed, but the configuration is unchanged and valid.

This is a regression that occurs only after upgrading from bookworm to trixie; the same configuration worked correctly on bookworm and still works after downgrading.

To reproduce

1. Configure two InspIRCd servers on Debian bookworm with a working TLS server link using self-signed certificates.
2. Upgrade the system(s) to Debian trixie.
3. Restart inspircd.

Server link fails. Error message reports that the link definition is malformed. No useful certificate or TLS verification error is logged.

Server link should continue to work, or a clear error should indicate certificate verification failure.

Self-signed certificates are the standard configuration for IRC server linking. This regression breaks normal multi-server IRC deployments and can lead to persistent netsplits after upgrade. The misleading error message nearly led me to leave the servers permanently unlinked.

Upstream InspIRCd 4.9.0 changelog documents fixes for incorrect rejection of self-signed certificates and improved diagnostics when server linking fails due to certificate issues, suggesting Debian’s 4.7.0 package lacks a known upstream fix.

Downgrading back to bookworm version of inspircd restores correct operation. No configuration changes were required.

Regards,
Juha Kallio

Jan 14 13:19:05 psychedelic.fi systemd[1]: Started inspircd.service - InspIRCd - Internet Relay Chat Daemon.
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: InspIRCd - Internet Relay Chat Daemon
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: See /INFO for contributors & authors
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: InspIRCd Process ID: 3019177
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: Loading core modules .....................
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Loading module: m_spanningtree.so
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Loading module: m_sslinfo.so
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Loading module: m_ssl_gnutls.so
Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Unable to read the configuration for m_ssl_gnutls.so: You have not specified any <sslprofile> tags that are usable by this module!
Jan 14 13:19:05 psychedelic.fi systemd[1]: inspircd.service: Main process exited, code=exited, status=1/FAILURE
Jan 14 13:19:05 psychedelic.fi systemd[1]: inspircd.service: Failed with result 'exit-code'.

Hello Juha,

there is not an issue with Debian's inspircd package. I use self-signed certificates to link servers on trixie just fine. There were VAST configuration changes from v3 to v4 of inspircd and you MUST adapt your configuration file. Looking at your log you posted, and your small configuration snippet, it's incorrect. Your log clearly states,

Jan 14 13:19:05 psychedelic.fi inspircd[3019177]: [*] Unable to read the configuration for m_ssl_gnutls.so: You have not specified any <sslprofile> tags that are usable by this module!

Your IP and port binding for the SSL port, commonly 6697, has to have an sslprofile defined to it. Like this,

<bind address="7.8.9.9" port="6697" protocols="tcp" type="clients" sslprofile="client_ssl">

You then have a <connect block with the name of clients and port 6697. You then define an <sslprofile block that includes location to the cert and key, if not defined it defaults to /etc/inspircd/cert.pem and key.pem and they need chown irc:irc. I have a separate sslprofile for server linking specifically with its own cert and keypair named linked-cert.pem and link-key.pem. That is where the self signed linking cert is at.

Example:

<sslprofile name="client_ssl"
            provider="gnutls"
            cafile="" # Keep this blank unless you are doing client cert auth against your own CA.
            crlfile="" # Same thing but this is the revocation list file for your CA. Keep blank unless you are doing cert auth.
            hash="sha256"> # Algo used to generate cert fingerprints.

<sslprofile name="server_ssl"
            provider="gnutls"
            cafile=""
            crlfile=""
            certfile="link-cert.pem"
            keyfile="link-key.pem"
            hash="sha256">

If you need additional help, please reach out to InspIRCd support on IRC and also see the documentation before opening a "serious" bug against the Debian package.

See:
https://docs.inspircd.org/4/breaking-changes/
https://docs.inspircd.org/4/modules/ssl_gnutls/

Maintainer, please close this bug. There is no issue here.

Regards,
Victor Coss
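
A pre-restart check for the mismatch described in the reply above, as an added example that is not part of either message and not InspIRCd's own tooling: it confirms that every <bind> sslprofile name resolves to a defined <sslprofile> block and that at least one profile names the gnutls provider. The sample config, the port 7005 bind and all function names are constructed for illustration; treating a profile as "usable" when provider="gnutls" is an assumption taken from the reply's examples.

```python
import re

# Constructed sample modelled on the reply's snippets (not the reporter's file).
# The second <bind> (port 7005) is invented to show an unresolved profile name.
SAMPLE = '''
<bind address="7.8.9.9" port="6697" protocols="tcp" type="clients" sslprofile="client_ssl">
<bind address="7.8.9.9" port="7005" type="servers" sslprofile="server_ssl">
<sslprofile name="client_ssl"
            provider="gnutls"
            cafile=""  # blank unless doing client cert auth; has a > and "quotes"
            hash="sha256">
'''

TAG_RE = re.compile(r'<(\w+)((?:\s+\w+="[^"]*")*)\s*>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def strip_comments(text):
    """Drop '#' comments (to end of line) unless the '#' is inside a quoted value."""
    out, in_quote, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            while i < len(text) and text[i] != '\n':
                i += 1
            continue
        out.append(ch)
        i += 1
    return ''.join(out)

def parse_tags(text):
    """Return [(tag_name, {attr: value})] for each well-formed tag."""
    return [(m.group(1).lower(), dict(ATTR_RE.findall(m.group(2))))
            for m in TAG_RE.finditer(strip_comments(text))]

def check_tls_profiles(text, provider="gnutls"):
    """List problems: no profile for `provider`, or a <bind> naming an undefined profile."""
    tags = parse_tags(text)
    profiles = {a.get("name"): a for t, a in tags if t == "sslprofile"}
    problems = []
    # Assumption: a profile is "usable" when its provider attribute matches.
    if not any(a.get("provider") == provider for a in profiles.values()):
        problems.append(f"no <sslprofile> with provider {provider!r}")
    for t, a in tags:
        name = a.get("sslprofile")
        if t == "bind" and name is not None and name not in profiles:
            problems.append(f"<bind> port {a.get('port')} names undefined sslprofile {name!r}")
    return problems

if __name__ == "__main__":
    for p in check_tls_profiles(SAMPLE):
        print(p)
```

An empty result means every referenced profile is defined; it does not validate certificate files or their ownership.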