Three years ago I set up SASL certificates for the Libera IRC network. At the time, the 1096 days till expiry seemed a long ways away and I forgot about them. Luckily for me, old me had put a reminder in my calendar to renew the certificates. Armed with the old post and two guides from Libera (1, 2), I got to work. Everything in this post assumes a setup like what I described back then.

Check Out the Old

Go into ~/.weechat/certs/ (at least, that is where I put mine in the previous post).

You can inspect the end date of a cert.

openssl x509 -in libera.pem -noout -enddate

This returns a line like

notAfter=May 22 10:48:58 2024 GMT

You can also find out the fingerprint of the cert

openssl x509 -in libera.pem -noout -fingerprint -sha512 | awk -F= '{gsub(":",""); print tolower ($2)}'

This returns a long hexadecimal string for me.

New Cert for WeeChat

The command seems to have changed slightly compared to three years ago. A different algorithm, I assume. It is still a three-year period during which the cert is valid. I did not run this in ~/.weechat/certs, since my current libera.pem file was there. You can of course also change the output file.

openssl req -x509 -new -newkey ed25519 -sha256 -days 1096 -nodes -out libera.pem -keyout libera.pem

Then run the earlier command to get the fingerprint

openssl x509 -in libera.pem -noout -fingerprint -sha512 | awk -F= '{gsub(":",""); print tolower ($2)}'

Finally add the fingerprint to NickServ

/msg NickServ cert add YOURFINGERPRINT

Then I disconnected and closed WeeChat.

I backed up my old certificate and moved the new one into ~/.weechat/certs/libera.pem.

Open WeeChat again and you are good to go.

New Cert for Rust’s IRC Crate

So at the time of writing I had added two certs: one to connect to the bot account via WeeChat, as detailed above, another to have the bot connect programmatically. The first one is easy enough to bring up to date with the previous steps.

For the other, we will still need to do the extra steps. Generate key and cert. This one was more of a pain back in the day, partially because I could not follow easy existing steps from the Libera website. Luckily this time I can just more or less repeat what I did back then.

openssl req -x509 -new -newkey ed25519 -keyout myPrivateKey.pem -out myCertificate.crt -days 1100 -sha256 -nodes

Combine into p12 file (which will ask you to choose a password).

openssl pkcs12 -export -out keyStore.p12 -inkey myPrivateKey.pem -in myCertificate.crt

Get the fingerprint of the cert

openssl x509 -in myCertificate.crt -outform der | sha512sum -b | cut -d' ' -f1

And add it to the bot account with

/msg NickServ cert add YOURFINGERPRINT

Then back up the bot’s cert folder and replace it with a folder with the files you just created. Also update the password in your bot’s settings.

Finally, restart the bot.

Cleaning Up

After testing that everything works (and maybe waiting a day or two if you are wary about it), remove the old certificates from your NickServ account with

/msg NickServ cert del OLDFINGERPRINT

Also remove the old files from your setup.

Get Ready for the Future

One very important step, that I am glad I did three years ago: set a reminder in your calendar three years from now to update the certificates again.
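
To back up the calendar reminder, these shell functions (an added example, not from the original post) check how close a cert is to expiry with openssl's -checkend and compute the NickServ fingerprint both ways used above, which should agree. The function names, the 30-day default window, the certcheck.sh file name and the throwaway CN=example-nick cert are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# SHA-512 fingerprint in the form NickServ takes: lowercase hex, no colons.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha512 |
        awk -F= '{gsub(":",""); print tolower($2)}'
}

# The same value computed the other way the post uses: hash the DER encoding.
cert_fp_der() {
    openssl x509 -in "$1" -outform der | sha512sum -b | cut -d' ' -f1
}

# True (0) when the cert has expired or expires within $2 days.
# openssl -checkend exits non-zero if the cert expires inside the window.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_cert FILE [DAYS]: report status; 1 = renewal due, 2 = unreadable.
check_cert() {
    file=$1
    days=${2:-30}   # assumed default warning window
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    end=$(openssl x509 -in "$file" -noout -enddate | cut -d= -f2)
    if cert_expires_within "$file" "$days"; then
        echo "RENEW: $file expires $end"
        return 1
    fi
    echo "ok: $file valid until $end, fingerprint $(cert_fp "$file")"
}

# Constructed sample: throwaway self-signed cert valid for $2 days,
# key and cert in one file like libera.pem. CN is a made-up value.
make_sample_cert() {
    openssl req -x509 -new -newkey ed25519 -days "$2" -nodes \
        -subj "/CN=example-nick" -out "$1" -keyout "$1" 2>/dev/null
}

# Stand-alone use, e.g. from cron: ./certcheck.sh ~/.weechat/certs/libera.pem 30
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

Run from cron, a non-zero exit status is the signal to start the renewal steps above.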