2024-07-19 Trusting a self-signed certificate
=============================================

@sarahjamielewis@mastodon.social recently announced an IRC server with
a self-signed certificate. What if you have an IRC client that keeps
complaining about this?

On a system like Debian, you can download the certificate and install
it in the system-wide trust store, so that applications using that
store trust it.

    # Get certificate from the correct port
    openssl s_client -showcerts -connect resistant.tech:6697 \
      < /dev/null \
      2> /dev/null \
      | openssl x509 -outform PEM \
      > resistant-tech.pem
    
    # Compare fingerprint with
    # 63:B1:2E:A7:8A:BD:8A:33:B5:62:21:7C:42:71:75:66:43:BA:D2:78:21:09:8E:80:17:7E:28:D2:58:65:E6:48
    openssl x509 -in resistant-tech.pem -noout -sha256 -fingerprint
    
    # Install on Debian (the new extension is important)
    sudo mv --interactive resistant-tech.pem /usr/local/share/ca-certificates/resistant-tech.crt
    sudo dpkg-reconfigure ca-certificates
    
    # The output above should say "1 added, 0 removed; done" somewhere
    
    # Test it
    gnutls-cli resistant.tech:6697

If the output says "PKI verification of server certificate failed..."
then the installation didn't work.

If the output says "Handshake was completed" and seems to hang, that's
because you can now type raw IRC commands.
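
The fingerprint comparison above is done by eye. As an added example (not part of the original post), these shell functions refuse the install step unless the fingerprint matches. The function names are hypothetical, and the pin is assumed to be a fingerprint you obtained out of band.

```shell
#!/bin/sh
# Added example: gate the install step on the published fingerprint.

# Reduce any common fingerprint spelling to bare upper-case hex digits:
# drops a "sha256 Fingerprint=" style prefix, colons and whitespace.
normalize_fp() {
    printf '%s' "${1##*=}" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if the SHA-256 fingerprint of PEM file $1 equals pin $2.
# Returns 1 on mismatch, 2 on unusable input (malformed pin, unparsable file).
fingerprint_matches() {
    pin=$(normalize_fp "$2")
    case "$pin" in
        *[!0-9A-F]*) echo "pin is not hex" >&2; return 2 ;;
    esac
    [ "${#pin}" -eq 64 ] || { echo "pin is not 32 bytes" >&2; return 2; }
    actual=$(openssl x509 -in "$1" -noout -sha256 -fingerprint 2>/dev/null) || {
        echo "cannot parse $1 as a certificate" >&2; return 2; }
    [ "$(normalize_fp "$actual")" = "$pin" ]
}

# The install commands from the post, run only after a successful match.
install_if_pinned() {
    if fingerprint_matches "$1" "$2"; then
        sudo mv --interactive "$1" \
            "/usr/local/share/ca-certificates/$(basename "$1" .pem).crt"
        sudo dpkg-reconfigure ca-certificates
    else
        echo "fingerprint mismatch or bad input; not installing $1" >&2
        return 1
    fi
}

# Usage, with the fingerprint given in the post:
#   install_if_pinned resistant-tech.pem \
#     63:B1:2E:A7:8A:BD:8A:33:B5:62:21:7C:42:71:75:66:43:BA:D2:78:21:09:8E:80:17:7E:28:D2:58:65:E6:48
```
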

​#Administration

(I saw comments by myself on related Stack Exchange questions from
2014. 😑)