
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   SYNCHRONET      Rob Swindell fetishistic worship forum      43,341 messages   


   Message 41,426 of 43,341   
   Dreamer to Craig Daters   
   Re: Good afternoon and quick SSL Cert qu   
   28 Mar 25 20:15:52   
   
   TZUTC: -0500   
   MSGID: 53892.sync@1:103/705 2c4d9c22   
   REPLY: 53882.sync@1:103/705 2c4bd510   
   PID: Synchronet 3.20d-Linux HEAD/500ef7050 Mar 04 2025 GCC 13.3.0   
   TID: SBBSecho 3.24-Linux master/ad9ab307f Mar 18 2025 GCC 12.2.0   
   BBSID: DREAMERS   
   CHRS: CP437 2   
   -=> Craig Daters wrote to All <=-   
      
    CD> ...but could not get Let's Encrypt to work either. So I then attempted   
    CD> to get a SSL cert installed like I would normally do when I set up a   
    CD> regular website, but I had issues there as well. I tried to follow the   
    CD> documentation found at:   
      
    CD> https://wiki.synchro.net/module:certtool   
      
    CD> ...so, through some trial and error I was able to get my cert   
    CD> installed, but I want to confirm whether or not this was proper or if   
    CD> there was a better way to set this up? So I came up with the following   
    CD> documentation for myself in case I need to redo my setup at any time:   
      
   I just got my board up and running recently as well. I had purchased a   
   certificate with my domain before reading about the Let's Encrypt integration,   
   so didn't bother trying it myself.   
      
    CD> Step 1: Generate a Certificate Signing Request (CSR)   
      
    CD> I ran the following command to generate a CSR and private key using   
    CD> Synchronet's certtool.js:   
      
    CD> /sbbs/exec/jsexec /sbbs/exec/certtool.js --csr --domain   
    CD> mysticalrealmbbs.com --domain www.mysticalrealmbbs.com > /sbbs/csr.pem   
      
    CD> - This created a CSR at /sbbs/csr.pem. (perhaps I should have stuck it   
    CD> in /sbbs/ctrl/csr.pem?)   
    CD> - It also generated a private key saved as /sbbs/ctrl/cryptlib.key.   
      
   The server wouldn't care about the CSR, so no worries about where you save it.   
      
    CD> Step 2: Submit CSR to Namecheap   
      
    CD> 1. I then went into my Namecheap account, activated my SSL.   
    CD> 2. I was prompted to submit the contents of /sbbs/csr.pem to generate   
    CD> my PositiveSSL certificate.   
    CD> 3. After verification (using the cname method), Namecheap provided   
    CD> two files:   
    CD>     - mysticalrealmbbs_com.crt (your SSL certificate)   
    CD>     - mysticalrealmbbs_com.ca-bundle (intermediate certificate chain)   
      
   I also use Namecheap, and this looks about right.   
      
    CD> Step 3: Combine Certificate and CA Bundle   
      
    CD> I combined my certificate and bundle into a single file:   
      
    CD> cat mysticalrealmbbs_com.crt mysticalrealmbbs_com.ca-bundle >   
    CD> /sbbs/ctrl/bbs.crt   
      
    CD> This is the full certificate chain that I surmise Synchronet is   
    CD> expecting.   
      
   This also looks about right. The company I work for is still on a manual   
   process for renewing certificates, so it's basically riding a bike for me. I   
   normally do this in an editor, though, so not totally sure about the cat   
   command. The main thing is to make sure the server cert is at the top above CA   
   bundle in the new file.   
      
    CD> Step 4: Prepare the Private Key   
      
   I don't recall having to do anything with the private key. But, I didn't take   
   notes, either. :(   
      
    CD> - Why not use certtool.js --import?   
    CD>   - This method failed to create expected .crt or .cert files during   
    CD> testing.   
      
   Certtool worked for me. Since it worked, I didn't pay attention to how it   
   worked.   
      
    CD>   - The key format generated by Cryptlib may be incompatible with   
    CD> OpenSSL tools, but is accepted by Synchronet directly.   
      
   I'm sure Digital Man will have something to say on this. I suspect there's   
   probably a keystore at play.   
      
    CD> - Verifying key and cert match (optional):   
    CD>   If needed, you can check that your private key and cert match using   
    CD> OpenSSL (only works with compatible key formats):   
      
    CD>   openssl rsa -in /sbbs/ctrl/bbs.key -modulus -noout | sha256sum   
    CD>   openssl x509 -in /sbbs/ctrl/bbs.crt -modulus -noout | sha256sum   
      
    CD>   If the hashes match, the key and cert pair correctly. But I believe   
    CD> that certtool.js is using a different format to generate the key.   
      
   I just checked the cryptlib.key, and it's likely not an RSA key file.   
      
   I should also mention, I didn't have to edit any INI files, so it sounds like   
   you went the long way 'round!   
      
       
   --- MultiMail/Linux v0.49   
    ■ Synchronet ■ Dreamer's Place   
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)   
   PATH: 103/705 280/464 633/280 229/426   
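
The two checks discussed in the message above (server cert on top of the CA bundle, and key/cert match) can be scripted. The following is an added example, not part of the original posts or of Synchronet; the function names, the demo CA and the `bbs.example.test` name are constructed, and the key check assumes a PEM key that OpenSSL can read, which the thread suggests `cryptlib.key` is not (the function returns 2 in that case).

```shell
# Added example, not from the thread; certificates and names are constructed.
# chain_order_ok FILE: 0 if each cert's issuer is the subject of the next one
# (server cert on top), 1 if out of order, 2 if empty. Names only, no signatures.
chain_order_ok() (
    dir=$(mktemp -d) || return 2
    n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1")   # one numbered PEM file per certificate
    rc=0; i=1
    [ "$n" -ge 1 ] || rc=2
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer -nameopt RFC2253)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject -nameopt RFC2253)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
)

# key_matches_cert KEY FILE: 0 if KEY matches the FIRST certificate in FILE
# (openssl x509 reads only the first PEM block), 1 if not, 2 if unparseable.
key_matches_cert() (
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$a" = "$b" ]
)

# make_demo DIR: build a throwaway CA and a leaf signed by it, then write
# good.crt (leaf, then CA) and bad.crt (CA, then leaf) into DIR.
make_demo() (
    cd "$1" || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Constructed Demo CA" -days 2 >/dev/null 2>&1 || return 2
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=bbs.example.test" >/dev/null 2>&1 || return 2
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out leaf.pem -days 2 >/dev/null 2>&1 || return 2
    cat leaf.pem ca.pem > good.crt && cat ca.pem leaf.pem > bad.crt
)

if [ "${1:-}" = demo ]; then   # pass "demo" to print both cases
    d=$(mktemp -d) && make_demo "$d"
    for f in good.crt bad.crt; do
        chain_order_ok "$d/$f"; o=$?
        key_matches_cert "$d/leaf.key" "$d/$f"; echo "$f: order rc=$o key rc=$?"
    done; rm -rf "$d"
fi
```

Because the public-key comparison uses `openssl pkey`, it also works for non-RSA keys, unlike the `-modulus` comparison quoted in the thread.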
      



(c) 1994,  bbs@darkrealms.ca