Craig Daters wrote to All <=-
...but could not get Let's Encrypt to work either. So I then attempted to get an SSL cert installed like I would normally do when I set up a regular website, but I had issues there as well. I tried to follow the documentation found at:
https://wiki.synchro.net/module:certtool
...so, through some trial and error I was able to get my cert installed, but I want to confirm whether or not this was proper or if there was a better way to set this up? So I came up with the following documentation for myself in case I need to redo my setup at any time:
Step 1: Generate a Certificate Signing Request (CSR)
I ran the following command to generate a CSR and private key using Synchronet's certtool.js:
/sbbs/exec/jsexec /sbbs/exec/certtool.js --csr --domain mysticalrealmbbs.com --domain www.mysticalrealmbbs.com > /sbbs/csr.pem
- This created a CSR at /sbbs/csr.pem. (perhaps I should have stuck it in /sbbs/ctrl/csr.pem?)
- It also generated a private key saved as /sbbs/ctrl/cryptlib.key.
Step 2: Submit CSR to Namecheap
1. I then went into my Namecheap account, activated my SSL.
2. I was prompted to submit the contents of /sbbs/csr.pem to generate my PositiveSSL certificate.
3. After verification (using the CNAME method), Namecheap provided two files:
- mysticalrealmbbs_com.crt (your SSL certificate)
- mysticalrealmbbs_com.ca-bundle (intermediate certificate chain)
Step 3: Combine Certificate and CA Bundle
I combined my certificate and bundle into a single file:
cat mysticalrealmbbs_com.crt mysticalrealmbbs_com.ca-bundle > /sbbs/ctrl/bbs.crt
This is the full certificate chain that I surmise Synchronet is
expecting.
Step 4: Prepare the Private Key
- Why not use certtool.js --import?
- This method failed to create expected .crt or .cert files during testing.
- The key format generated by Cryptlib may be incompatible with
OpenSSL tools, but is accepted by Synchronet directly.
- Verifying key and cert match (optional):
If needed, you can check that your private key and cert match using OpenSSL (only works with compatible key formats):
openssl rsa -in /sbbs/ctrl/bbs.key -modulus -noout | sha256sum
openssl x509 -in /sbbs/ctrl/bbs.crt -modulus -noout | sha256sum
If the hashes match, the key and cert pair correctly. But I believe that certtool.js is using a different format to generate the key.
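
Added example, not part of the original post or of Synchronet: a shell check that the combined file from Step 3 is ordered leaf first, and that its leaf certificate carries the same public key as the CSR from Step 1, which sidesteps the key-format problem because it never reads the private key. It assumes the CSR is still on disk and is standard PEM; the function names and the script name check.sh are hypothetical.

```sh
#!/bin/sh
# Added example: checks for the files from Steps 1-3. Function names and the
# script name check.sh are hypothetical; the paths in the usage line are the post's.

# SHA-256 of the public key in a CSR ($1=req) or certificate ($1=x509).
# For a bundle, openssl x509 reads only the first certificate in the file.
pubkey_hash() {
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key" ] || return 1
    printf '%s\n' "$key" | sha256sum | cut -d' ' -f1
}

# True if the first certificate in bundle $2 carries the public key of CSR $1.
csr_matches_cert() {
    a=$(pubkey_hash req "$1") || return 2
    b=$(pubkey_hash x509 "$2") || return 2
    [ "$a" = "$b" ]
}

# True if each certificate in bundle $1 is issued by the one after it,
# i.e. leaf first, then intermediates, as "cat crt ca-bundle" should produce.
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    # Split into one file per certificate (cert.1, cert.2, ...) and count them.
    n=$(awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/ {n++}
                         n {print > (d "/cert." n)}
                         END {print n+0}' "$1")
    rc=0; i=1
    [ "$n" -ge 1 ] || rc=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check.sh /sbbs/csr.pem /sbbs/ctrl/bbs.crt
if [ "$#" -eq 2 ]; then
    chain_in_order "$2" && echo "chain order: ok" || echo "chain order: WRONG"
    csr_matches_cert "$1" "$2" && echo "CSR/cert key: match" || echo "CSR/cert key: MISMATCH"
fi
```

A match here shows the certificate was issued for the key pair behind that CSR; it does not show that /sbbs/ctrl/cryptlib.key is still the key generated alongside it.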