• Installing manually obtained let's encrypt certificate

    From Dumas Walker@VERT/CAPCITY2 to Digital Man on Saturday, February 14, 2026 14:55:10
    Since letsyncrypt isn't working here and the irc is down, I decided to figure out how to get the cert on my own.

    Let's Encrypt has a nice bit of software that installed easily and works just fine. I can apparently set it up with cron to run when I need it to. It created certificates without any issue. The problem now is that I cannot figure out where synchronet expects to find these certificates (aside from the self-signed one). There is some nice documentation on the wiki for importing these into Hiawatha, but not any on getting the synchronet webserver to find or import them.

    There is an entry about using something called certtool but that utility is old and appears broken so I hope that isn't the answer.

    ./jsexec certtool --import /etc/letsencrypt/live/capitolcityonline.net/fullchain.pem

    Throws a cryptlib error -43.

    Thanks!
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From Digital Man@VERT to Dumas Walker on Saturday, February 14, 2026 18:54:11
    Re: Installing manually obtained let's encrypt certificate
    By: Dumas Walker to Digital Man on Sat Feb 14 2026 02:55 pm

    Since letsyncrypt isn't working here and the irc is down, I decided to figure out how to get the cert on my own.

    IRC is working fine. I'm on it right now.
    --
    digital man (rob)

    Rush quote #61:
    He's a rebel and a runner, he's a signal turning green .. New World Man
    Norco, CA WX: 56.4°F, 81.0% humidity, 3 mph WNW wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Dumas Walker on Saturday, February 14, 2026 19:00:21
    Re: Installing manually obtained let's encrypt certificate
    By: Dumas Walker to Digital Man on Sat Feb 14 2026 02:55 pm

    Since letsyncrypt isn't working here and the irc is down, I decided to figure out how to get the cert on my own.

    Let's Encrypt has a nice bit of software that installed easily and works just fine. I can apparently set it up with cron to run when I need it to.
    It created certificates without any issue. The problem now is that I cannot figure out where synchronet expects to find these certificates (aside from the self-signed one).

    The filename and location are the same whether it's self-signed or signed by a CA (e.g. letsyncrypt): it's ctrl/ssl.cert: https://wiki.synchro.net/config:ssl.cert

    There is an entry about using something called certtool but that utility is old and appears broken so I hope that isn't the answer.

    ./jsexec certtool --import /etc/letsencrypt/live/capitolcityonline.net/fullchain.pem

    Throws a cryptlib error -43.

    ../../3rdp_src/cl/cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

    Most likely, it just doesn't support the format of the .pem file.

    I think the --import option expects a pkcs7 certificate, while
    the --import-pkcs12 option expects a pkcs12 certificate.

    The utility works for those that know how to work it.
    --
    digital man (rob)

    Breaking Bad quote #25:
    Now if I could only learn how to lick myself. - Hank Schrader
    Norco, CA WX: 56.4°F, 81.0% humidity, 3 mph WNW wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Dumas Walker@VERT/CAPCITY2 to DIGITAL MAN on Sunday, February 15, 2026 10:21:44
    ../../3rdp_src/cl/cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

    Most likely, it just doesn't support the format of the .pem file.

    I think the --import option expects a pkcs7 certificate, while
    the --import-pkcs12 option expects a pkcs12 certificate.

    The utility works for those that know how to work it.

    I might know how to work it if the docs were more clear about what needs to be done. I suspect that fullchain.pem and privkey.pem need to be cat/tee'd together, in that order, to make it work.

    Back to the letsyncrypt bug... after reading up on how Let's Encrypt works, I can figure out the following:

    (1) at some point, letsyncrypt hit an error that it either reported or didn't know what to do with;
    (2) after that, it kept reporting '0' even though it was *not* working (BUG!);
    (3) by the time the cert expired, evidence of whatever problem letsyncypt had (assuming it reported it to begin with) was long gone;
    (4) the other two or three options on the wiki were getting errors because they likely require a valid cert to already be in place on the web server end. Since letsyncypt had stopped working a while back, there wasn't one.

    While researching Let's Encrypt, I found a lot of good resources regarding using their certs with haproxy. As I am already using haproxy for something else so I put those good resources to use. I was able to install the cert into haproxy, set up new front and back ends for web traffic, and had a working website again in < 30 minutes.

    I started seeing some SMTPS errors so I put the self-signed cert back into place in /ctrl and that seemed to fix those.


    * SLMR 2.1a * Anything good is either illegal, immoral or fattening.
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
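An added example, not Synchronet's, certbot's or haproxy's own code, covering the two posts above: it takes the pair of files certbot leaves behind (fullchain.pem and privkey.pem), checks that the key really belongs to the first certificate in the chain, and writes both bundle shapes the thread mentions: the single chain-then-key PEM that haproxy reads, and a PKCS#12 file, the format Digital Man names for --import-pkcs12 (whether certtool accepts this particular encoding is not something the thread establishes). It assumes certbot's default /etc/letsencrypt/live/<domain>/ layout and the openssl command line; the output names, export password and the locally generated test pair are the example's own.

```shell
#!/bin/sh
# Added example (not Synchronet, certbot or haproxy code). Checks the PEM files
# certbot leaves in /etc/letsencrypt/live/<domain>/ and builds the two bundle
# shapes the thread talks about: a single chain-then-key PEM (what haproxy
# reads) and a PKCS#12 file (the format named for --import-pkcs12). Output
# names, the export password and the test data are this example's own choices.

# Count PEM blocks of one type ("CERTIFICATE", "PRIVATE KEY", ...) in a file.
# certbot's fullchain.pem normally holds at least two: the leaf and the chain.
count_pem_blocks() {
    n=$(grep -c -- "-----BEGIN $1-----" "$2" 2>/dev/null) || :
    echo "${n:-0}"
}

# True if the file holds an unencrypted private key under any common PEM label.
has_private_key() {
    grep -q -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# True if the private key belongs to the first certificate in the chain file.
# Compares the SubjectPublicKeyInfo from each side, so it works for RSA and EC.
# Guards against a key and chain that drifted apart after a half-failed renewal.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# haproxy-style bundle: leaf, intermediates, then the private key, in that order.
make_combined_pem() {
    cat "$1" "$2" > "$3" && chmod 600 "$3"
}

# PKCS#12 bundle from the same two files. openssl takes every certificate in
# fullchain.pem; the one matching the key becomes the main entry, the rest are
# carried as the chain. On OpenSSL 3 add -legacy if the importer rejects the
# default AES/PBKDF2 encoding.
pem_to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
        && chmod 600 "$3"
}

# Validate one certbot-style directory and write <out>.pem and <out>.p12.
bundle_letsencrypt_dir() {
    dir=$1; out=$2; pw=$3
    [ "$(count_pem_blocks CERTIFICATE "$dir/fullchain.pem")" -ge 1 ] ||
        { echo "no certificate in $dir/fullchain.pem" >&2; return 1; }
    has_private_key "$dir/privkey.pem" ||
        { echo "no private key in $dir/privkey.pem" >&2; return 1; }
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem" ||
        { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    make_combined_pem "$dir/fullchain.pem" "$dir/privkey.pem" "$out.pem" || return 1
    pem_to_pkcs12 "$dir/fullchain.pem" "$dir/privkey.pem" "$out.p12" "$pw"
}

# Constructed stand-in for a live/<domain>/ directory: a self-signed leaf and
# its key made locally, so the example runs offline (no intermediates, unlike
# real Let's Encrypt output).
make_test_dir() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Stand-alone run: bundle a real directory if given one, else the test pair.
if [ -n "$1" ] && [ -d "$1" ]; then
    bundle_letsencrypt_dir "$1" "${2:-./bundle}" "${3:-changeit}"
elif command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_test_dir "$demo/live/example.test" &&
        bundle_letsencrypt_dir "$demo/live/example.test" "$demo/example.test" changeit &&
        ls -l "$demo/example.test.pem" "$demo/example.test.p12"
    rm -rf "$demo"
fi
```

Run it as `sh bundle.sh /etc/letsencrypt/live/<domain> /path/out changeit` after each renewal (certbot's deploy hook is the natural place) and it refuses to write anything if the key and chain no longer match, which is the failure a half-completed renewal leaves behind. The key-match check is the part worth keeping even if the bundle formats change: an importer that takes the first certificate and a key that belongs to an older one fails with an unhelpful error, much like the -43 above.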
  • From MRO@VERT/BBSESINF to Dumas Walker on Sunday, February 15, 2026 16:11:33
    Re: Installing manually obtai
    By: Dumas Walker to DIGITAL MAN on Sun Feb 15 2026 10:21 am

    back ends for web traffic, and had a working website again in < 30 minutes.

    I started seeing some SMTPS errors so I put the self-signed cert back into place in /ctrl and that seemed to fix those.

    Did this just break for no reason and normally it was working fine for you? Or are you just now setting it up?


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to Dumas Walker on Sunday, February 15, 2026 15:01:34
    Re: Installing manually obtai
    By: Dumas Walker to DIGITAL MAN on Sun Feb 15 2026 10:21 am

    ../../3rdp_src/cl/cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

    Most likely, it just doesn't support the format of the .pem file.

    I think the --import option expects a pkcs7 certificate, while
    the --import-pkcs12 option expects a pkcs12 certificate.

    The utility works for those that know how to work it.

    I might know how to work it if the docs were more clear about what needs to be done. I suspect that fullchain.pem and privkey.pem need to be cat/tee'd together, in that order, to make it work.

    Back to the letsyncrypt bug... after reading up on how Let's Encrypt works, I can figure out the following:

    (1) at some point, letsyncrypt hit an error that it either reported or didn't know what to do with;
    (2) after that, it kept reporting '0' even though it was *not* working (BUG!);

    letsyncrypt doesn't re-request a signed-certificate every time you run it. It has built-in expiration for the cert and will do *nothing* if you just run it without any options, until the cert times out or you specify an option to force it do something. That's not a "BUG!".

    (3) by the time the cert expired, evidence of whatever problem letsyncypt had (assuming it reported it to begin with) was long gone;

    Did you check your web server log output like I already suggested? It should explain what's happening when it's requesting the challenge file that letsyncrypt.js creates (but couldn't be retrieved by the Let's Encrypt ACME service or whatever it is)?
    --
    digital man (rob)

    Breaking Bad quote #16:
    Thinking Operation Breath Mint every time you and me are on a stakeout together.
    Norco, CA WX: 59.8°F, 58.0% humidity, 6 mph WNW wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
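The server-side check suggested above, as an added example that is not letsyncrypt.js or any Synchronet code: it pulls the HTTP-01 challenge requests out of a web server access log and says whether the validator reached the server at all and, if so, whether the token file was served. It assumes the log is in Apache common/combined format (the awk field numbers follow that layout) and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not letsyncrypt.js or Synchronet code). Pulls the HTTP-01
# challenge requests out of a web server access log so a failed validation can
# be diagnosed from the server side, which is the check suggested above.
# Assumes Apache common/combined log format, one request per line; the awk
# field numbers follow that layout, and the sample log below is constructed.

# Print "<status> <client> <path>" for every request under the ACME challenge path.
acme_challenge_requests() {
    awk '$7 ~ /^\/\.well-known\/acme-challenge\// { print $9, $1, $7 }' "$1"
}

# Challenge requests that did not get a 200. The validators fetch the token over
# plain HTTP on port 80: a 404 means the token file was not where the server
# looked, a 301/302 to HTTPS only passes if the redirect target serves it too.
acme_challenge_failures() {
    acme_challenge_requests "$1" | awk '$1 != 200' | wc -l | tr -d ' '
}

# One-line verdict per log, usable from cron next to the renewal job.
acme_challenge_summary() {
    total=$(acme_challenge_requests "$1" | wc -l | tr -d ' ')
    failed=$(acme_challenge_failures "$1")
    if [ "$total" -eq 0 ]; then
        echo "no challenge requests seen: the validator never reached this server (DNS, firewall, port 80?)"
    elif [ "$failed" -gt 0 ]; then
        echo "$failed of $total challenge requests failed: token file missing or path not served"
    else
        echo "all $total challenge requests answered 200"
    fi
}

# Constructed sample log: one ordinary hit, two 404s on a stale token, one good
# fetch and one redirect on a second token. Addresses are documentation ranges.
write_sample_log() {
    printf '%s\n' \
      '198.51.100.7 - - [14/Feb/2026:14:39:55 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
      '203.0.113.10 - - [14/Feb/2026:14:40:01 -0500] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 162 "-" "acme-validator/1.0"' \
      '203.0.113.11 - - [14/Feb/2026:14:40:01 -0500] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 162 "-" "acme-validator/1.0"' \
      '203.0.113.12 - - [14/Feb/2026:14:41:30 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "acme-validator/1.0"' \
      '203.0.113.13 - - [14/Feb/2026:14:41:31 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 301 0 "-" "acme-validator/1.0"' \
      > "$1"
}

# Stand-alone run: summarize the log given as $1, else the constructed sample.
if [ -n "$1" ] && [ -f "$1" ]; then
    acme_challenge_requests "$1"
    acme_challenge_summary "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    acme_challenge_requests "$sample"
    acme_challenge_summary "$sample"
    rm -f "$sample"
fi
```

Point it at the access log the web server is configured to write, and rotate-aware: the "long gone" problem in this thread is exactly that the lines from the failed validation were in a log that had since been rotated away, so the summary line is worth writing to somewhere that outlives the log (syslog, a mail to the sysop) each time the renewal job runs.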
  • From Dumas Walker@VERT/CAPCITY2 to DIGITAL MAN on Monday, February 16, 2026 09:27:23
    Back to the letsyncrypt bug... after reading up on how Let's Encrypt works,
    I can figure out the following:

    (1) at some point, letsyncrypt hit an error that it either reported or didn't know what to do with;
    (2) after that, it kept reporting '0' even though it was *not* working (BUG!);

    letsyncrypt doesn't re-request a signed-certificate every time you run it. It has built-in expiration for the cert and will do *nothing* if you just run it without any options, until the cert times out or you specify an option to force it do something. That's not a "BUG!".

    What you are saying here assumes there was a signed cert in place with an expiration. The problem is that there wasn't one because letsyncrypt at some point failed to get one.

    No signed-certificate = no expiration date = "doing *nothing*" = BUG!

    It should keep trying to get one until it is successful. If it isn't = BUG!

    (3) by the time the cert expired, evidence of whatever problem letsyncypt had (assuming it reported it to begin with) was long gone;

    Did you check your web server log output like I already suggested? It should explain what's happening when it's requesting the challenge file that letsyncrypt.js creates (but couldn't be retreived by the Let's Encrypt ACME service or whatever it is)?

    See my "long gone" comment above. Whenever letsyncrypt dropped its deuce, it wasn't initially noticed and whatever logs its oopsie got written in are no longer here.

    I provided the output of what some of the more recent attempts, with command lines, did.

    There is no reason for me to bother with it now. haproxy saved the day and, because it reads the pem files directly instead of requiring them to be converted into some nonsense format (that can only be generated by buggy letsyncrypt), it is easier to use and figure out.


    * SLMR 2.1a * Docs? Why look at the Docs? Nurses are better.
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From Digital Man@VERT to Dumas Walker on Monday, February 16, 2026 13:43:28
    Re: Installing manually obtai
    By: Dumas Walker to DIGITAL MAN on Mon Feb 16 2026 09:27 am

    Back to the letsyncrypt bug... after reading up on how Let's Encrypt works,
    I can figure out the following:

    (1) at some point, letsyncrypt hit an error that it either reported or didn't know what to do with;
    (2) after that, it kept reporting '0' even though it was *not* working (BUG!);

    letsyncrypt doesn't re-request a signed-certificate every time you run it. It has built-in expiration for the cert and will do *nothing* if you just run it without any options, until the cert times out or you specify an option to force it do something. That's not a "BUG!".

    What you are saying here assumes there was a signed cert in place with an expiration. The problem is that there wasn't one because letsyncrypt at some point failed to get one.

    There was self-signed certificate.

    No signed-certificate = no expiration date = "doing *nothing*" = BUG!

    It should keep trying to get one until it is successful. If it isn't = BUG!

    Perhaps. I wouldn't be so sure until the problem is actually root-caused. But you sure seem sure.

    There is no reason for me to bother with it now. haproxy saved the day and, because it reads the pem files directly instead of requiring them to be converted into some nonsense format (that can only be generated by buggy letsyncrypt), it is easier to use and figure out.

    So I guess we'll never know if there was a BUG! or not. Great. Thanks so much.
    --
    digital man (rob)

    Steven Wright quote #27:
    Experience is something you don't get until just after you need it.
    Norco, CA WX: 50.3°F, 92.0% humidity, 8 mph WSW wind, 0.12 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Nightfox@VERT/DIGDIST to Digital Man on Monday, February 16, 2026 14:12:36
    Re: Installing manually obtai
    By: Digital Man to Dumas Walker on Mon Feb 16 2026 01:43 pm

    Steven Wright quote #27:
    Experience is something you don't get until just after you need it.

    Some time ago, I saw a quote that said "Good judgment comes from experience. And experience, well, that comes from bad judgment."

    Nightfox

    ---
    þ Synchronet þ Digital Distortion: digitaldistortionbbs.com
  • From MRO@VERT/BBSESINF to Dumas Walker on Tuesday, February 17, 2026 02:33:01
    Re: Installing manually obtai
    By: Dumas Walker to DIGITAL MAN on Mon Feb 16 2026 09:27 am


    See my "long gone" comment above. Whenever letsyncrypt dropped its deuce, it wasn't initially noticed and whatever logs its oopsie got written in are no longer here.


    if you backed up you could check your backups.
    it's not that hard.

    only be generated by buggy letsyncrypt), it is easier to use and figure out.

    setting up letsyncrypt with datastream was amazingly easy to do.
    i was surprised.


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::