Subj : Re: Good afternoon and quick SSL Cert question... To : Craig Daters From : Dreamer Date : Fri Mar 28 2025 20:15:52 -=> Craig Daters wrote to All <=- CD> ...but could not get Let's Encrypt to work either. So I then attempted CD> to get a SSL cert installed like I would normally do when I set up a CD> regular website, but I had issues there as well. I tried to follow the CD> documentation found at: CD> https://wiki.synchro.net/module:certtool CD> ...so, through some trial and error I was able to get my cert CD> installed, but I want to confirm whether or not this was proper or if CD> there was a better way to set this up? So I came up with the following CD> documation for myself in case I need to redo my setup at any time: I just got my board up and running recently as well. I had purchased a certificate with my domain before reading about the Let's Encrypt integration, so didn't bother trying it myself. CD> Step 1: Generate a Certificate Signing Request (CSR) CD> I ran the following command to generate a CSR and private key using CD> Synchronet's certtool.js: CD> /sbbs/exec/jsexec /sbbs/exec/certtool.js --csr --domain CD> mysticalrealmbbs.com --domain www.mysticalrealmbbs.com > /sbbs/csr.pem CD> - This created a CSR at /sbbs/csr.pem. (perhaps I should have stuck it CD> in /sbbs/ctrl/csr.pem?) - It also generated a private key saved as CD> /sbbs/ctrl/cryptlib.key. The server wouldn't care about the CSR, so no worries about where you save it. CD> Step 2: Submit CSR to Namecheap CD> 1. I then went into my Namecheap account, activated my SSL. CD> 2. I was prompted to submit the contents of /sbbs/csr.pem to generate CD> my PositiveSSL certificate. 3. After verification (using the cname CD> method), Namecheap provided two files: CD> - mysticalrealmbbs_com.crt (your SSL certificate) CD> - mysticalrealmbbs_com.ca-bundle (intermediate certificate chain) I also use Namecheap, and this looks about right. CD> Step 3: Combine Certificate and CA Bundle CD> I combined my certificate and bundle into a single file: CD> cat mysticalrealmbbs_com.crt mysticalrealmbbs_com.ca-bundle > CD> /sbbs/ctrl/bbs.crt CD> This is the full certificate chain that I surmise Synchronet is CD> expecting. This also looks about right. The company I work for is still on a manual process for renewing certificates, so it's basically riding a bike for me. I normally do this in an editor, though, so not totally sure about the cat command. The main thing is to make sure the server cert is at the top above CA bundle in the new file. CD> Step 4: Prepare the Private Key I don't recall having to do anything with the private key. But, I didn't take notes, either. :( CD> - Why not use certtool.js --import? CD> - This method failed to create expected .crt or .cert files during CD> testing. Certtool worked for me. Since it worked, I didn't pay attention to how it worked. CD> - The key format generated by Cryptlib may be incompatible with CD> OpenSSL tools, but is accepted by Synchronet directly. I'm sure Digital Man will have something to say on this. I suspect there's probably a keystore at play. CD> - Verifying key and cert match (optional): CD> If needed, you can check that your private key and cert match using CD> OpenSSL (only works with compatible key formats): CD> openssl rsa -in /sbbs/ctrl/bbs.key -modulus -noout | sha256sum CD> openssl x509 -in /sbbs/ctrl/bbs.crt -modulus -noout | sha256sum CD> If the hashes match, the key and cert pair correctly. But I beleve CD> that certtool.js is using a different format to generte the key. I just checked the cryptlib.key, and it's likely not an RSA key file. I should also mention, I didn't have to edit any INI files, so it sounds like you went the long way 'round! --- MultiMail/Linux v0.49 þ Synchronet þ Dreamer's Place .