On Thu, 6 Nov 2025 16:36:13 -0800
"Digital Man" (VERT) <VERT!Digital.Man@overfit.retrievo.xyz> wrote:
Re: How do I install an Lets Encrypt Certificate.
By: Mojo to DOVE-Net.Synchronet_Sysops on Thu Nov 06 2025 11:50 am
Hi all,
I am trying to install a Let's Encrypt certificate generated via
certbot that comes with Debian/Ubuntu.
It gives me the following files
cert.pem
chain.pem
fullchain.pem (a combination of the previous two it looks like)
privkey.pem
I disabled the generate self-signed key in scfg. But I left both cryptlib.key and ssl.cert in place.
Things that I have tried.
1.
jsexec certtool --import ./fullchain.pem
result: "!JavaScript /home/synchronet/sbbs/exec/certtool.js line 70: Error: CryptLib error -43"
cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */
I'd try that again with a different/bogus path to the pem file to see
if the error changes (i.e. it's complaining about an object *within*
the file instead of the file itself).
Yes I tried that and it fails with bogus paths too.
```
if (argv.indexOf('--import') > -1) {
	// Open the keyset at csr_fname read-only and fetch the "ssl_cert" private key
	ks = new CryptKeyset(csr_fname, CryptKeyset.KEYOPT.READONLY);
	rsa = ks.get_private_key("ssl_cert", syspass);
	ks.close();
	// The certificate filename is the argument following --import
	i = argv.indexOf('--import') + 1;
	if (i >= argc)
		throw("No cert filename specified");
	f = new File(argv[i]);
	if (!f.open("rb"))
		throw("Unable to open " + f.name);
	cert = f.read();
	f.close();
	cert = ACMEv2.prototype.create_pkcs7(cert);
	cert = new CryptCert(cert);
	//cert.check();
	// Try up to 10 times (100 ms apart) to delete the existing sks_fname
	for (i = 0; i < 10; i++) {
		if (file_remove(sks_fname))
			break;
		mswait(100);
	}
	if (i == 10)
		throw("Unable to delete file " + sks_fname);
	// Create a new keyset holding the private key and the imported certificate
	ks = new CryptKeyset(sks_fname, CryptKeyset.KEYOPT.CREATE);
	ks.add_private_key(rsa, syspass);
	ks.add_public_key(cert);
	ks.close();
	print("Certificate imported, delete " + csr_fname + " after verifying.");
	file_touch(recycle_sem);
}
```
See there? It's looking for a csr file in the ctrl dir. Not sure why it
is doing that for just importing a cert. Or maybe certtool isn't meant
to just import a plain pem file. I think the tool itself is not for
this use case. I was looking at the letsyncrypt and that to see if I
can hack something simple together that can generate a ssl.cert in
the format that sbbs expects (from existing fullchain.pem and
privkey.pem) to replace the self generated one in ctrl.
The fullchain.pem looks the same as the example here https://wiki.synchro.net/module:certtool
That's promising.
2.
I tried adding the following to the bottom of the [Mail] section in sbbs.ini:
Secure = true
CertificateFile = ./ssl_certs/fullchain.pem
KeyFile = ./cryptlib.key
Those keys don't seem to be supported or documented anywhere. How'd
you come up with that?
I saw them here so just tried them.
https://nettwerked.synchronetbbs.org/?page=001-forum.ssjs&sub=dove-syncdisc&thread=1575
result: cannot connect to port 995
That just suggests that your TCP port 995 isn't open or sbbs isn't
listening on it. The [mail] Options TLS_POP3 option must be included
(which is by default) and the TLSPOP3Port option must be set to 995
(also the default) and your sbbs log output (e.g. syslog) would tell
if it's in fact listening on that port or not. This is completely unrelated to any certificate or key file.
It's failing due to the keys I added to the [Mail] section.
*** SSL/TLShandshake failed ***
I was attempting to see if sbbs would accept a straight cert and key
---
* Synchronet * Overfit! Bringing back the golden era of BBS Networking. [
telnet://playmate.dynu
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
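
An added example for Node.js (not Synchronet's certtool.js and not code from anyone in this thread): a pre-import check that lists the PEM objects in text such as certbot's fullchain.pem, so that "no certificate object in the file" can be told apart from "object present but damaged", and a private key that slipped into the bundle is counted. The function names and the sample data are constructed for illustration.

```javascript
// Added example for Node.js; not part of Synchronet, certtool.js or cryptlib.
const PEM_RE = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+\/=\r\n]+?)-----END \1-----/g;

// Length a DER blob claims for itself (tag + length bytes + body),
// or -1 if it does not start with a SEQUENCE (0x30).
function derTotalLength(der) {
  if (der.length < 2 || der[0] !== 0x30) return -1;
  if (der[1] < 0x80) return 2 + der[1];          // short-form length
  const n = der[1] & 0x7f;                        // long form: n length bytes
  if (n === 0 || n > 4 || der.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
  return 2 + n + len;
}

// Split PEM text into its blocks and note whether each decodes to one whole DER object.
function inspectPem(text) {
  const blocks = [];
  for (const m of text.matchAll(PEM_RE)) {
    const der = Buffer.from(m[2].replace(/\s+/g, ''), 'base64');
    blocks.push({ label: m[1], bytes: der.length,
                  wellFormed: derTotalLength(der) === der.length });
  }
  return blocks;
}

// Classify a bundle: is a certificate object missing, or present but damaged?
function checkBundle(text) {
  const blocks = inspectPem(text);
  const certs = blocks.filter(b => b.label === 'CERTIFICATE').length;
  const keys = blocks.filter(b => b.label.endsWith('PRIVATE KEY')).length;
  if (certs === 0) return { ok: false, reason: 'no CERTIFICATE block found', certs, keys };
  if (blocks.some(b => !b.wellFormed))
    return { ok: false, reason: 'malformed DER in a block', certs, keys };
  return { ok: true, reason: 'ok', certs, keys };
}

// Constructed sample data: tiny DER SEQUENCEs standing in for real certificates.
function samplePem(label, bytes) {
  return '-----BEGIN ' + label + '-----\n' + Buffer.from(bytes).toString('base64') +
         '\n-----END ' + label + '-----\n';
}
const SAMPLE_FULLCHAIN = samplePem('CERTIFICATE', [0x30, 3, 2, 1, 1]) +
                         samplePem('CERTIFICATE', [0x30, 3, 2, 1, 2]);

console.log(checkBundle(SAMPLE_FULLCHAIN));       // two certificates, no key
console.log(checkBundle('not a PEM file'));       // no certificate object in the text
```

To check a real file, pass its contents as a string (for example from `fs.readFileSync(path, 'latin1')`); the check covers PEM framing and the outer DER length only, not signatures or chain order.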