• Re: Letsencrypt work around?

    From Altere@VERT/ATHEL to Mortifis on Sat Dec 14 15:28:30 2019
    Re: Re: Letsencrypt work around?
    By: Mortifis to Digital Man on Sat Dec 14 2019 05:30 pm

    Woohoo, I finally got it working, on my Linuxbox, anyway, my windowsbox
    runs sbbs WE ON 81/4443 but my test SBBS is running on 80/443.

    1) shutdown the BBS
    2) deleted the letsyncrypt.key and ssl.cert files.
    3) restarted sbbs
    4) Deleted the entries in letsyncrypt.ini [Key_id] and [State]
    5) re-ran jsexec letsyncrypt.js --force

    ... though it was showing as TLS error same as before it actually completed the script and created /sbbs/web/root/.well_known/acme-challenge and letsyncrypt.key, now when I connect via https it gives a secure connection!

    I know the wiki says "Do not modify the [Key_id] and [State] sections", but the letsyncrypt.ini file I grabbed a while ago had the [Key_id] already filled in ... please consider adding a note that if the [Key_id] and [State] is defined it will Error 400 JWS.

    I followed the wiki, ended up still getting an unsigned cert but I had listed a second domain which came up with a valid cert. Clearing browser cache resolved the primary domain problem.

    -altere

    ---
    ■ Synchronet ■ Athelstan BBS ■ athelstan.org ■ telnet:23 | ssh:2222
  • From Altere@VERT/ATHEL to HusTler on Sat Dec 14 15:41:11 2019
    Re: Re: Letsencrypt work around?
    By: HusTler to Gamgee on Fri Dec 13 2019 08:30 am

    There is no "workaround" required.
    It only requires correct configuration.
    You've been given MULTIPLE suggestions by MULTIPLE people, and
    don't even bother responding that you received them, much less
    tried them, and whether they worked or not. You don't even

    I didn't reply because none of the suggestions worked. When something works I'll let everyone know it worked. I've followed everyone's instructions to the tee. My site is still insecure.

    What's in your letsyncrypt.ini file?

    Do you have a letsyncrypt.key and ssl.cert file in your ctrl dir?

    -altere

    ---
    ■ Synchronet ■ Athelstan BBS ■ athelstan.org ■ telnet:23 | ssh:2222
  • From Razor@VERT/SILENT to Mortifis on Sat Dec 14 12:56:00 2019
    Re: Re: Letsencrypt work around?
    By: Mortifis to Digital Man on Sat Dec 14 2019 05:30 pm

    Woohoo, I finally got it working, on my Linuxbox, anyway, my windowsbox runs sbbs WE ON 81/4443 but my test SBBS is running on 80/443.
    1) shutdown the BBS
    2) deleted the letsyncrypt.key and ssl.cert files.
    3) restarted sbbs
    4) Deleted the entries in letsyncrypt.ini [Key_id] and [State]
    5) re-ran jsexec letsyncrypt.js --force

    Does this now show as a real signed cert, not self-signed? Something that the documentation doesn't make clear is whether you should end up with a CA-signed cert. Mine is still showing self-signed at the moment.

    Razor

    ---
    ■ Synchronet ■ The Silent Strike - bbs.thesilentstrike.com
  • From Digital Man@VERT to Razor on Sun Dec 15 00:24:12 2019
    Re: Re: Letsencrypt work around?
    By: Razor to Mortifis on Sat Dec 14 2019 12:56 pm

    Re: Re: Letsencrypt work around?
    By: Mortifis to Digital Man on Sat Dec 14 2019 05:30 pm

    Woohoo, I finally got it working, on my Linuxbox, anyway, my windowsbox runs sbbs WE ON 81/4443 but my test SBBS is running on 80/443.
    1) shutdown the BBS
    2) deleted the letsyncrypt.key and ssl.cert files.
    3) restarted sbbs
    4) Deleted the entries in letsyncrypt.ini [Key_id] and [State]
    5) re-ran jsexec letsyncrypt.js --force

    Does this now show as a real signed cert, not self-signed? Something that the documentation doesn't make clear is whether you should end up with a CA-signed cert. Mine is still showing self-signed at the moment.

    Let's Encrypt is a CA (certificate authority). The entire point of using letsyncrypt.js is to get a certificate that is signed by Let's Encrypt. Without using Let's Encrypt (and letsyncrypt.js), you get an automatically generated self-signed certificate.

    digital man

    This Is Spinal Tap quote #16:
    David St. Hubbins: I believe virtually everything I read...
    Norco, CA WX: 50.1°F, 95.0% humidity, 0 mph SW wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Mortifis@VERT/ALLEYCAT to Razor on Mon Dec 16 11:39:15 2019
    Re: Re: Letsencrypt work around?
    By: Mortifis to Digital Man on Sat Dec 14 2019 05:30 pm

    Woohoo, I finally got it working, on my Linuxbox, anyway, my windowsbox runs sbbs WE ON 81/4443 but my test SBBS is running on 80/443.
    1) shutdown the BBS
    2) deleted the letsyncrypt.key and ssl.cert files.
    3) restarted sbbs
    4) Deleted the entries in letsyncrypt.ini [Key_id] and [State]
    5) re-ran jsexec letsyncrypt.js --force

    Does this now show as a real signed cert, not self-signed? Something that the documentation doesn't make clear is whether you should end up with a CA-signed cert. Mine is still showing self-signed at the moment.

    Razor

    The CA I received showed it was signed by letsyncrypt.org. I cannot get
    a valid certificate on my production SBBS server because it is not
    running on port 80/443, I ran that test on my production web server
    system. I have since shutdown sbbs on my linuxbox so
    alleycat.synchro.net has an invalid certificate again.

    ---
    ■ Synchronet ■ AlleyCat! BBS - http://alleycat.synchro.net:81
  • From Razor@VERT/SILENT to Digital Man on Fri Dec 20 16:49:55 2019
    That makes sense. I've figured out that my issue with not getting a cert that's signed by Let's Encrypt is likely related to my system not listening on port 80.
    Here's the log that Let's Encrypt generated https://acme-v02.api.letsencrypt.org/acme/authz-v3/1823799891
    It looks like it may be possible to tell the API to connect on an alternate port, possibly 9999 https://www.virtualmin.com/node/53385

    Razor

    ---
    ■ Synchronet ■ The Silent Strike - bbs.thesilentstrike.com
  • From Digital Man@VERT to Razor on Fri Dec 20 18:01:46 2019
    Re: Re: Letsencrypt work around?
    By: Razor to Digital Man on Fri Dec 20 2019 04:49 pm

    That makes sense. I've figured out that my issue with not getting a cert that's signed by Let's Encrypt is likely related to my system not listening on port 80.
    Here's the log that Let's Encrypt generated https://acme-v02.api.letsencrypt.org/acme/authz-v3/1823799891
    It looks like it may be possible to tell the API to connect on an alternate port, possibly 9999 https://www.virtualmin.com/node/53385

    Looks to me like they're just using a proxy. Unless you actually control the server already running on port 80, you can't do that. And if you do control the server on port 80, then you can either change it to a different port temporarily so the Synchronet server can run on port 80 or better yet, just create a symlink to your Synchronet web server root dir where the challenge/response for Let's Encrypt will be placed.

    If you don't control the web server running on port 80, I don't know that there is any work-around.

    digital man

    Synchronet/BBS Terminology Definition #20:
    DOS = Disk Operating System (as in PC-DOS and MS-DOS)
    Norco, CA WX: 63.3°F, 26.0% humidity, 0 mph W wind, 0.00 inches rain/24hrs

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
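
The symlink arrangement suggested in the last message, as an added example that is not part of the thread or of Synchronet's code: it links a port-80 server's challenge directory to the one under the Synchronet web root and checks that a probe file written there is reachable over HTTP. Assumptions: the standard ACME HTTP-01 path `/.well-known/acme-challenge/<token>`; the function names, temporary directories and the local test server are constructed for the illustration.

```python
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_URL_PATH = "/.well-known/acme-challenge/"  # fixed by RFC 8555 (HTTP-01)

def link_challenge_dir(front_root, sbbs_web_root):
    """Symlink the port-80 server's challenge dir to the one under the sbbs web root."""
    target = os.path.join(sbbs_web_root, ".well-known", "acme-challenge")
    os.makedirs(target, exist_ok=True)
    os.makedirs(os.path.join(front_root, ".well-known"), exist_ok=True)
    link = os.path.join(front_root, ".well-known", "acme-challenge")
    if not os.path.lexists(link):
        os.symlink(target, link)
    return target

def probe(base_url, challenge_dir):
    """Write a random probe file where tokens land, fetch it over HTTP, compare."""
    token = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(body)
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_URL_PATH + token, timeout=5) as r:
            return r.status == 200 and r.read().decode() == body
    except (urllib.error.URLError, OSError):
        return False  # 404, refused connection, timeout: validation would fail too
    finally:
        os.remove(path)  # never leave probe files in the challenge directory

def demo():
    """Constructed setup: a throwaway local server stands in for the port-80 server."""
    with tempfile.TemporaryDirectory() as front, tempfile.TemporaryDirectory() as sbbs:
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=front)
        with http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            challenge_dir = os.path.join(sbbs, ".well-known", "acme-challenge")
            os.makedirs(challenge_dir)
            base = "http://127.0.0.1:%d" % srv.server_address[1]
            before = probe(base, challenge_dir)  # no symlink yet: not reachable
            link_challenge_dir(front, sbbs)
            after = probe(base, challenge_dir)   # symlink in place: reachable
            srv.shutdown()
        return before, after

if __name__ == "__main__":
    print(demo())
```

Against a real host, call `probe()` with the site's public `http://` URL and the challenge directory under the Synchronet web root before re-running `letsyncrypt.js`; a `False` result means the CA's validation request on port 80 would not find the token either.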