• Installing manually obtained let's encrypt certificate

    From Dumas Walker@VERT/CAPCITY2 to Digital Man on Sat Feb 14 14:55:10 2026
    Since letsyncrypt isn't working here and the irc is down, I decided to figure out how to get the cert on my own.

    Let's Encrypt has a nice bit of software that installed easily and works just fine. I can apparently set it up with cron to run when I need it to. It created certificates without any issue. The problem now is that I cannot figure out where synchronet expects to find these certificates (aside from the self-signed one). There is some nice documentation on the wiki for importing these into Hiawatha, but not any on getting the synchronet webserver to find or import them.

    There is an entry about using something called certtool but that utility is old and appears broken so I hope that isn't the answer.

    ./jsexec certtool --import /etc/letsencrypt/live/capitolcityonline.net/fullchain.pem

    Throws a cryptlib error -43.

    Thanks!
    ---
    ■ Synchronet ■ CAPCITY2 * Capitol City Online
  • From Digital Man@VERT to Dumas Walker on Sat Feb 14 18:54:11 2026
    Re: Installing manually obtained let's encrypt certificate
    By: Dumas Walker to Digital Man on Sat Feb 14 2026 02:55 pm

    Since letsyncrypt isn't working here and the irc is down, I decided to figure out how to get the cert on my own.

    IRC is working fine. I'm on it right now.
    --
    digital man (rob)

    Rush quote #61:
    He's a rebel and a runner, he's a signal turning green .. New World Man
    Norco, CA WX: 56.4°F, 81.0% humidity, 3 mph WNW wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Dumas Walker on Sat Feb 14 19:00:21 2026
    Re: Installing manually obtained let's encrypt certificate
    By: Dumas Walker to Digital Man on Sat Feb 14 2026 02:55 pm

    Since letsyncrypt isn't working here and the irc is down, I decided to figure out how to get the cert on my own.

    Let's Encrypt has a nice bit of software that installed easily and works just fine. I can apparently set it up with cron to run when I need it to.
    It created certificates without any issue. The problem now is that I cannot figure out where synchronet expects to find these certificates (aside from the self-signed one).

    The filename and location are the same, whether it's self-signed or signed by a CA (e.g. letsyncrypt), it's ctrl/ssl.cert: https://wiki.synchro.net/config:ssl.cert

    There is an entry about using something called certtool but that utility is old and appears broken so I hope that isn't the answer.

    ./jsexec certtool --import /etc/letsencrypt/live/capitolcityonline.net/fullchain.pem

    Throws a cryptlib error -43.

    ../../3rdp_src/cl/cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

    Most likely, it just doesn't support the format of the .pem file.

    I think the --import option expects a pkcs7 certificate, while
    the --import-pkcs12 option expects a pkcs12 certificate.

    The utility works for those that know how to work it.
    --
    digital man (rob)

    Breaking Bad quote #25:
    Now if I could only learn how to lick myself. - Hank Schrader
    Norco, CA WX: 56.4°F, 81.0% humidity, 3 mph WNW wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
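Added example, not part of the thread and not Synchronet project code: the reply above attributes the -43 error to a container-format mismatch (PEM versus PKCS#7 versus PKCS#12), so this sketch uses stock `openssl` subcommands to identify which container a file is and to repackage a Let's Encrypt PEM pair. The file names and the `P12_PASS` environment variable are assumptions, and it does not invoke certtool.

```shell
#!/bin/sh
# Added example: stock openssl subcommands only. File names and the P12_PASS
# variable are constructed placeholders, not Synchronet settings.

# Print the container format of FILE: pkcs7, pkcs12, pem-x509, pem-key or unknown.
cert_format() {
    f=$1
    if openssl pkcs7 -in "$f" -noout 2>/dev/null ||
       openssl pkcs7 -inform DER -in "$f" -noout 2>/dev/null; then
        echo pkcs7
    elif openssl pkcs12 -in "$f" -noout -passin env:P12_PASS 2>/dev/null; then
        echo pkcs12
    elif openssl x509 -in "$f" -noout 2>/dev/null; then
        echo pem-x509      # e.g. Let's Encrypt fullchain.pem
    elif openssl pkey -in "$f" -noout 2>/dev/null; then
        echo pem-key       # e.g. Let's Encrypt privkey.pem
    else
        echo unknown
    fi
}

# Bundle chain + private key into a PKCS#12 file (args: fullchain privkey out).
# The passphrase comes from the environment so it never shows up in `ps`, and
# umask 077 keeps the key-bearing output readable by its owner only.
pem_to_pkcs12() {
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS )
}

# Wrap the certificates only (no private key) in a PKCS#7 container.
pem_to_pkcs7() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"
}

# SHA-256 fingerprint of the leaf certificate inside a PKCS#12 bundle, to
# confirm the bundle carries the expected certificate before importing it.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Stand-alone use: sh thisfile.sh FILE  -> prints the detected format.
if [ "$#" -gt 0 ]; then cert_format "$1"; fi
```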
  • From Dumas Walker@VERT/CAPCITY2 to DIGITAL MAN on Sun Feb 15 10:21:44 2026
    ../../3rdp_src/cl/cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

    Most likely, it just doesn't support the format of the .pem file.

    I think the --import option expects a pkcs7 certificate, while
    the --import-pkcs12 option expects a pkcs12 certificate.

    The utility works for those that know how to work it.

    I might know how to work it if the docs were more clear about what needs to
    be done. I suspect that fullchain.pem and privkey.pem need to be cat/tee'd together, in that order, to make it work.

    Back to the letsyncrypt bug... after reading up on how Let's Encrypt works, I can figure out the following:

    (1) at some point, letsyncrypt hit an error that it either reported or
    didn't know what to do with;
    (2) after that, it kept reporting '0' even though it was *not* working
    (BUG!);
    (3) by the time the cert expired, evidence of whatever problem letsyncrypt had (assuming it reported it to begin with) was long gone;
    (4) the other two or three options on the wiki were getting errors because
    they likely require a valid cert to already be in place on the web server
    end. Since letsyncrypt had stopped working a while back, there wasn't one.

    While researching Let's Encrypt, I found a lot of good resources regarding using their certs with haproxy. As I am already using haproxy for something else, I put those good resources to use. I was able to install the cert into haproxy, set up new front and back ends for web traffic, and had a working website again in < 30 minutes.

    I started seeing some SMTPS errors so I put the self-signed cert back into place in /ctrl and that seemed to fix those.


    * SLMR 2.1a * Anything good is either illegal, immoral or fattening.
    ---
    ■ Synchronet ■ CAPCITY2 * Capitol City Online
  • From MRO@VERT/BBSESINF to Dumas Walker on Sun Feb 15 16:11:33 2026
    Re: Installing manually obtai
    By: Dumas Walker to DIGITAL MAN on Sun Feb 15 2026 10:21 am

    back ends for web traffic, and had a working website again in < 30
    minutes.

    I started seeing some SMTPS errors so I put the self-signed cert back
    into place in /ctrl and that seemed to fix those.



    Did this just break for no reason and normally it was working fine for you?
    or are you just now setting it up?


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man@VERT to Dumas Walker on Sun Feb 15 15:01:34 2026
    Re: Installing manually obtai
    By: Dumas Walker to DIGITAL MAN on Sun Feb 15 2026 10:21 am

    ../../3rdp_src/cl/cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

    Most likely, it just doesn't support the format of the .pem file.

    I think the --import option expects a pkcs7 certificate, while
    the --import-pkcs12 option expects a pkcs12 certificate.

    The utility works for those that know how to work it.

    I might know how to work it if the docs were more clear about what needs to be done. I suspect that fullchain.pem and privkey.pem need to be cat/tee'd together, in that order, to make it work.

    Back to the letsyncrypt bug... after reading up on how Let's Encrypt works, I can figure out the following:

    (1) at some point, letsyncrypt hit an error that it either reported or didn't know what to do with;
    (2) after that, it kept reporting '0' even though it was *not* working (BUG!);

    letsyncrypt doesn't re-request a signed-certificate every time you run it. It has built-in expiration for the cert and will do *nothing* if you just run it without any options, until the cert times out or you specify an option to force it to do something. That's not a "BUG!".

    (3) by the time the cert expired, evidence of whatever problem letsyncrypt had (assuming it reported it to begin with) was long gone;

    Did you check your web server log output like I already suggested? It should explain what's happening when it's requesting the challenge file that letsyncrypt.js creates (but couldn't be retrieved by the Let's Encrypt ACME service or whatever it is)?
    --
    digital man (rob)

    Breaking Bad quote #16:
    Thinking Operation Breath Mint every time you and me are on a stakeout together.
    Norco, CA WX: 59.8°F, 58.0% humidity, 6 mph WNW wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net