Hi all,

I am trying to install a lets encrypt certificate generated via certbot
that comes with debian/ubuntu.

It gives me the following files
cert.pem
chain.pem
fullchain.pem (a combination of the previous two it looks like)
privkey.pam

I disabled the generate self-signed key in scfg. But I left both
cryptlib.key and ssl.cert in place.

Things that i have tried.
1.
jsexec certtool --import ./fullchain.pem
result: "!JavaScript /home/synchronet/sbbs/exec/certtool.js line 70:
Error: CryptLib error -43"

The fullchain.pem looks the same as the example here https://wiki.synchro.net/module:certtool

I copied the example there as a sanity check and that also fails with
the same error.

2.
I tried adding the folloing to the bottom of the [Mail] section in
sbbs.ini:
Secure = true
CertificateFile = ./ssl_certs/fullchain.pem
KeyFile = ./cryptlib.key

result: cannot connenct to port 995


Has anyone been succesful in using a LetsEncrypt cert in this manner
that they got directly from certbot?

Thanks in Advance.

---
* Synchronet * Overfit! Bringing back the golden era of BBS Networking. [telnet://playmate.dynu
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: How do I install an Lets Encrypt Certificate.
By: Mojo to DOVE-Net.Synchronet_Sysops on Thu Nov 06 2025 11:50 am

Hi all,

I am trying to install a lets encrypt certificate generated via certbot
that comes with debian/ubuntu.

It gives me the following files
cert.pem
chain.pem
fullchain.pem (a combination of the previous two it looks like)
privkey.pam

I disabled the generate self-signed key in scfg. But I left both cryptlib.key and ssl.cert in place.

Things that i have tried.
1.
jsexec certtool --import ./fullchain.pem
result: "!JavaScript /home/synchronet/sbbs/exec/certtool.js line 70:
Error: CryptLib error -43"

cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not found in object */

I'd try that again with a different/bogus path to the pem file to see if the error changes (i.e. it's complaining about an object *within* the file instead of the file itself).

The fullchain.pem looks the same as the example here https://wiki.synchro.net/module:certtool

That's promising.

2.
I tried adding the folloing to the bottom of the [Mail] section in
sbbs.ini:
Secure = true
CertificateFile = ./ssl_certs/fullchain.pem
KeyFile = ./cryptlib.key

Those keys don't seem to be supported or documented anywhere. How'd you come up with that?

result: cannot connenct to port 995

That just suggests that your TCP port 995 isn't open or sbbs isn't listening on it. The [mail] Options TLS_POP3 option must be included (which is by default) and the TLSPOP3Port option must be set to 995 (also the default) and your sbbs log output (e.g. syslog) would tell if if it's in fact listening on that port or not. This is completely unrelated to any certificate or key file.
--
digital man (rob)

Synchronet "Real Fact" #129:
Vertrauen first started running Synchronet (switched from WWIV) in July of 1991 Norco, CA WX: 68.4øF, 65.0% humidity, 4 mph W wind, 0.00 inches rain/24hrs
--- SBBSecho 3.31-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

On Thu, 6 Nov 2025 16:36:13 -0800
"Digital Man" (VERT) <VERT!Digital.Man@overfit.retrievo.xyz> wrote:

Re: How do I install an Lets Encrypt Certificate.
By: Mojo to DOVE-Net.Synchronet_Sysops on Thu Nov 06 2025 11:50 am

Hi all,

I am trying to install a lets encrypt certificate generated via
certbot that comes with debian/ubuntu.

It gives me the following files
cert.pem
chain.pem
fullchain.pem (a combination of the previous two it looks like) privkey.pam

I disabled the generate self-signed key in scfg. But I left both cryptlib.key and ssl.cert in place.

Things that i have tried.
1.
jsexec certtool --import ./fullchain.pem
result: "!JavaScript /home/synchronet/sbbs/exec/certtool.js line
70: Error: CryptLib error -43"

cryptlib.h:#define CRYPT_ERROR_NOTFOUND ( -43 ) /* Requested item not
found in object */

I'd try that again with a different/bogus path to the pem file to see
if the error changes (i.e. it's complaining about an object *within*
the file instead of the file itself).

Yes I tried that and it fails with bogus paths too.
```
if (argv.indexOf('--import') > -1) {
ks = new CryptKeyset(csr_fname,
CryptKeyset.KEYOPT.READONLY);
rsa = ks.get_private_key("ssl_cert", syspass);
ks.close();

i = argv.indexOf('--import') + 1;
if (i>=argc)
throw("No cert filename specified");
f = new File(argv[i]);
if (!f.open("rb"))
throw("Unable to open "+f.name);
cert = f.read();
f.close();
cert = ACMEv2.prototype.create_pkcs7(cert);
cert = new CryptCert(cert);
//cert.check();

for (i=0; i < 10; i++) {
if (file_remove(sks_fname))
break;
mswait(100);
}
if (i == 10)
throw("Unable to delete file "+sks_fname);

ks = new CryptKeyset(sks_fname, CryptKeyset.KEYOPT.CREATE);
ks.add_private_key(rsa, syspass);
ks.add_public_key(cert);
ks.close();
print("Certificate imported, delete "+csr_fname+" after
verifying.");
file_touch(recycle_sem);
}
```

see there? Its looking for a csr file in the ctrl dir. Not sure why it
is doing that for just importing a cert. Or maybe certtool isn't meant
to just import a plain pem file. I think the tool itself is not for
this use case. I was looking at the letsyncript and that to see if i
can hack something simple together that can genearte a ssl.cert in
the format that sbbs expects (from exiting fullchain.pem and
privkey.pem) to replae the self generated one in ctrl.

The fullchain.pem looks the same as the example here https://wiki.synchro.net/module:certtool

That's promising.

2.
I tried adding the folloing to the bottom of the [Mail] section in sbbs.ini:
Secure = true
CertificateFile = ./ssl_certs/fullchain.pem
KeyFile = ./cryptlib.key

Those keys don't seem to be supported or documented anywhere. How'd
you come up with that?

I saw them here so just tried them. https://nettwerked.synchronetbbs.org/?page=001-forum.ssjs&sub=dove-syncdisc&thread=1575

result: cannot connenct to port 995

That just suggests that your TCP port 995 isn't open or sbbs isn't
listening on it. The [mail] Options TLS_POP3 option must be included
(which is by default) and the TLSPOP3Port option must be set to 995
(also the default) and your sbbs log output (e.g. syslog) would tell
if if it's in fact listening on that port or not. This is completely unrelated to any certificate or key file.

Its failing due to the keys I added to the [Mail] section.
*** SSL/TLShandshake failed ***
I was attempting to see if sbbs would accept a straight cert and key

---
* Synchronet * Overfit! Bringing back the golden era of BBS Networking. [telnet://playmate.dynu
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Re: How do I install an Lets Encrypt Certificate.
By: Mojo to All on Thu Nov 06 2025 10:59 pm

2.
I tried adding the folloing to the bottom of the [Mail] section in sbbs.ini:
Secure = true
CertificateFile = ./ssl_certs/fullchain.pem
KeyFile = ./cryptlib.key

Those keys don't seem to be supported or documented anywhere. How'd
you come up with that?

I saw them here so just tried them. https://nettwerked.synchronetbbs.org/?page= 001-forum.ssjs&sub=dove-syncdisc&thread=1575

I'm guessing that's just some AI slop. Those keys in sbbs.ini "CertificateFile" and "KeyFile" and "Secure" will do absolutely nothing.

Its failing due to the keys I added to the [Mail] section.
*** SSL/TLShandshake failed ***

No, those keys you added will be ignored and have no effect on the mail server. --
digital man (rob)

Breaking Bad quote #15:
Cheer up Gomey, your people still got J. Lo. - Hank Schrader
Norco, CA WX: 73.4øF, 55.0% humidity, 2 mph SSE wind, 0.00 inches rain/24hrs --- SBBSecho 3.31-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

On Fri, 7 Nov 2025 09:55:38 -0800
"Digital Man" (VERT) <VERT!Digital.Man@overfit.retrievo.xyz> wrote:

Re: Re: How do I install an Lets Encrypt Certificate.
By: Mojo to All on Thu Nov 06 2025 10:59 pm

2.
I tried adding the folloing to the bottom of the [Mail]
section in sbbs.ini:
Secure = true
CertificateFile = ./ssl_certs/fullchain.pem
KeyFile = ./cryptlib.key

Those keys don't seem to be supported or documented anywhere.
How'd you come up with that?

I saw them here so just tried them. https://nettwerked.synchronetbbs.org/?page= 001-forum.ssjs&sub=dove-syncdisc&thread=1575

I'm guessing that's just some AI slop. Those keys in sbbs.ini "CertificateFile" and "KeyFile" and "Secure" will do absolutely
nothing.

Its failing due to the keys I added to the [Mail] section.
*** SSL/TLShandshake failed ***

No, those keys you added will be ignored and have no effect on the
mail server.

So there is no way of using already existing key/cert pair from LE
other than thru the module or go with the self-generated cert that sbbs
does? That is getting them into ctrl/ssl.cert.

---
* Synchronet * Overfit! Bringing back the golden era of BBS Networking. [telnet://playmate.dynu
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Re: How do I install an Lets Encrypt Certificate.
By: Mojo to All on Fri Nov 07 2025 05:36 pm

So there is no way of using already existing key/cert pair from LE
other than thru the module or go with the self-generated cert that sbbs does? That is getting them into ctrl/ssl.cert.

Deuce's certtool.js is intended for that purpose, I think. You can catch Deuce in #synchronet at irc.synchro.net and ask him.
--
digital man (rob)

Synchronet "Real Fact" #110:
Weedpuller "Girl Upstairs" http://youtu.be/SVulVxkgNTo
Norco, CA WX: 68.1øF, 71.0% humidity, 2 mph NW wind, 0.00 inches rain/24hrs
--- SBBSecho 3.31-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)