Section One BBS


Subject: Re: Good afternoon and quick SSL Cert question...
Date: Fri Mar 28 2025 08:15 pm
From: Dreamer
To: Craig Daters

-=> Craig Daters wrote to All <=-

 CD> ...but could not get Let's Encrypt to work either. So I then attempted
 CD> to get an SSL cert installed like I would normally do when I set up a
 CD> regular website, but I had issues there as well. I tried to follow the
 CD> documentation found at:

 CD> https://wiki.synchro.net/module:certtool

 CD> ...so, through some trial and error I was able to get my cert
 CD> installed, but I want to confirm whether or not this was proper or if
 CD> there was a better way to set this up? So I came up with the following
 CD> documentation for myself in case I need to redo my setup at any time:

I just got my board up and running recently as well. I had purchased a
certificate with my domain before reading about the Let's Encrypt integration,
so didn't bother trying it myself.

 CD> Step 1: Generate a Certificate Signing Request (CSR)

 CD> I ran the following command to generate a CSR and private key using
 CD> Synchronet's certtool.js:

 CD> /sbbs/exec/jsexec /sbbs/exec/certtool.js --csr --domain mysticalrealmbbs.com --domain www.mysticalrealmbbs.com > /sbbs/csr.pem

 CD> - This created a CSR at /sbbs/csr.pem. (perhaps I should have stuck it
 CD>   in /sbbs/ctrl/csr.pem?)
 CD> - It also generated a private key saved as /sbbs/ctrl/cryptlib.key.

The server wouldn't care about the CSR, so no worries about where you save it.

 CD> Step 2: Submit CSR to Namecheap

 CD> 1. I then went into my Namecheap account, activated my SSL.
 CD> 2. I was prompted to submit the contents of /sbbs/csr.pem to generate
 CD>    my PositiveSSL certificate.
 CD> 3. After verification (using the cname method), Namecheap provided two
 CD>    files:
 CD>     - mysticalrealmbbs_com.crt (your SSL certificate)
 CD>     - mysticalrealmbbs_com.ca-bundle (intermediate certificate chain)

I also use Namecheap, and this looks about right.

 CD> Step 3: Combine Certificate and CA Bundle

 CD> I combined my certificate and bundle into a single file:

 CD> cat mysticalrealmbbs_com.crt mysticalrealmbbs_com.ca-bundle > /sbbs/ctrl/bbs.crt

 CD> This is the full certificate chain that I surmise Synchronet is
 CD> expecting.

This also looks about right. The company I work for is still on a manual
process for renewing certificates, so it's basically riding a bike for me. I
normally do this in an editor, though, so not totally sure about the cat
command. The main thing is to make sure the server cert is at the top, above the
CA bundle, in the new file.

 CD> Step 4: Prepare the Private Key

I don't recall having to do anything with the private key. But, I didn't take
notes, either. :(

 CD> - Why not use certtool.js --import?
 CD>   - This method failed to create expected .crt or .cert files during
 CD> testing.

Certtool worked for me. Since it worked, I didn't pay attention to how it
worked.

 CD>   - The key format generated by Cryptlib may be incompatible with
 CD> OpenSSL tools, but is accepted by Synchronet directly.

I'm sure Digital Man will have something to say on this. I suspect there's
probably a keystore at play.

 CD> - Verifying key and cert match (optional):
 CD>   If needed, you can check that your private key and cert match using
 CD> OpenSSL (only works with compatible key formats):

 CD>   openssl rsa -in /sbbs/ctrl/bbs.key -modulus -noout | sha256sum
 CD>   openssl x509 -in /sbbs/ctrl/bbs.crt -modulus -noout | sha256sum

 CD>   If the hashes match, the key and cert pair correctly. But I believe
 CD> that certtool.js is using a different format to generate the key.

I just checked the cryptlib.key, and it's likely not an RSA key file.

I should also mention, I didn't have to edit any INI files, so it sounds like
you went the long way 'round!

 
--- MultiMail/Linux v0.49
 ■ Synchronet ■ Dreamer's Place

In Reply To: Good afternoon and quick SSL Cert question... (Craig Daters)
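
Added example (not part of either poster's message and not Synchronet code): a check of the combined file from Step 3 for the two things that can go wrong there, a server certificate that is not at the top and a `cat` join that fuses two PEM markers onto one line when the first file has no trailing newline. It compares raw issuer and subject bytes, which is a simplification of full X.509 name matching, and it does not verify signatures; the function names and the default path are assumptions.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
FUSED_RE = re.compile(r"-----END CERTIFICATE-----[ \t]*-----BEGIN CERTIFICATE-----")

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version precedes serialNumber
        _, _, end = _tlv(der, end)
    _, _, pos = _tlv(der, end)             # skip signature AlgorithmIdentifier
    _, _, issuer_end = _tlv(der, pos)
    issuer = der[pos:issuer_end]
    _, _, pos = _tlv(der, issuer_end)      # skip validity
    _, _, subject_end = _tlv(der, pos)
    return issuer, der[pos:subject_end]

def check_bundle(pem_text):
    """Return a list of problems found in a combined server cert + CA bundle file."""
    problems = []
    if FUSED_RE.search(pem_text):
        problems.append("fused PEM markers: a file joined by cat had no trailing newline")
    names = [issuer_and_subject(base64.b64decode("".join(body.split())))
             for body in PEM_RE.findall(pem_text)]
    if not names:
        problems.append("no certificates found")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer of cert i must be subject of cert i+1
            problems.append(f"wrong order: cert {i + 1} is not the issuer of cert {i}")
    return problems

if __name__ == "__main__":
    # Path is an assumption: the combined file from Step 3 of the quoted message.
    path = sys.argv[1] if len(sys.argv) > 1 else "/sbbs/ctrl/bbs.crt"
    with open(path) as fh:
        found = check_bundle(fh.read())
    print("\n".join(found) or "order OK: server cert first, each cert issued by the next")
    sys.exit(1 if found else 0)
```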