This week, I have started having certificate issues. letsyncrypt is enabled, running, and I have not touched the configs for it.
Firefox users are getting a security warning which, on further inspection, is complaining about a self signed cert. Here is what appears on the BBS side during such a connection:
2/12 08:46:38 web 0062 TLS WARNING 'Received TLS alert message: Bad certificate' (-26) popping data
Chrome also throws a security warning. Locally:
2/12 08:48:49 web 0057 TLS WARNING 'Received TLS alert message: Certificate unknown' (-26) setting session active
Running the event, or running letsyncrypt from the CLI, doesn't offer any clues of a potential issue:
2/12 08:50:02 evnt BBS Events Semaphore signaled for Timed Event: SYNCRYPT
2/12 08:50:02 evnt SYNCRYPT Running native timed event: ?letsyncrypt.js
2/12 08:50:02 evnt SYNCRYPT Timed event: '?letsyncrypt.js' returned 0
Running from cli produces no clues:
$ ./jsexec letsyncrypt.js
The contents of my ini file:
; $Id: letsyncrypt.ini,v 1.1 2019/07/24 22:32:54 rswindell Exp $
; For use with exec/letsyncrypt.js
; See http://wiki.synchro.net/module:letsyncrypt for details
Host = acme-v02.api.letsencrypt.org
Directory = /directory
TOSAgreed = true
GroupReadableKeyFile = false
[Domains]
capitolcityonline.net = /sbbs/webv4/root
capcity2.synchro.net = /sbbs/webv4/root
classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net
[key_id]
acme-v02.api.letsencrypt.org=https://acme-v02.api.letsencrypt.org/acme/acct/108002992
[State]
DomainHash= (redacted)
Host=acme-v02.api.letsencrypt.org
Is anyone else having issues?
I'm not having issues. When I check your domain with this tool: https://www.ssllabs.com/ssltest/analyze.html?d=capitolcityonline.net it reports that you have a Certificate name mismatch; clicking ignore/continue, it then reports that it's self-signed.
If I try https://www.ssllabs.com/ssltest/analyze.html?d=capcity2.synchro.net it also reports a self-signed cert. So it definitely seems like the certificate being sent out doesn't match your letsyncrypt.cfg.
One thing you can do is disable self-signed cert generation by setting SCFG->System->Security->Create Self-signed Certificate to "No".
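A diagnostic along the lines of the SSL Labs check above, added here as an example and not code from this thread or from Synchronet: it reads the [Domains] section of a letsyncrypt.ini, compares it with the names on the certificate a server actually presents, and flags the two findings reported here (self-signed, name mismatch). The ini fragment and the certificate dict are constructed, and probe_tls needs network access.

```python
import configparser
import socket
import ssl

# Constructed [Domains] section, modelled on the letsyncrypt.ini in the thread.
LETSYNCRYPT_INI = """\
[Domains]
capitolcityonline.net = /sbbs/webv4/root
capcity2.synchro.net = /sbbs/webv4/root
classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net
"""

# Constructed cert in the dict layout ssl.SSLSocket.getpeercert() returns:
# self-signed (issuer == subject) and naming a different BBS host entirely.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "endofthelinebbs.com"),),),
    "issuer": ((("commonName", "endofthelinebbs.com"),),),
    "subjectAltName": (("DNS", "endofthelinebbs.com"),),
}

def configured_domains(ini_text):
    """Hostnames listed under [Domains] in a letsyncrypt.ini, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep hostnames exactly as written
    cp.read_string(ini_text)
    return list(cp["Domains"])

def cert_names(cert):
    """DNS SANs plus the subject CN from a getpeercert() dict."""
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v for k, v in rdn if k == "commonName")
    return names

def audit_cert(cert, ini_text):
    """The two findings SSL Labs reported in the thread: a self-signed cert,
    and configured domains that the served certificate does not cover."""
    names = cert_names(cert)
    return {
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "missing_domains": [d for d in configured_domains(ini_text) if d not in names],
    }

def probe_tls(host, port=443):
    """Live check (needs network): (True, names) when the cert validates for
    `host`, else (False, OpenSSL's reason, e.g. 'self-signed certificate')."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, cert_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message
```

Run audit_cert on SELF_SIGNED_CERT to see the thread's symptom reproduced offline, then probe_tls("capitolcityonline.net") to see what the live server returns.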
; $Id: letsyncrypt.ini,v 1.1 2019/07/24 22:32:54 rswindell Exp $
; For use with exec/letsyncrypt.js
; See http://wiki.synchro.net/module:letsyncrypt for details
Host = acme-v02.api.letsencrypt.org
Directory = /directory
TOSAgreed = true
GroupReadableKeyFile = false
[Domains]
capitolcityonline.net = /sbbs/webv4/root
capcity2.synchro.net = /sbbs/webv4/root
classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net
[key_id]
acme-v02.api.letsencrypt.org=https://acme-v02.api.letsencrypt.org/acme/acct/108002992
[State]
DomainHash= (redacted)
Host=acme-v02.api.letsencrypt.org
Based on my config (requoted below), do you see anything that would cause a name mismatch or a cert that doesn't match my config?
Update... trying some of the command lines do return errors:
$ ./jsexec letsyncrypt.js --revoke
!JavaScript /home/bbs/exec/load/acmev2.js line 360: Error: revokeCert did not return 200
And, of course, the irc is broken, too:
Looking up irc.synchro.net
* Subject: /CN=endofthelinebbs.com
this will never work because the hosts don't match
I noticed that, but that is what happened when I plugged irc.synchro.net into hexchat in the server name field and told it to connect. I did *not* put *any* info in there for endofthelinebbs.com.
I can only assume that came from the host end, as I only saw that response the one time it connected. The other few times, when it got other errors or timed out, that erroneous address didn't show up.
Simply turn off TLS in the IRC client and it'll use TCP port 6667 (didn't I already explain this?) and work. Or heck, just use the IRC option from the chat menu on your own BBS!
I noticed that, but that is what happened when I plugged irc.synchro.net into hexchat in the server name field and told it to connect. I did *not* put *any* info in there for endofthelinebbs.com.
irc.synchro.net is a rotating hostname, it points to *all* of the IRC servers (and there's a lot of them). That can be seen using tools like nslookup, host, dig, etc.: