[rslight] thunderbird and letsencrypt problems

https://news.novabbs.org/computers/article-flat.php?id=950&group=rocksolid.nodes.help#950

Path: i2pn2.org!i2pn.org!paganini.bofh.team!tor-network!not-for-mail
From: 3883@sugar.bug (SugarBug)
Newsgroups: rocksolid.nodes.help
Subject: [rslight] thunderbird and letsencrypt problems
Date: Wed, 7 Feb 2024 00:04:25 -0600
Organization: To protect and to server
Message-ID: <upv6c2$2bt92$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 7 Feb 2024 06:01:39 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="2487586"; posting-host="lwlLyVBwDY1MbKmPZJ0eXA.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
Cancel-Lock: sha256:gse/C79q8/mmoc7q5ffhX16lWVVsPsz8JkTHf9WyBIk=
X-TOR-Router: sha256:MmEwZTplNzAxOjExOTg6OjE= --
X-Notice: Filtered by postfilter v. 0.9.3
 by: SugarBug - Wed, 7 Feb 2024 06:04 UTC

No matter what I do Thunderbird will not work with rslight ssl with
self-signed certificate. Manually adding the cert in Thunderbird does
not fix it.

I tried to fix it at the server level with letsencrypt.inc.php.

I enabled letsencrypt by renaming the .dist file. I entered the path to
the desired key directory.

When cron runs no keys are generated in the path.

Errors are output in syslog with full path <snipped>:

2024-02-07T00:52:41.940136-05:00 lamp php[6367]: PHP Fatal error:
Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must
be of type OpenSSLAsymmetricKey, bool given in
<snip>/config/letsencrypt.inc.php:12

2024-02-07T00:52:41.940357-05:00 lamp php[6367]: #0
<snip>/config/letsencrypt.inc.php(12): openssl_pkey_get_details()

2024-02-07T00:52:41.940517-05:00 lamp php[6367]: thrown in
<snip>/config/letsencrypt.inc.php on line 12

Then I manually created the key directory and still got the same
errors. User has read and write permissions.

Then I changed the directory in letsencrypt.inc.php to use existing keys
for my domain and the cron returned the same errors.

What am I missing?

--
SugarBug <3883@sugar.bug> | sybershock.com

Re: [rslight] thunderbird and letsencrypt problems


https://news.novabbs.org/computers/article-flat.php?id=951&group=rocksolid.nodes.help#951

Date: Wed, 7 Feb 2024 16:38:20 +0000
Subject: Re: [rslight] thunderbird and letsencrypt problems
From: retro.guy@rocksolidbbs.com (Retro Guy)
Newsgroups: rocksolid.nodes.help
X-Rslight-Site: $2y$10$XqRPV3pEvKH0hvPpvi2hGelwl2g9qWkIly0DZsX5g8btw.KlNQlgS
X-Rslight-Posting-User: a93aefeeff923def71455caae2dbfb277a59e046
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
User-Agent: Rocksolid Light
References: <upv6c2$2bt92$1@paganini.bofh.team>
Organization: Rocksolid Light
Message-ID: <b46e490a9f9f7f68129e37fd38d6f3bb@www.novabbs.org>
 by: Retro Guy - Wed, 7 Feb 2024 16:38 UTC

SugarBug wrote:

> No matter what I do Thunderbird will not work with rslight ssl with
> self-signed certificate. Manually adding the cert in Thunderbird does
> not fix it.

> I tried to fix it at the server level with letsencrypt.inc.php.

Not sure if you're using a self-signed cert or letsencrypt.

If you DO NOT have letsencrypt.inc.php (leave it with '.dist') rslight should create a self-signed cert. I just tried it on a test site and then tested it with (rslight.rtm is my local test site):
openssl s_client -connect rslight.rtm:563

<snip>
Verify return code: 18 (self-signed certificate)
Extended master secret: yes
---
200 Rocksolid Light NNTP Server ready (no posting)

> I enabled letsencrypt by renaming the .dist file. I entered the path to
> the desired key directory.

To use letsencrypt, first obtain a letsencrypt cert:
https://letsencrypt.org/

My sites use letsencrypt certs for the nntp server (novabbs.com, etc.)

Then configure letsencrypt.inc.php to point to the cert files, making sure your web user can read them. If it can not, you'll need to copy them somewhere else to read them (which is what I do for inn).

> When cron runs no keys are generated in the path.

The keys in $letsencrypt['path'] are not generated by rslight, they are generated when installing a letsencrypt cert.

Try testing with the openssl command above.

--
Retro Guy

Re: [rslight] thunderbird and letsencrypt problems


https://news.novabbs.org/computers/article-flat.php?id=952&group=rocksolid.nodes.help#952

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!paganini.bofh.team!tor-network!not-for-mail
From: 3883@sugar.bug (SugarBug)
Newsgroups: rocksolid.nodes.help
Subject: Re: [rslight] thunderbird and letsencrypt problems
Date: Wed, 7 Feb 2024 22:48:43 -0600
Organization: To protect and to server
Message-ID: <uq1ma4$2k6s1$1@paganini.bofh.team>
References: <upv6c2$2bt92$1@paganini.bofh.team>
<b46e490a9f9f7f68129e37fd38d6f3bb@www.novabbs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 8 Feb 2024 04:45:57 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="2759553"; posting-host="UsdsZiYKRHXfHJF8iqyOmA.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha256:hn1XZ+/YFUn0yGGqpy/EhRe3Q8chsy2w4yx4NPT+r9s=
X-Notice: Filtered by postfilter v. 0.9.3
X-TOR-Router: sha256:MmEwYjpmNGMwOjE2Yzo1Ojox --
Content-Language: en-US
 by: SugarBug - Thu, 8 Feb 2024 04:48 UTC

On 2/7/24 10:38, Retro Guy wrote:
> SugarBug wrote:
>
>> No matter what I do Thunderbird will not work with rslight ssl with
>> self-signed certificate. Manually adding the cert in Thunderbird does
>> not fix it.
>
>> I tried to fix it at the server level with letsencrypt.inc.php.
>
> Not sure if you're using a self-signed cert or letsencrypt.
>
> If you DO NOT have letsencrypt.inc.php (leave it with '.dist') rslight
> should create a self-signed cert. I just tried it on a test site and
> then tested it with (rslight.rtm is my local test site):
> openssl s_client -connect rslight.rtm:563
>
> <snip>
>    Verify return code: 18 (self-signed certificate)
>    Extended master secret: yes
> ---
> 200 Rocksolid Light NNTP Server ready (no posting)

Yeah, the self-signed certs work. I originally assumed that the
letsencrypt function registered with letsencrypt API.

>> I enabled letsencrypt by renaming the .dist file. I entered the path to
>> the desired key directory.
>
> To use letsencrypt, first obtain a letsencrypt cert:
> https://letsencrypt.org/

I already have letsencrypt TLS certs for the domain.

> My sites use letsencrypt certs for the nntp server (novabbs.com, etc.)
>
> Then configure letsencrypt.inc.php to point to the cert files, making
> sure your web user can read them. If it can not, you'll need to copy
> them somewhere else to read them (which is what I do for inn).

Which of the cert files should I be using? Letsencrypt always generates
4 of them, and not in PEM format.

>> When cron runs no keys are generated in the path.
>
> The keys in $letsencrypt['path'] are not generated by rslight, they are
> generated when installing a letsencrypt cert.
>
> Try testing with the openssl command above.

Certbot, acme, and letsencrypt do not appear to generate certificates in
the PEM format usable by rslight. Also, openssl x509 -out does not
convert any of them to a proper RSA certificate recognized by rslight.
What are you using for generating the letsencrypt versions that work?

--
SugarBug <3883@sugar.bug> | sybershock.com

Re: [rslight] thunderbird and letsencrypt problems


https://news.novabbs.org/computers/article-flat.php?id=953&group=rocksolid.nodes.help#953

Date: Thu, 8 Feb 2024 18:21:38 +0000
Subject: Re: [rslight] thunderbird and letsencrypt problems
From: retro.guy@rocksolidbbs.com (Retro Guy)
Newsgroups: rocksolid.nodes.help
X-Rslight-Site: $2y$10$/Q.RLYeYP9mUfGUC6XiXTO5MZQVyXGH.U.Q7ZQsmuKNp/VkahuiJ.
X-Rslight-Posting-User: a93aefeeff923def71455caae2dbfb277a59e046
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
User-Agent: Rocksolid Light
References: <upv6c2$2bt92$1@paganini.bofh.team> <b46e490a9f9f7f68129e37fd38d6f3bb@www.novabbs.org> <uq1ma4$2k6s1$1@paganini.bofh.team>
Organization: Rocksolid Light
Message-ID: <f3e04c9597c89e76109a1260ab10a97a@www.novabbs.org>
 by: Retro Guy - Thu, 8 Feb 2024 18:21 UTC

SugarBug wrote:

> On 2/7/24 10:38, Retro Guy wrote:
>> SugarBug wrote:
>>
>>> No matter what I do Thunderbird will not work with rslight ssl with
>>> self-signed certificate. Manually adding the cert in Thunderbird does
>>> not fix it.
>>
>>> I tried to fix it at the server level with letsencrypt.inc.php.
>>
>> Not sure if you're using a self-signed cert or letsencrypt.
>>
>> If you DO NOT have letsencrypt.inc.php (leave it with '.dist') rslight
>> should create a self-signed cert. I just tried it on a test site and
>> then tested it with (rslight.rtm is my local test site):
>> openssl s_client -connect rslight.rtm:563
>>
>> <snip>
>>    Verify return code: 18 (self-signed certificate)
>>    Extended master secret: yes
>> ---
>> 200 Rocksolid Light NNTP Server ready (no posting)

> Yeah, the self-signed certs work. I originally assumed that the
> letsencrypt function registered with letsencrypt API.

>>> I enabled letsencrypt by renaming the .dist file. I entered the path to
>>> the desired key directory.
>>
>> To use letsencrypt, first obtain a letsencrypt cert:
>> https://letsencrypt.org/

> I already have letsencrypt TLS certs for the domain.

>> My sites use letsencrypt certs for the nntp server (novabbs.com, etc.)
>>
>> Then configure letsencrypt.inc.php to point to the cert files, making
>> sure your web user can read them. If it can not, you'll need to copy
>> them somewhere else to read them (which is what I do for inn).

> Which of the cert files should I be using? Letsencrypt always generates
> 4 of them, and not in PEM format.

Strange. Here is what letsencrypt creates on my sites:
ls /etc/letsencrypt/live/<domain>/
cert.pem chain.pem fullchain.pem privkey.pem README

>>> When cron runs no keys are generated in the path.

Keys should end up in <spooldir>/ssl
$ssldir = $spooldir . '/ssl/';

>> The keys in $letsencrypt['path'] are not generated by rslight, they are
>> generated when installing a letsencrypt cert.
>>
>> Try testing with the openssl command above.

> Certbot, acme, and letsencrypt do not appear to generate certificates in
> the PEM format usable by rslight. Also, openssl x509 -out does not
> convert any of them to a proper RSA certificate recognized by rslight.
> What are you using for generating the letsencrypt versions that work?

The certs are generated in rslight-lib.php, and called from cron.php as:
$pemfile = $ssldir . '/server.pem';
create_node_ssl_cert($pemfile);

This requires a file to be created in <config_dir> temporarily by the web user. I suspect this may be an issue and we should change that.

Try manually creating the file:
<config_dir>/ssl.reload

as a test. (Delete it when you're done). This file would automatically be created in rslight-lib.php, but maybe that's not working. It tells rslight to re-create the ssl cert in <spooldir>/ssl

If your letsencrypt files are not .pem, are they still a format that can be used to create ssl cert?

Rslight wants to create the following three files from letsencrypt cert:
file_put_contents($pemfile, $letsencrypt['server.pem'] . $letsencrypt['privkey']);
file_put_contents($pubkeyfile, $letsencrypt['pubkey.pem']);
file_put_contents($pubkeytxtfile, $letsencrypt['pubkey.pem']);

--
Retro Guy
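Added example, not rslight's own code and not something Retro Guy posted: a PHP loader for the Let's Encrypt files listed above that writes the three files the reply describes, but checks every OpenSSL return value first. Passing an unchecked `false` from openssl_pkey_get_private() into openssl_pkey_get_details() is exactly what produces the "bool given" TypeError quoted in the first post; the names le_read/le_install, the output file names, and the choice of fullchain.pem for the server certificate are assumptions.

```php
<?php
// Added example (not rslight's code). Loads a Let's Encrypt live directory
// the way the thread describes and fails with a readable message instead of
// "openssl_pkey_get_details(): Argument #1 ($key) must be of type
// OpenSSLAsymmetricKey, bool given". Paths and function names are hypothetical.

/** Read one file, or explain which file the web user cannot read. */
function le_read(string $path): string
{
    if (!is_readable($path)) {   // /etc/letsencrypt/live is usually root-only
        throw new RuntimeException("cannot read $path as " . get_current_user());
    }
    return file_get_contents($path);
}

/**
 * Build server.pem (cert chain + key), pubkey.pem and pubkey.txt in $ssldir.
 * fullchain.pem is assumed to be the certificate rslight should serve.
 */
function le_install(string $liveDir, string $ssldir): array
{
    $chain  = le_read("$liveDir/fullchain.pem");
    $keyPem = le_read("$liveDir/privkey.pem");

    $key = openssl_pkey_get_private($keyPem);   // returns false, not an exception
    if ($key === false) {
        throw new RuntimeException('privkey.pem is not a usable private key: ' . openssl_error_string());
    }
    $cert = openssl_x509_read($chain);           // first PEM block = leaf certificate
    if ($cert === false) {
        throw new RuntimeException('fullchain.pem does not start with a PEM certificate');
    }
    if (!openssl_x509_check_private_key($cert, $key)) {
        throw new RuntimeException('privkey.pem does not belong to this certificate');
    }
    $info = openssl_x509_parse($cert);
    if ($info === false || $info['validTo_time_t'] < time()) {
        throw new RuntimeException('certificate is unparsable or already expired');
    }

    $details = openssl_pkey_get_details($key);   // safe: $key is OpenSSLAsymmetricKey
    $pubkey  = $details['key'];                  // PEM-encoded public key
    file_put_contents("$ssldir/server.pem", $chain . $keyPem);
    file_put_contents("$ssldir/pubkey.pem", $pubkey);
    file_put_contents("$ssldir/pubkey.txt", $pubkey);
    return ['bits' => $details['bits'], 'expires' => $info['validTo_time_t']];
}

// Example call (hypothetical paths):
// le_install('/etc/letsencrypt/live/example.org', '/var/spool/rslight/ssl');
```

Run it as the web user that cron.php runs under, so that a root-only privkey.pem shows up as the readability error rather than as a later TypeError.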

Re: [rslight] thunderbird and letsencrypt problems


https://news.novabbs.org/computers/article-flat.php?id=954&group=rocksolid.nodes.help#954

Date: Thu, 8 Feb 2024 20:04:17 +0000
Subject: Re: [rslight] thunderbird and letsencrypt problems
From: retro.guy@rocksolidbbs.com (Retro Guy)
Newsgroups: rocksolid.nodes.help
X-Rslight-Site: $2y$10$8VbCEWuPpoaC7IZ5chZhLOi3AlXjJHFsQKVeXbnMcrStIT9f1354u
X-Rslight-Posting-User: a93aefeeff923def71455caae2dbfb277a59e046
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
User-Agent: Rocksolid Light
References: <upv6c2$2bt92$1@paganini.bofh.team> <b46e490a9f9f7f68129e37fd38d6f3bb@www.novabbs.org> <uq1ma4$2k6s1$1@paganini.bofh.team> <f3e04c9597c89e76109a1260ab10a97a@www.novabbs.org>
Organization: Rocksolid Light
Message-ID: <6471c5f326a99954831fb6fce0b2c9e3@www.novabbs.org>
 by: Retro Guy - Thu, 8 Feb 2024 20:04 UTC

Retro Guy wrote:

> SugarBug wrote:

>> On 2/7/24 10:38, Retro Guy wrote:
>>> SugarBug wrote:

<snip>

>> Certbot, acme, and letsencrypt do not appear to generate certificates in
>> the PEM format usable by rslight. Also, openssl x509 -out does not
>> convert any of them to a proper RSA certificate recognized by rslight.
>> What are you using for generating the letsencrypt versions that work?

> The certs are generated in rslight-lib.php, and called from cron.php as:
> $pemfile = $ssldir . '/server.pem';
> create_node_ssl_cert($pemfile);

> This requires a file to be created in <config_dir> temporarily by the web user. I suspect this may be an issue and we should change that.

> Try manually creating the file:
> <config_dir>/ssl.reload

> as a test. (Delete it when you're done). This file would automatically be created in rslight-lib.php, but maybe that's not working. It tells rslight to re-create the ssl cert in <spooldir>/ssl

I've moved this file to <spooldir> instead of <config_dir> in the latest commit.

--
Retro Guy
