• Import of external Letsencrypt Certificates from NPM+ as pkcs12 contai

    From Stephan Gebbers@1:103/705 to GitLab issue in main/sbbs on Sat Apr 4 14:51:21 2026
    open https://gitlab.synchro.net/main/sbbs/-/issues/1111

    Hi,

    I want to use certtool.js to import an external Let's Encrypt certificate for funtopia.synchro.net into SynchronetBBS.

    The Let's Encrypt certificate is created by Nginx Proxy Manager Plus.

    To create a pkcs12 container that can be used with certtool.js I use openssl, but certtool.js only responds with Error -22 whenever I try to import the resulting p12 file.

    Something with the certificate seems different or incompatible with cryptlib, because tests with self-generated certificates of all kinds showed that imports with certtool.js do work in general.

    Here is the script that I use to import, or try to import, the certificate.

    Best Regards,

    Stephan

    ```
    #!/bin/bash

    # Define paths
    SBBS_CTRL="/sbbs/ctrl"
    SBBS_EXEC="/sbbs/exec"
    CERT_DIR="/mnt/shared-certs"
    P12_FILE="/tmp/ssl.p12"
    MAIN_INI="$SBBS_CTRL/main.ini"

    # 1. Automatically extract the password from main.ini
    # We look for "Password=" in the [Global] section or at the beginning
    #SYSPASS=$(grep -i "^Password=" "$MAIN_INI" | cut -d'=' -f2 | tr -d '\r\n')
    SYSPASS="XXXXXXXXXX"

    if [ -z "$SYSPASS" ]; then
        echo "FEHLER: Konnte System-Passwort nicht in $MAIN_INI finden!"
        exit 1
    fi

    process_certs() {
        echo "Zertifikats-Update gestartet: $(date)"

        # 2. Create the PKCS12 file
        # We use the legacy flags because Synchronet's cryptlib often has
        # problems with the modern OpenSSL 3.x default encryption.
        openssl pkcs12 \
            -export -out "$P12_FILE" \
            -inkey "$CERT_DIR/privkey.pem" \
            -in "$CERT_DIR/cert.pem" \
            -certfile "$CERT_DIR/chain.pem" \
            -passout pass:"$SYSPASS" \
            -name "ssl_cert" \
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
            -nomaciter -noiter

        if [ $? -eq 0 ]; then
            echo "PKCS12 erfolgreich erstellt."

            # 3. Import via certtool.js
            # Change into the exec directory so that jsexec finds all dependencies
            cd "$SBBS_EXEC" || return 1
            ./jsexec certtool.js --import-pkcs12 "$P12_FILE"

            echo "Import-Vorgang abgeschlossen."

            # 4. Cleanup (optional: delete the p12 after the import for more security)
            rm "$P12_FILE"
        else
            echo "FEHLER: OpenSSL Konvertierung fehlgeschlagen!"
        fi
    }

    # Initial run at startup
    process_certs

    # Watch the shared mount
    echo "Überwachung von $CERT_DIR gestartet..."
    inotifywait -m -e close_write,moved_to "$CERT_DIR" | while read -r path action file; do
        if [[ "$file" == "privkey.pem" || "$file" == "fullchain.pem" ]]; then
            # Short pause in case both files arrive at the same time
            sleep 2
            process_certs
        fi
    done
    ```
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
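
Added example, not part of the original post and not Synchronet code: one way to sanity-check the container before running certtool.js, by building it with the same PBE flags as the script above, confirming that the private key inside matches the leaf certificate, and listing the algorithms recorded in the file. The function names, the `P12_PASS` variable and the self-signed sample certificate are constructed for illustration, the chain file is left out of the sample, and the password is passed through the environment instead of `pass:` on the command line.

```bash
#!/bin/bash
# Added example, not from the issue thread. Function names, P12_PASS and the
# self-signed sample certificate are constructed for illustration.

# Constructed sample input: throwaway self-signed RSA key and certificate.
make_sample() {  # make_sample DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bbs.example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Build the container with the PBE flags used by the script in the issue.
# The password comes from $P12_PASS so it never shows up in the process list.
build_p12() {  # build_p12 KEY CERT OUT
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
        -passout env:P12_PASS -name "ssl_cert" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -nomaciter -noiter
}

# Public key algorithm of a PEM certificate, e.g. rsaEncryption or id-ecPublicKey.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

# MAC and PBE algorithms (with iteration counts) as recorded in the container.
p12_algorithms() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -info -noout 2>&1 |
        grep -E 'MAC:|Encrypted data|Keybag'
}

# True only if the container opens with $P12_PASS and the private key inside
# matches the public key of the given certificate.
p12_key_matches_cert() {  # p12_key_matches_cert P12 CERT
    pub_from_p12=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || true
    pub_from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || true
    [ -n "$pub_from_p12" ] && [ "$pub_from_p12" = "$pub_from_cert" ]
}

check_demo() {
    demo_dir=$(mktemp -d) || return 1
    P12_PASS="constructed-password"; export P12_PASS
    make_sample "$demo_dir" &&
        build_p12 "$demo_dir/privkey.pem" "$demo_dir/cert.pem" "$demo_dir/ssl.p12" &&
        p12_key_matches_cert "$demo_dir/ssl.p12" "$demo_dir/cert.pem" &&
        cert_key_algorithm "$demo_dir/cert.pem" && p12_algorithms "$demo_dir/ssl.p12"
    demo_rc=$?; rm -rf "$demo_dir"; return $demo_rc
}
check_demo
```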
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Sat Apr 11 21:21:58 2026
    https://gitlab.synchro.net/main/sbbs/-/issues/1111#note_8789

    Ok, I just tried this with some Let's Encrypt certs I have laying around and it works. Hit me up on IRC and we'll figure out how to get me a copy of your certs for testing.
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Sun Apr 12 00:13:51 2026
    https://gitlab.synchro.net/main/sbbs/-/issues/1111#note_8792

    Also, the full error message is always useful. I assume it's "Error -22 calling cryptGetPrivateKey()"
  • From Stephan Gebbers@1:103/705 to GitLab note in main/sbbs on Sun Apr 12 00:49:35 2026
    https://gitlab.synchro.net/main/sbbs/-/issues/1111#note_8793

    I have shared the needed files in a DM (Dropbox link) on Synchronet IRC.

    By default NPM+ does create short-lived Let's Encrypt certificates.