• letsyncrypt issue

    From Dumas Walker@VERT/CAPCITY2 to All on Thu Feb 12 09:01:49 2026
    This week, I have started having certificate issues. letsyncrypt is enabled, running, and I have not touched the configs for it.

    Firefox users are getting a security warning which, on further inspection, is complaining about a self signed cert. Here is what appears on the BBS side during such a connection:

    2/12 08:46:38 web 0062 TLS WARNING 'Received TLS alert message: Bad certificate' (-26) popping data

    Chrome also throws a security warning. Locally:

    2/12 08:48:49 web 0057 TLS WARNING 'Received TLS alert message: Certificate unknown' (-26) setting session active

    Running the event, or running letsyncrypt from cli, don't offer any clues of a potential issue:

    2/12 08:50:02 evnt BBS Events Semaphore signaled for Timed Event: SYNCRYPT
    2/12 08:50:02 evnt SYNCRYPT Running native timed event: ?letsyncrypt.js
    2/12 08:50:02 evnt SYNCRYPT Timed event: '?letsyncrypt.js' returned 0

    Running from cli produces no clues:

    $ ./jsexec letsyncrypt.js

    JSexec v3.21a-Linux master/123f2d28a - Execute Synchronet JavaScript Module Compiled Jul 12 2025 20:59 with GCC 12.2.0

    Loading configuration files from /home/bbs/ctrl
    JavaScript-C 1.8.5 2011-03-31
    JavaScript: Creating runtime: 8388608 bytes

    Reading script from /home/bbs/repo/exec/letsyncrypt.js
    /home/bbs/repo/exec/letsyncrypt.js compiled in 0.00 seconds
    /home/bbs/repo/exec/letsyncrypt.js executed in 0.06 seconds

    JavaScript: Destroying context
    JavaScript: Destroying runtime

    The contents of my ini file:

    ; $Id: letsyncrypt.ini,v 1.1 2019/07/24 22:32:54 rswindell Exp $
    ; For use with exec/letsyncrypt.js
    ; See http://wiki.synchro.net/module:letsyncrypt for details

    Host = acme-v02.api.letsencrypt.org
    Directory = /directory
    TOSAgreed = true
    GroupReadableKeyFile = false

    [Domains]
    capitolcityonline.net = /sbbs/webv4/root
    capcity2.synchro.net = /sbbs/webv4/root
    classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net

    [key_id]
    acme-v02.api.letsencrypt.org=https://acme-v02.api.letsencrypt.org/acme/acct/108002992

    [State]
    DomainHash= (redacted)
    Host=acme-v02.api.letsencrypt.org

    Is anyone else having issues?

    $$
    ---
    ■ Synchronet ■ CAPCITY2 * Capitol City Online
  • From Digital Man@VERT to Dumas Walker on Thu Feb 12 14:11:33 2026
    Re: letsyncrypt issue
    By: Dumas Walker to All on Thu Feb 12 2026 09:01 am

    This week, I have started having certificate issues. letsyncrypt is enabled, running, and I have not touched the configs for it.

    Firefox users are getting a security warning which, on further inspection, is complaining about a self signed cert. Here is what appears on the BBS side during such a connection:

    2/12 08:46:38 web 0062 TLS WARNING 'Received TLS alert message: Bad certificate' (-26) popping data

    Chrome also throws a security warning. Locally:

    2/12 08:48:49 web 0057 TLS WARNING 'Received TLS alert message: Certificate unknown' (-26) setting session active

    Running the event, or running letsyncrypt from cli, don't offer any clues of a potential issue:

    2/12 08:50:02 evnt BBS Events Semaphore signaled for Timed Event: SYNCRYPT
    2/12 08:50:02 evnt SYNCRYPT Running native timed event: ?letsyncrypt.js
    2/12 08:50:02 evnt SYNCRYPT Timed event: '?letsyncrypt.js' returned 0

    Running from cli produces no clues:

    $ ./jsexec letsyncrypt.js

    letsyncrypt.js supports command-line options too: https://wiki.synchro.net/module:letsyncrypt

    The contents of my ini file:

    ; $Id: letsyncrypt.ini,v 1.1 2019/07/24 22:32:54 rswindell Exp $
    ; For use with exec/letsyncrypt.js
    ; See http://wiki.synchro.net/module:letsyncrypt for details

    Host = acme-v02.api.letsencrypt.org
    Directory = /directory
    TOSAgreed = true
    GroupReadableKeyFile = false

    [Domains]
    capitolcityonline.net = /sbbs/webv4/root
    capcity2.synchro.net = /sbbs/webv4/root
    classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net

    [key_id]
    acme-v02.api.letsencrypt.org=https://acme-v02.api.letsencrypt.org/acme/acct/108002992

    [State]
    DomainHash= (redacted)
    Host=acme-v02.api.letsencrypt.org

    Is anyone else having issues?

    I'm not having issues. When I check your domain with this tool: https://www.ssllabs.com/ssltest/analyze.html?d=capitolcityonline.net
    it reports that you have a Certificate name mismatch, clicking ignore/continue it then reports that it's self-signed.

    If I try https://www.ssllabs.com/ssltest/analyze.html?d=capcity2.synchro.net it also reports a self-signed cert. So it definitely seems like the certificate being sent out doesn't match your letsyncrypt.cfg.

    One thing you can do is disable self-signed cert generation by setting SCFG->System->Security->Create Self-signed Certificate to "No".
    --
    digital man (rob)

    Synchronet "Real Fact" #130:
    Synchronet v3.20b was released on January 3, 2025 (3 years after v3.19b)
    Norco, CA WX: 65.7°F, 49.0% humidity, 6 mph WNW wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Dumas Walker@VERT/CAPTEST to DIGITAL MAN on Fri Feb 13 09:14:47 2026
    I'm not having issues. When I check your domain with this tool: https://www.ssllabs.com/ssltest/analyze.html?d=capitolcityonline.net
    it reports that you have a Certificate name mismatch, clicking ignore/continue
    it then reports that it's self-signed.

    If I try https://www.ssllabs.com/ssltest/analyze.html?d=capcity2.synchro.net it
    also reports a self-signed cert. So it definitely seems like the certificate being sent out doesn't match your letsyncrypt.cfg.

    Based on my config (requoted below), do you see anything that would cause a name mismatch or a cert that doesn't match my config?

    One thing you can do is disable self-signed cert generation by setting SCFG->System->Security->Create Self-signed Certificate to "No".

    OK I have changed that and will see what happens.

    Config file contents:

    Host = acme-v02.api.letsencrypt.org
    Directory = /directory
    TOSAgreed = true
    GroupReadableKeyFile = false

    [Domains]
    capitolcityonline.net = /sbbs/webv4/root
    capcity2.synchro.net = /sbbs/webv4/root
    classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net

    [key_id]
    acme-v02.api.letsencrypt.org=https://acme-v02.api.letsencrypt.org/acme/acct/108002992

    [State]
    DomainHash= (redacted)
    Host=acme-v02.api.letsencrypt.org


    * SLMR 2.1a * OS/2 VirusScan - "Windows found: Remove it? [Y/y]"
    ---
    ■ Synchronet ■ moe's tavern * 1-5028758938 * moetiki.ddns.net:27
  • From Dumas Walker@VERT/CAPCITY2 to Digital Man on Fri Feb 13 12:17:55 2026
    Update... trying some of the command lines do return errors:

    $ ./jsexec letsyncrypt.js --revoke

    JSexec v3.21a-Linux master/123f2d28a - Execute Synchronet JavaScript Module Compiled Jul 12 2025 20:59 with GCC 12.2.0

    Loading configuration files from /home/bbs/ctrl
    JavaScript-C 1.8.5 2011-03-31
    JavaScript: Creating runtime: 8388608 bytes

    Reading script from /home/bbs/repo/exec/letsyncrypt.js
    /home/bbs/repo/exec/letsyncrypt.js compiled in 0.00 seconds
    !JavaScript /home/bbs/exec/load/acmev2.js line 360: Error: revokeCert did not return 200
    /home/bbs/repo/exec/letsyncrypt.js executed in 1.67 seconds
    !Module (letsyncrypt.js) set exit_code: 1

    JavaScript: Destroying context
    JavaScript: Destroying runtime

    Returning error code: 1

    $ ./jsexec letsyncrypt.js --force

    JSexec v3.21a-Linux master/123f2d28a - Execute Synchronet JavaScript Module Compiled Jul 12 2025 20:59 with GCC 12.2.0

    Loading configuration files from /home/bbs/ctrl
    JavaScript-C 1.8.5 2011-03-31
    JavaScript: Creating runtime: 8388608 bytes

    Reading script from /home/bbs/repo/exec/letsyncrypt.js
    /home/bbs/repo/exec/letsyncrypt.js compiled in 0.00 seconds
    !JavaScript : uncaught exception: Authorization failed... https://acme-v02.api.letsencrypt.org/acme/authz/108002992/658142411146
    /home/bbs/repo/exec/letsyncrypt.js executed in 3.76 seconds
    !Module (letsyncrypt.js) set exit_code: 1

    JavaScript: Destroying context
    JavaScript: Destroying runtime

    Returning error code: 1

    $ ./jsexec letsyncrypt.js --new-key

    JSexec v3.21a-Linux master/123f2d28a - Execute Synchronet JavaScript Module Compiled Jul 12 2025 20:59 with GCC 12.2.0

    Loading configuration files from /home/bbs/ctrl
    JavaScript-C 1.8.5 2011-03-31
    JavaScript: Creating runtime: 8388608 bytes

    Reading script from /home/bbs/repo/exec/letsyncrypt.js
    /home/bbs/repo/exec/letsyncrypt.js compiled in 0.00 seconds
    !JavaScript /home/bbs/exec/load/acmev2.js line 307: Error: keyChange did not return 200
    /home/bbs/repo/exec/letsyncrypt.js executed in 1.50 seconds
    !Module (letsyncrypt.js) set exit_code: 1

    JavaScript: Destroying context
    JavaScript: Destroying runtime

    Returning error code: 1

    Config:


    ; $Id: letsyncrypt.ini,v 1.1 2019/07/24 22:32:54 rswindell Exp $
    ; For use with exec/letsyncrypt.js
    ; See http://wiki.synchro.net/module:letsyncrypt for details

    Host = acme-v02.api.letsencrypt.org
    Directory = /directory
    TOSAgreed = true
    GroupReadableKeyFile = false

    [Domains]
    capitolcityonline.net = /sbbs/webv4/root
    capcity2.synchro.net = /sbbs/webv4/root
    classic.capitolcityonline.net = /sbbs/webv4/root/classic.capitolcityonline.net

    [key_id]
    acme-v02.api.letsencrypt.org=https://acme-v02.api.letsencrypt.org/acme/acct/108002992

    [State]
    DomainHash= (redacted)
    Host=acme-v02.api.letsencrypt.org


    $$
    ---
    ■ Synchronet ■ CAPCITY2 * Capitol City Online
  • From Digital Man@VERT to Dumas Walker on Fri Feb 13 14:40:43 2026
    Re: letsyncrypt issue
    By: Dumas Walker to DIGITAL MAN on Fri Feb 13 2026 09:14 am

    I'm not having issues. When I check your domain with this tool: https://www.ssllabs.com/ssltest/analyze.html?d=capitolcityonline.net
    it reports that you have a Certificate name mismatch, clicking ignore/continue
    it then reports that it's self-signed.

    If I try https://www.ssllabs.com/ssltest/analyze.html?d=capcity2.synchro.net it
    also reports a self-signed cert. So it definitely seems like the certificate being sent out doesn't match your letsyncrypt.cfg.

    Based on my config (requoted below), do you see anything that would cause a name mismatch or a cert that doesn't match my config?

    No, but I'd rerun letsyncrypt.js with some of the command-line options I pointed out (using jsexec) and see what it says.
    --
    digital man (rob)

    Synchronet "Real Fact" #97:
    Synchronet v3.13a was released in September of 2005 (9 months after v3.12a)
    Norco, CA WX: 67.3°F, 52.0% humidity, 13 mph WNW wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Dumas Walker on Fri Feb 13 14:48:35 2026
    Re: Re: letsyncrypt issue
    By: Dumas Walker to Digital Man on Fri Feb 13 2026 12:17 pm

    Update... trying some of the command lines do return errors:

    $ ./jsexec letsyncrypt.js --revoke

    !JavaScript /home/bbs/exec/load/acmev2.js line 360: Error: revokeCert did not return 200

    What about the other commands, do they return errors? Any change to your certificate?

    Deuce is the author of letsyncrypt and you can find him #synchronet at irc.synchro.net.
    --
    digital man (rob)

    This Is Spinal Tap quote #27:
    As long as there's, y'know, sex and drugs, I can do without the rock and roll.
    Norco, CA WX: 67.3°F, 52.0% humidity, 13 mph WNW wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Dumas Walker@VERT/CAPCITY2 to DIGITAL MAN on Sat Feb 14 09:28:34 2026
    Update... trying some of the command lines do return errors:

    $ ./jsexec letsyncrypt.js --revoke

    !JavaScript /home/bbs/exec/load/acmev2.js line 360: Error: revokeCert did not return 200

    What about the other commands, do they return errors? Any change to your certificate?

    Those are the only commands. Yes, they all return errors.

    Deuce is the author of letsyncrypt and you can find him #synchronet at irc.synchro.net.

    Do you remember when you ranted about facebook? File this under the same
    BS. If it was my project and a contributor decided they didn't want to
    bother following along in the BBS support echo... you know, for a BBS
    software project... they'd be off the project.

    I wouldn't really care but thanks to the damn web browser writers, having a website where the cert is screwed pretty much makes it unusable. You can't turn the 443 port off because then most browsers, instead of defaulting back to http on port 80, tell the user the site doesn't exist.

    And, of course, the irc is broken, too:

    Looking up irc.synchro.net
    * Connecting to irc.synchro.net (192.138.210.158:6697)
    * * Subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
    * * Issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
    * * Subject: /C=US/O=Let's Encrypt/CN=R12
    * * Issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
    * * Subject: /CN=endofthelinebbs.com
    * * Issuer: /C=US/O=Let's Encrypt/CN=R12
    * * Certification info:
    * Subject:
    * CN=endofthelinebbs.com
    * Issuer:
    * C=US
    * O=Let's Encrypt
    * CN=R12
    * Public key algorithm: rsaEncryption (2048 bits)
    * Sign algorithm sha256WithRSAEncryption
    * Valid since Jan 1 05:17:01 2026 GM to Apr 1 05:17:00 2026 GM
    * * Cipher info:
    * Version: TLSv1.2, cipher ECDHE-RSA-AES128-SHA256 (128 bits)
    * Connection failed (* Verify E: Failed to validate hostname? (-1))


    * SLMR 2.1a * "La Quinta." Spanish for "Next to Denny's."
    ---
    ■ Synchronet ■ CAPCITY2 * Capitol City Online
  • From MRO@VERT/BBSESINF to Dumas Walker on Sat Feb 14 10:56:17 2026
    Re: Re: letsyncrypt issue
    By: Dumas Walker to DIGITAL MAN on Sat Feb 14 2026 09:28 am

    Deuce is the author of letsyncrypt and you can find him #synchronet
    at irc.synchro.net.

    Do you remember when you ranted about facebook? File this under
    the same BS. If it was my project and a contributor decided they
    didn't want to bother following along in the BBS support echo...
    you know, for a BBS software project... they'd be off the project.


    I agree, irc is a stupid support channel for a serious issue. not everyone
    is connected to it and the outcome of the fix isn't being preserved like
    it would be in a msg net. you could try emailing him but i don't think he does that either.

    have you changed anything lately? was it working before?
    I set it up with datastream and it was pretty painless.

    I'm not running multiple sub domains on datastream, though.

    I would suggest ripping out everything you did and redoing it. just to make sure you didn't forget something. I also see you don't have sysopemail in .ini
    file. maybe it's optional, maybe it needs it. try putting it in.

    Try just doing it with one domain and see if it works. maybe you found a bug, maybe you missed something.


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From fusion@VERT/CFBBS to Dumas Walker on Sat Feb 14 15:48:00 2026
    On 14 Feb 2026, Dumas Walker said the following...

    And, of course, the irc is broken, too:

    Looking up irc.synchro.net
    ^^^^^^^^^^^^^^^
    * * Subject: /CN=endofthelinebbs.com
    ^^^^^^^^^^^^^^^^^^^
    this will never work because the hosts don't match

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
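
The two findings in this thread (SSL Labs reporting a self-signed certificate with a name mismatch, and the IRC client rejecting a certificate issued to a different host) can be reproduced with a short Node.js check. This is an added example, not part of any post and not Synchronet or letsyncrypt code; `classify`, `probe` and the sample objects are hypothetical names, and the self-signed sample is constructed.

```javascript
// Added example, not Synchronet or letsyncrypt code. Names are hypothetical.
const tls = require('tls');

// Flatten a distinguished-name object ({ C, O, CN }) for comparison.
function dn(name) {
  return Object.keys(name || {}).sort().map((k) => `${k}=${name[k]}`).join('/');
}

// Classify a certificate shaped like tls.TLSSocket#getPeerCertificate() output.
// `now` is injectable so the validity check is reproducible.
function classify(hostname, cert, now = Date.now()) {
  if (!cert || !cert.subject) return ['no-certificate'];
  const findings = [];
  // Subject equal to issuer: self-issued, which is how a server's fallback
  // self-signed certificate appears to a client.
  if (dn(cert.subject) === dn(cert.issuer)) findings.push('self-signed');
  // Node's own hostname rule: SAN DNS names first, CN only if there are none.
  if (tls.checkServerIdentity(hostname, cert)) findings.push('name-mismatch');
  if (now < Date.parse(cert.valid_from) || now > Date.parse(cert.valid_to)) {
    findings.push('outside-validity');
  }
  return findings.length ? findings : ['ok'];
}

// Live check: fetch whatever the server presents for this SNI name, even if it
// would not validate, and classify it. Not called by the offline demo below.
function probe(hostname, port = 443) {
  return new Promise((resolve, reject) => {
    const sock = tls.connect(
      { host: hostname, port, servername: hostname, rejectUnauthorized: false },
      () => {
        const findings = classify(hostname, sock.getPeerCertificate());
        resolve({ hostname, findings, verifyError: sock.authorizationError || null });
        sock.end();
      });
    sock.setTimeout(10000, () => sock.destroy(new Error('timeout')));
    sock.on('error', reject);
  });
}

// Constructed samples. IRC_LEAF copies the leaf fields from the chain dump in
// the thread (no SAN is shown there, so the check falls back to CN);
// SELF_SIGNED is invented to resemble a server-generated fallback certificate.
const IRC_LEAF = {
  subject: { CN: 'endofthelinebbs.com' },
  issuer: { C: 'US', O: "Let's Encrypt", CN: 'R12' },
  valid_from: 'Jan 1 05:17:01 2026 GMT', valid_to: 'Apr 1 05:17:00 2026 GMT',
};
const SELF_SIGNED = {
  subject: { CN: 'bbs.example.invalid' }, issuer: { CN: 'bbs.example.invalid' },
  valid_from: 'Jan 1 00:00:00 2026 GMT', valid_to: 'Jan 1 00:00:00 2027 GMT',
};
const DEMO_NOW = Date.UTC(2026, 1, 14); // 14 Feb 2026, the date of the post

console.log(classify('irc.synchro.net', IRC_LEAF, DEMO_NOW));
console.log(classify('endofthelinebbs.com', IRC_LEAF, DEMO_NOW));
console.log(classify('capitolcityonline.net', SELF_SIGNED, DEMO_NOW));
```

For a multi-domain setup, call `probe()` once per name listed under `[Domains]`, since a server can present a different certificate for each SNI name.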
  • From Digital Man@VERT to Dumas Walker on Sat Feb 14 14:33:46 2026
    Re: Re: letsyncrypt issue
    By: Dumas Walker to DIGITAL MAN on Sat Feb 14 2026 09:28 am

    And, of course, the irc is broken, too:

    Looking up irc.synchro.net
    * Connecting to irc.synchro.net (192.138.210.158:6697)

    irc.synchro.net doesn't support TLS (port 6697) because it's a revolving hostname: use regular non-encrypted IRC on port 6667 or connect to a direct server hostname like cvs.synchro.net instead.
    --
    digital man (rob)

    Steven Wright quote #22:
    What happens if you get scared half to death twice?
    Norco, CA WX: 67.1°F, 56.0% humidity, 2 mph W wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Dumas Walker on Sat Feb 14 14:46:07 2026
    Re: Re: letsyncrypt issue
    By: Digital Man to Dumas Walker on Sat Feb 14 2026 02:33 pm

    Re: Re: letsyncrypt issue
    By: Dumas Walker to DIGITAL MAN on Sat Feb 14 2026 09:28 am

    And, of course, the irc is broken, too:

    Looking up irc.synchro.net
    * Connecting to irc.synchro.net (192.138.210.158:6697)

    irc.synchro.net doesn't support TLS (port 6697) because it's a revolving hostname: use regular non-encrypted IRC on port 6667 or connect to a direct server hostname like cvs.synchro.net instead.

    You should also have this option on your Chat menu, which works, by default:
    R Internet Relay Chat (IRC)
    --
    digital man (rob)

    Steven Wright quote #35:
    If your car could travel at the speed of light, would your headlights work
    Norco, CA WX: 67.1°F, 56.0% humidity, 2 mph W wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From MRO@VERT/BBSESINF to Dumas Walker on Sat Feb 14 16:47:12 2026
    Re: Re: letsyncrypt issue
    By: MRO to Dumas Walker on Sat Feb 14 2026 10:56 am

    Re: Re: letsyncrypt issue
    By: Dumas Walker to DIGITAL MAN on Sat Feb 14 2026 09:28 am

    Deuce is the author of letsyncrypt and you can find him #synchronet
    at irc.synchro.net.

    Do you remember when you ranted about facebook? File this under the
    same BS. If it was my project and a contributor decided they didn't
    want to bother following along in the BBS support echo... you know,
    for a BBS software project... they'd be off the project.


    I agree, irc is a stupid support channel for a serious issue. not
    everyone is connected to it and the outcome of the fix isn't being
    preserved like it would be in a msg net. you could try emailing
    him but i don't think he does that either.

    have you changed anything lately? was it working before? I set it up
    with datastream and it was pretty painless.

    I'm not running multiple sub domains on datastream, though.

    I would suggest ripping out everything you did and redoing it. just
    to make sure you didn't forget something. I also see you don't have sysopemail in .ini file. maybe it's optional, maybe it needs it. try
    putting it in.

    Try just doing it with one domain and see if it works. maybe you
    found a bug, maybe you missed something.


    another thing though is he's doing this for free and he isn't obligated.
    but it would be nice if he answered emails or wrote better docs :D

    did you CHANGE anything?


    -- "Before using Wildcat....This Company did not have a convenient
    way of looking after some of the richest clients in the world...Now
    we do!"


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::