Hi All,

I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it does't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

I receive the same error on my Linux Mystic BBS. **** I am going to follow this thread.

I ended up using fTelnet embedded on mine. https://embed-v2.ftelnet.ca/

-StingRay

A-Net Online BBS

a-net-online.lol
mystic.a-net-online.lol
https://a-net-online.lol
http://mystic.a-net-online.lol
--- SBBSecho 3.14-Win32
* Origin: A-NET ONLINE - a-net-online.lol (21:3/189)

On 10/17/24 4:13 PM, tassiebob wrote:

The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it does't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

It won't help much but I host fTelnet under Win32 and it's using a PFX
file from Lets Encrypt just fine. Didn't do anything special, and it
renews when necessary using WACS.

Here is the block of code throwing your error. Prob gonna look like crap through the wrapping.

https://github.com/rickparrish/fTelnetProxy/blob/master/fTelnetProxy/fTelnetProxy.cs
---
if (!string.IsNullOrWhiteSpace(Config.Default.CertificateFilename) && File.Exists(Config.Default.CertificateFilename)) {
try {
if (OSUtils.IsUnix)
{
Environment.SetEnvironmentVariable("MONO_TLS_PROVIDER", "btls");
}

// Try loading the certificate to ensure there are no problems
var testCert = Config.Default.Certificate;
} catch (Exception ex) {
// Loading cert failed, so wipe the filename to ensure we don't try
loading it again later
RMLog.Exception(ex, "--Error loading cert file"); Config.Default.CertificateFilename = null;
}
}
---

PFX File Info
---
certutil -dump bbs.archaicbinary.net.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 04b699dad2b616dfe9fa661b7c..........
Issuer: CN=R11, O=Let's Encrypt, C=US
NotBefore: 9/29/2024 8:39 AM
NotAfter: 12/28/2024 8:39 AM
Subject: CN=bbs.archaicbinary.net
Non-root Certificate
Cert Hash(sha1): c795908dd39c45a2392f71135d150a..........
---

On 17 Oct 2024, tassiebob said the following...

Hi All,

I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've
been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it does't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The
client host can reach the proxy on the WSS port (confirmed with telnet).

Has anyone else out there made this work, using a LetsEncrypt
certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

Yep. This is the command I use in a bash script to get Websockify and Let's Encrypt working:

https://pastebin.com/7e2A3EDL

It's not the most secure way to do it, since it echoes the system password, but I'm literally the only person with access to that part of the server, so I don't usually care. Whatever works. =)

--- Mystic BBS v1.12 A49 2024/05/12 (Linux/64)
* Origin: throwbackbbs.com -\- meriden, ct -\- (21:1/114)

Hi All,

I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it does't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

I use websockify; could never get the ftenetproxy app to work. You can
install it with pip (it requires python) 'pip install websockify', then I
use the command (this will turn it into mutiple lines, it's just one line):

websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

You can add an --ssl-only to it to only allow secure connections. The first
ip is the ip address and port number of the socket, the second is the ip address and port number of the bbs' telnet address. Use local IPs so that
the secure connection isn't leaked.

--
Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


*** THE READER V4.50 [freeware]
---
* Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)

Hi All,

I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it does't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64) * Origin: TassieBob
BBS, Hobart, Tasmania (21:3/169)

websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

Again, point ftelnet to the hostname and socket port number, and don't supply proxy information.

--
Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


*** THE READER V4.50 [freeware]
---
* Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)

I receive the same error on my Linux Mystic BBS. **** I am going to
follow this thread.

I ended up using fTelnet embedded on mine. https://embed-v2.ftelnet.ca/

I have a self-hosted client install - it's just the proxy I can't get working. Well, it works, but with the client on an https page, it wants to use wss: to talk to the proxy, which needs the certificates setup.

As per my previous post - my self-hosted client works fine with a public proxy, which I expect has appropriately setup certificates :-)

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

It won't help much but I host fTelnet under Win32 and it's using a PFX file from Lets Encrypt just fine. Didn't do anything special, and it renews when necessary using WACS.

I already have LE managing a cert for the hostname in question (the web client is hosted there) - I suspect the issue is working out how to convert it from PEM to PFX format such that fTelnetProxy is happy to use it. Once I work that out I can automate it...

I was typing this reply using fTelnet and a public proxy, but is seems a routing issue developed between my host and the proxy (can no longer reach it on 80/443) so the session died :-(

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

Yep. This is the command I use in a bash script to get Websockify and Let's Encrypt working:

https://pastebin.com/7e2A3EDL

Hmmm, so you're using Websockify instead of the fTelnetProxy? I will try this - thanks for the suggestion!

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

Again, point ftelnet to the hostname and socket port number, and don't supply proxy information.

Thanks for the pointer - I have this working, but still have a couple of things to try and solve...

* websockify needs to access the private key for the certificate, but that by default requires root to access the file. Obviously I don't want to run websockify as root :-) I suspect I'll have to drop in a hook in certbot to either copy it somewhere websockify can access, or set the permissions so a group websockify is in has read access. The former is probably safer, in case something else checks the file mode and bails if it's too open.

* If I read the documentation correctly, websockify won't notice when the certificate is updated, so the certbot hook will probably have to restart wensockify as well, which will break existing sessions. Probably not too much of an issue - not like we're being buried with BBS users these days :-(

Thanks again for the pointer!

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

On 18 Oct 24 20:00:46, Tassiebob said the following to Zharvek:

I already have LE managing a cert for the hostname in question (the web clie is hosted there) - I suspect the issue is working out how to convert it from PEM to PFX format such that fTelnetProxy is happy to use it. Once I work th out I can automate it...

Have you tried OpenSSL to do the conversion?

Not really a Linux guy but have LE running here on Windows with Powershell for a few domains, works good. My SMTP server requires the cert converted.

Atreyu

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (21:1/176)

On 18 Oct 2024, tassiebob said the following...

Yep. This is the command I use in a bash script to get Websockify and Let's Encrypt working:

https://pastebin.com/7e2A3EDL

Hmmm, so you're using Websockify instead of the fTelnetProxy? I will
try this - thanks for the suggestion!

Yep, 100% self hosted that way. If there's an issue with connection I know it's all on me and know where to look to address it. A little harder to set up and maintain, but ultimately easier in terms of troubleshooting.

--- Mystic BBS v1.12 A49 2024/05/12 (Linux/64)
* Origin: throwbackbbs.com -\- meriden, ct -\- (21:1/114)

websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

Again, point ftelnet to the hostname and socket port number, and

don't

supply proxy information.

Thanks for the pointer - I have this working, but still have a couple of things to try and solve...

* websockify needs to access the private key for the certificate, but that by default requires root to access the file. Obviously I don't want to run websockify as root :-) I suspect I'll have to drop in a hook in certbot to either copy it somewhere websockify can access, or set the permissions so a group websockify is in has read access. The former is probably safer, in case something else checks the file mode and bails if it's too open.

My bundle.pem file includes all certificates and the private key... You can use a --key=<pathtoprivatekeyfile> as well. You can put it somewhere you
have access to (I'm in Windows so I don't have file permission issues, plus
my solution is easy and doesn't seem to have any downfalls).

* If I read the documentation correctly, websockify won't notice when the certificate is updated, so the certbot hook will probably have to restart wensockify as well, which will break existing sessions. Probably not too much of an issue - not like we're being buried with BBS users these days :-(

I think that's correct. I use a yearly renewing cert, so again I don't have that problem.

Thanks again for the pointer!

No problem!

--
Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


*** THE READER V4.50 [freeware]
---
* Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)

Have you tried OpenSSL to do the conversion?

I did, but fTelnetProxy didn't like the result so I was obviously not doing it the way it wanted (and that was part of the problem - I didn't know precisely what it wanted).

I got there with Websockify though - using fTelnet via that to type this message :-)

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

Have you tried OpenSSL to do the conversion?

I did, but fTelnetProxy didn't like the result so I was obviously not doing it the way it wanted (and that was part of the problem - I didn't know precisely what it wanted).

I got there with Websockify though - using fTelnet via that to type this message :-)

Yay! I'm glad that was able to work for you!

--
Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


*** THE READER V4.50 [freeware]
---
* Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)

When you figure this out please do share! ^^

websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem
--ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

This is basically what I'm using thanks to a previous poster.

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)

When you figure this out please do share! ^^

websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem
--ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

This is basically what I'm using thanks to a previous poster.

Awesome, thanks! Was looking forward getting rid of the fTelnet proxy.

oP!

... Documentation: The worst part of programming.

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
* Origin: TheForze - bbs.theforze.eu:23 (21:3/126)

This is basically what I'm using thanks to a previous poster.

Awesome, I run a websockify docker now, which also doubles as the webserver for the fTelnet script. So basically everything runs in one docker now.

Thanks!

For anybody interested, this is the docker command I used:

docker run -it -p 2443:443 -v /volume1/docker/websockify:/data jwnmulder/websockify :443 bbs.theforze.eu:23 --log-file=/data/data/logfile.log --web /data/web
--cert /data/data/xxx.cer --key=/data/data/xxx.key --ssl-only --ssl-version tlsv1_2

oP!

... A book misplaced is a book lost

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
* Origin: TheForze - bbs.theforze.eu:23 (21:3/126)

When you figure this out please do share! ^^

websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem --ssl-only --log-file=/var/log/websockify/websockify.log --daemon
192.46.220.211:2443 bbs.tassiebob.com:2323

This is basically what I'm using thanks to a previous poster.

I would suggest that your target ip is internal to avoid leaking the
security.

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64) * Origin: TassieBob
BBS, Hobart, Tasmania (21:3/169)

--
Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


*** THE READER V4.50 [freeware]
---
* Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)

websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem --ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

This is basically what I'm using thanks to a previous poster.

I would suggest that your target ip is internal to avoid leaking the security.

I'm not sure I see the point?

The 192.46.220.211:2443 can be found in the web page that fTelnet is embedded in, and I believe needs to be a public IP so that the fTelnet client running in someone's browser can connect to it.

The bbs.tassiebob.com:2323 is just the regular host:port of the BBS that anyone would use if they used a native terminal.

In my case I can't use private addressing anyway as the BBS and the websockify proxy are on separate machines, on separate networks, in separate physical locations.

--- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
* Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)