• fTelnet

    From tassiebob@21:3/169 to All on Thursday, October 17, 2024 20:13:58
    Hi All,

    I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

    The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it doesn't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

    The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

    Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
  • From StingRay@21:3/189 to tassiebob on Thursday, October 17, 2024 10:01:36

    I receive the same error on my Linux Mystic BBS. **** I am going to follow this thread.

    I ended up using fTelnet embedded on mine. https://embed-v2.ftelnet.ca/

    -StingRay

    A-Net Online BBS

    a-net-online.lol
    mystic.a-net-online.lol
    https://a-net-online.lol
    http://mystic.a-net-online.lol
    --- SBBSecho 3.14-Win32
    * Origin: A-NET ONLINE - a-net-online.lol (21:3/189)
  • From zharvek@21:2/132 to All on Thursday, October 17, 2024 12:13:05
    On 10/17/24 4:13 PM, tassiebob wrote:
    The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it doesn't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.
    It won't help much but I host fTelnet under Win32 and it's using a PFX file from Lets Encrypt just fine. Didn't do anything special, and it renews when necessary using WACS.

    Here is the block of code throwing your error. Prob gonna look like crap through the wrapping.

    https://github.com/rickparrish/fTelnetProxy/blob/master/fTelnetProxy/fTelnetProxy.cs
    ---
    if (!string.IsNullOrWhiteSpace(Config.Default.CertificateFilename) && File.Exists(Config.Default.CertificateFilename)) {
        try {
            if (OSUtils.IsUnix)
            {
                Environment.SetEnvironmentVariable("MONO_TLS_PROVIDER", "btls");
            }

            // Try loading the certificate to ensure there are no problems
            var testCert = Config.Default.Certificate;
        } catch (Exception ex) {
            // Loading cert failed, so wipe the filename to ensure we don't try loading it again later
            RMLog.Exception(ex, "--Error loading cert file");
            Config.Default.CertificateFilename = null;
        }
    }
    ---

    PFX File Info
    ---
    certutil -dump bbs.archaicbinary.net.pfx

    ================ Certificate 0 ================
    ================ Begin Nesting Level 1 ================
    Element 0:
    Serial Number: 04b699dad2b616dfe9fa661b7c..........
    Issuer: CN=R11, O=Let's Encrypt, C=US
    NotBefore: 9/29/2024 8:39 AM
    NotAfter: 12/28/2024 8:39 AM
    Subject: CN=bbs.archaicbinary.net
    Non-root Certificate
    Cert Hash(sha1): c795908dd39c45a2392f71135d150a..........
    ---
  • From maskreet@21:1/114 to tassiebob on Thursday, October 17, 2024 14:57:41
    On 17 Oct 2024, tassiebob said the following...

    Hi All,

    I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

    The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it doesn't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

    The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

    Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

    Yep. This is the command I use in a bash script to get Websockify and Let's Encrypt working:

    https://pastebin.com/7e2A3EDL

    It's not the most secure way to do it, since it echoes the system password, but I'm literally the only person with access to that part of the server, so I don't usually care. Whatever works. =)

    --- Mystic BBS v1.12 A49 2024/05/12 (Linux/64)
    * Origin: throwbackbbs.com -\- meriden, ct -\- (21:1/114)
  • From Shurato@21:2/148 to tassiebob on Thursday, October 17, 2024 12:27:00

    Hi All,

    I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

    The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it doesn't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

    The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

    Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

    I use websockify; could never get the fTelnetProxy app to work. You can install it with pip (it requires python) 'pip install websockify', then I use the command (this will turn it into multiple lines, it's just one line):

    websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

    You can add an --ssl-only to it to only allow secure connections. The first ip is the ip address and port number of the socket, the second is the ip address and port number of the bbs' telnet address. Use local IPs so that the secure connection isn't leaked.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)
  • From Shurato@21:2/148 to tassiebob on Thursday, October 17, 2024 12:29:00

    Hi All,

    I've been trying to get fTelnet working in a fully self-hosted arrangement. I'm coming unstuck trying to work out how to configure the WSS certificate for the proxy.

    The server is using LetsEncrypt certificates and I'm hoping to use that same certificate for the fTelnetProxy application, but thus far I've been unable to come up with a working configuration. It looks like .net/mono needs a PFX format certificate, which I can generate, but it doesn't work when I do. I either get "--Error loading cert file", or it throws an error in SSL.AuthenticateAsServer.

    The proxy application definitely has permission to read the required files. I've tested my client config against a public proxy and it works fine, so I'm 99% sure the problem is with my own proxy config. The client host can reach the proxy on the WSS port (confirmed with telnet).

    Has anyone else out there made this work, using a LetsEncrypt certificate (or a conversion from an LE certificate), on Linux? Ubuntu 22.04.5 LTS if it matters.

    websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

    Again, point ftelnet to the hostname and socket port number, and don't supply proxy information.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)
  • From tassiebob@21:3/169 to StingRay on Friday, October 18, 2024 19:42:38
    I receive the same error on my Linux Mystic BBS. **** I am going to follow this thread.

    I ended up using fTelnet embedded on mine. https://embed-v2.ftelnet.ca/

    I have a self-hosted client install - it's just the proxy I can't get working. Well, it works, but with the client on an https page, it wants to use wss: to talk to the proxy, which needs the certificates setup.

    As per my previous post - my self-hosted client works fine with a public proxy, which I expect has appropriately setup certificates :-)

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
  • From tassiebob@21:3/169 to zharvek on Friday, October 18, 2024 20:00:46
    It won't help much but I host fTelnet under Win32 and it's using a PFX file from Lets Encrypt just fine. Didn't do anything special, and it renews when necessary using WACS.

    I already have LE managing a cert for the hostname in question (the web client is hosted there) - I suspect the issue is working out how to convert it from PEM to PFX format such that fTelnetProxy is happy to use it. Once I work that out I can automate it...

    I was typing this reply using fTelnet and a public proxy, but it seems a routing issue developed between my host and the proxy (can no longer reach it on 80/443) so the session died :-(

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
  • From tassiebob@21:3/169 to maskreet on Friday, October 18, 2024 20:04:32
    Yep. This is the command I use in a bash script to get Websockify and Let's Encrypt working:

    https://pastebin.com/7e2A3EDL

    Hmmm, so you're using Websockify instead of the fTelnetProxy? I will try this - thanks for the suggestion!

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
  • From tassiebob@21:3/169 to Shurato on Friday, October 18, 2024 20:53:36
    websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

    Again, point ftelnet to the hostname and socket port number, and don't supply proxy information.

    Thanks for the pointer - I have this working, but still have a couple of things to try and solve...

    * websockify needs to access the private key for the certificate, but that by default requires root to access the file. Obviously I don't want to run websockify as root :-) I suspect I'll have to drop in a hook in certbot to either copy it somewhere websockify can access, or set the permissions so a group websockify is in has read access. The former is probably safer, in case something else checks the file mode and bails if it's too open.

    * If I read the documentation correctly, websockify won't notice when the certificate is updated, so the certbot hook will probably have to restart websockify as well, which will break existing sessions. Probably not too much of an issue - not like we're being buried with BBS users these days :-(

    Thanks again for the pointer!

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
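    A certbot deploy hook covering both points in the post above (a key readable by a non-root websockify, and a restart after renewal), added here as an example and not part of anyone's setup in this thread. The staging directory /etc/websockify/certs, the group "websockify" and the systemd unit "websockify" are assumed names.

```shell
#!/bin/sh
# Constructed example of a certbot deploy hook. Assumed names (not from the
# thread): staging dir /etc/websockify/certs, a "websockify" group that the
# websockify service user belongs to, and a systemd unit called "websockify".

# stage_cert LIVE_DIR DEST_DIR [GROUP]
# Copies fullchain.pem and privkey.pem out of certbot's root-only live/
# directory into DEST_DIR with the key group-readable only (0640), so
# websockify can run unprivileged and /etc/letsencrypt keeps its default
# permissions. Runs as a subshell so the umask change does not leak out.
stage_cert() (
    live="$1"; dest="$2"; grp="${3:-}"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || exit 1
    umask 077                      # temp files are never world-readable, even briefly
    mkdir -p "$dest" || exit 1
    cp "$live/fullchain.pem" "$dest/fullchain.pem.tmp" || exit 1
    cp "$live/privkey.pem"   "$dest/privkey.pem.tmp"   || exit 1
    if [ -n "$grp" ]; then
        chgrp "$grp" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp" || exit 1
    fi
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0640 "$dest/privkey.pem.tmp"
    # Rename last so websockify never opens a half-written file on restart.
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem" || exit 1
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"   || exit 1
)

# key_not_world_readable FILE: succeeds when the "other" permission bits are 0.
key_not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/bbs.example.test)
# when it calls a --deploy-hook, and runs the hook as root.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_cert "$RENEWED_LINEAGE" /etc/websockify/certs websockify || exit 1
    # websockify does not re-read its certificate, so restart it; as noted in
    # the post above this drops any session that is open at renewal time.
    systemctl restart websockify
fi
```

    Install it with certbot's --deploy-hook option (or drop it into /etc/letsencrypt/renewal-hooks/deploy/) and point websockify's --cert and --key at the staged copies instead of the live/ directory.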
  • From Atreyu@21:1/176 to Tassiebob on Friday, October 18, 2024 07:18:03
    On 18 Oct 24 20:00:46, Tassiebob said the following to Zharvek:

    I already have LE managing a cert for the hostname in question (the web client is hosted there) - I suspect the issue is working out how to convert it from PEM to PFX format such that fTelnetProxy is happy to use it. Once I work that out I can automate it...

    Have you tried OpenSSL to do the conversion?

    Not really a Linux guy but have LE running here on Windows with Powershell for a few domains, works good. My SMTP server requires the cert converted.

    Atreyu

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (21:1/176)
  • From maskreet@21:1/114 to tassiebob on Friday, October 18, 2024 12:15:56
    On 18 Oct 2024, tassiebob said the following...

    Yep. This is the command I use in a bash script to get Websockify and Let's Encrypt working:

    https://pastebin.com/7e2A3EDL

    Hmmm, so you're using Websockify instead of the fTelnetProxy? I will try this - thanks for the suggestion!

    Yep, 100% self hosted that way. If there's an issue with connection I know it's all on me and know where to look to address it. A little harder to set up and maintain, but ultimately easier in terms of troubleshooting.

    --- Mystic BBS v1.12 A49 2024/05/12 (Linux/64)
    * Origin: throwbackbbs.com -\- meriden, ct -\- (21:1/114)
  • From Shurato@21:2/148 to tassiebob on Friday, October 18, 2024 10:22:00

    websockify --cert=c:\apache24\conf\bundle.pem 192.168.0.4:8080 192.168.0.3:24

    Again, point ftelnet to the hostname and socket port number, and don't supply proxy information.

    Thanks for the pointer - I have this working, but still have a couple of things to try and solve...

    * websockify needs to access the private key for the certificate, but that by default requires root to access the file. Obviously I don't want to run websockify as root :-) I suspect I'll have to drop in a hook in certbot to either copy it somewhere websockify can access, or set the permissions so a group websockify is in has read access. The former is probably safer, in case something else checks the file mode and bails if it's too open.

    My bundle.pem file includes all certificates and the private key... You can use a --key=<pathtoprivatekeyfile> as well. You can put it somewhere you have access to (I'm in Windows so I don't have file permission issues, plus my solution is easy and doesn't seem to have any downfalls).

    * If I read the documentation correctly, websockify won't notice when the certificate is updated, so the certbot hook will probably have to restart websockify as well, which will break existing sessions. Probably not too much of an issue - not like we're being buried with BBS users these days :-(

    I think that's correct. I use a yearly renewing cert, so again I don't have that problem.

    Thanks again for the pointer!

    No problem!

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)
  • From tassiebob@21:3/169 to Atreyu on Saturday, October 19, 2024 10:03:04
    Have you tried OpenSSL to do the conversion?

    I did, but fTelnetProxy didn't like the result so I was obviously not doing it the way it wanted (and that was part of the problem - I didn't know precisely what it wanted).

    I got there with Websockify though - using fTelnet via that to type this message :-)

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
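    An OpenSSL conversion from the Let's Encrypt PEM pair to PFX, with a read-back check of what the bundle contains, added here as an example rather than anything a poster in this thread ran. The -legacy handling is my assumption about why a freshly exported PFX can be rejected (OpenSSL 3, as shipped on Ubuntu 22.04, writes PKCS#12 with AES/PBKDF2 by default, which older TLS stacks such as Mono's may not read); the thread does not confirm that this was the cause.

```shell
#!/bin/sh
# Constructed example (not from any poster): build a PKCS#12 file from the
# Let's Encrypt fullchain.pem + privkey.pem and read back what it contains.
# Assumption: an older TLS stack that rejects the OpenSSL 3 default encoding
# will accept the RC2/3DES encoding that the -legacy option selects.

# pem_to_pfx CHAIN KEY OUT PASSWORD
# Tries the legacy encoding first and falls back to the default when this
# OpenSSL has no legacy provider (or is 1.1.x, where -legacy does not exist).
pem_to_pfx() {
    chain="$1"; key="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export -legacy -in "$chain" -inkey "$key" \
        -out "$out" -passout "pass:$pass" 2>/dev/null ||
    openssl pkcs12 -export -in "$chain" -inkey "$key" \
        -out "$out" -passout "pass:$pass"
}

# pfx_subject PFX PASSWORD
# Prints the leaf certificate's subject (the "Subject:" line that certutil
# -dump shows), so you can confirm the bundle carries the right host cert
# before pointing a proxy at it. Fails on a wrong password or empty bundle.
pfx_subject() {
    { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -legacy 2>/dev/null ||
      openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null; } |
    openssl x509 -noout -subject
}

# pfx_has_key PFX PASSWORD: succeeds only if a private key is in the bundle;
# a PFX built from the chain alone will load but can never serve TLS.
pfx_has_key() {
    { openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -legacy 2>/dev/null ||
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null; } |
    grep -q 'PRIVATE KEY'
}
```

    Whatever loads the PFX must be given the same passphrase you pass as PASSWORD.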
  • From Shurato@21:2/148 to tassiebob on Saturday, October 19, 2024 03:05:00

    Have you tried OpenSSL to do the conversion?

    I did, but fTelnetProxy didn't like the result so I was obviously not doing it the way it wanted (and that was part of the problem - I didn't know precisely what it wanted).

    I got there with Websockify though - using fTelnet via that to type this message :-)

    Yay! I'm glad that was able to work for you!

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)
  • From tassiebob@21:3/169 to opicron on Sunday, October 20, 2024 17:38:08
    When you figure this out please do share! ^^

    websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem --ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

    This is basically what I'm using thanks to a previous poster.

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)
  • From opicron@21:3/126 to tassiebob on Sunday, October 20, 2024 12:33:31
    When you figure this out please do share! ^^

    websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem --ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

    This is basically what I'm using thanks to a previous poster.

    Awesome, thanks! Was looking forward to getting rid of the fTelnet proxy.

    oP!

    ... Documentation: The worst part of programming.

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: TheForze - bbs.theforze.eu:23 (21:3/126)
  • From opicron@21:3/126 to tassiebob on Sunday, October 20, 2024 14:28:06
    This is basically what I'm using thanks to a previous poster.

    Awesome, I run a websockify docker now, which also doubles as the webserver for the fTelnet script. So basically everything runs in one docker now.

    Thanks!

    For anybody interested, this is the docker command I used:

    docker run -it -p 2443:443 -v /volume1/docker/websockify:/data jwnmulder/websockify :443 bbs.theforze.eu:23 --log-file=/data/data/logfile.log --web /data/web --cert /data/data/xxx.cer --key=/data/data/xxx.key --ssl-only --ssl-version tlsv1_2

    oP!

    ... A book misplaced is a book lost

    --- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
    * Origin: TheForze - bbs.theforze.eu:23 (21:3/126)
  • From Shurato@21:2/148 to tassiebob on Sunday, October 20, 2024 09:26:00

    When you figure this out please do share! ^^

    websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem --ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

    This is basically what I'm using thanks to a previous poster.

    I would suggest that your target ip is internal to avoid leaking the security.



    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss) (Ports 22,23,110,21,119,8080) (ssh login 'bbs' pass 'shsbbs').


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (21:2/148)
  • From tassiebob@21:3/169 to Shurato on Monday, October 21, 2024 18:45:30
    websockify --cert /etc/letsencrypt/live/xxx.com/fullchain.pem --key=/etc/letsencrypt/live/xxx.com/privkey.pem --ssl-only --log-file=/var/log/websockify/websockify.log --daemon 192.46.220.211:2443 bbs.tassiebob.com:2323

    This is basically what I'm using thanks to a previous poster.

    I would suggest that your target ip is internal to avoid leaking the security.

    I'm not sure I see the point?

    The 192.46.220.211:2443 can be found in the web page that fTelnet is embedded in, and I believe needs to be a public IP so that the fTelnet client running in someone's browser can connect to it.

    The bbs.tassiebob.com:2323 is just the regular host:port of the BBS that anyone would use if they used a native terminal.

    In my case I can't use private addressing anyway as the BBS and the websockify proxy are on separate machines, on separate networks, in separate physical locations.

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: TassieBob BBS, Hobart, Tasmania (21:3/169)