What files are given to Syncplay for TLS when acme.sh is used instead of certbot?

[Mikaela]

With certbot I just copied all files and pointed Syncplay to the directory, but acme.sh gives me a separate set of files.

• certbot gave me: README cert.pem chain.pem fullchain.pem privkey.pem
• acme.sh gives me: ca.cer relpda.mikaela.info.cer relpda.mikaela.info.csr relpda.mikaela.info.key fullchain.cer relpda.mikaela.info.conf relpda.mikaela.info.csr.conf

Which of them do I give to Syncplay and will it understand them directly or do I have to rename them?

[Et0h]

I haven't used acme. The only guidance we have is https://github.com/Syncplay/syncplay/wiki/TLS-support

[Mikaela]

The furtherst I got was:

cp $CERTDIR/fullchain.cer /opt/syncplay/ssl/chain.pem
cp $CERTDIR/relpda.mikaela.info.key /opt/syncplay/ssl/privkey.pem
cp $CERTDIR/relpda.mikaela.info.cer /opt/syncplay/ssl/cert.pem

Which results to:

ERROR:  Secure connection failed. The server uses an invalid security certificate. This communication could be intercepted by a third party. For f
urther details and troubleshooting see <a href="https://syncplay.pl/trouble">here</a>.
ERROR:  Disconnected from server

If I replace $CERTDIR/relpda.mikaela.info.cer with $CERTDIR/relpda.mikaela.info.csr I get ERROR: This server does not support TLS

[albertosottile]

Did you check if the .cer files are actually in the PEM format? Maybe they need to be converted instead of just renamed...

[daniel-123]

Looking through readme at https://github.com/Neilpang/acme.sh/blob/master/README.md#3-install-the-cert-to-apachenginx-etc there is explanation how to install certificates with formats and paths similar to what Syncplay expects. At very least this should be a serviceable workaround.

Personally I'm thinking that some way of specifying arbitrary names for PEM files in Syncplay might be worth exploring after all.

[Mikaela]

I should read documentations better. However even with those instructions, Syncplay stays unhappy.

My script now says:

DOMAINNAME=relpda.mikaela.info
/root/.acme.sh/acme.sh --install-cert -d $DOMAINNAME --cert-file /opt/syncplay/ssl/cert.pem --key-file /opt/syncplay/ssl/privkey.pem --fullchain-file /opt/syncplay/ssl/chain.pem --reloadcmd "systemctl restart syncplay-server --quiet"

It outputs me:

[Fri Aug  9 15:36:14 EEST 2019] Installing cert to:/opt/syncplay/ssl/cert.pem
[Fri Aug  9 15:36:14 EEST 2019] Installing key to:/opt/syncplay/ssl/privkey.pem
[Fri Aug  9 15:36:14 EEST 2019] Installing full chain to:/opt/syncplay/ssl/chain.pem
[Fri Aug  9 15:36:14 EEST 2019] Run reload cmd: systemctl restart syncplay-server --quiet
[Fri Aug  9 15:36:14 EEST 2019] Reload success

The directory looks like this:

syncplay@relpda ~/ssl % ls -l
total 12
-rwx------ 1 syncplay root 2021 Aug  9 15:36 cert.pem
-rwx------ 1 syncplay root 3669 Aug  9 15:36 chain.pem
-rwx------ 1 syncplay root 1679 Aug  9 15:36 privkey.pem

and Syncplay tells me:

[15:37:24] Successfully reached y.relpda.mikaela.info (201:ef0c:cebe:f000:183c:9326:cbba:8fe1)
ERROR:  Secure connection failed. The server uses an invalid security certificate. This communication could be intercepted by a third party. For f
urther details and troubleshooting see <a href="https://syncplay.pl/trouble">here</a>.

I have git pulled both client and server to 0f284e7.

[daniel-123]

Running the following command should give detailed info about what exactly is going on:
openssl s_client -connect relpda.mikaela.info:8999 <<< "Q"

Edit: from the looks of it y.relpda.mikaela.info you connect to is a different domain name than relpda.mikaela.info your certificate is for. Maybe the problem is here?

[Mikaela]

I changed the command to openssl s_client -connect y.relpda.mikaela.info:14404 and it only says CONNECTED(00000003) and hangs.

The certificate is valid for relpda.mikaela.info, ds.relpda.mikaela.info, nat.relpda.mikaela.info, y.relpda.mikaela.info.

relpda.mikaela.info is the main domain, but it's IPv6-only, so I also have ds. and nat., y. is for Yggdrasil and requires special software for accessing, and I don't have this issue with Mumble or ZNC connected to the same domain.

I also have another Mumble user whom I think to connect to ds.relpda.mikaela.info.

[Mikaela]

I tried connecting directly to relpda.mikaela.info:14404 without anything being different. Are you on freenode or something else where I could give you the password in case you can see something more useful?

[Mikaela]

On IRC @daniel-123 figured that I was passing the wrong arguments to acme.sh.

My script now says:

$ACMESH --cert-file $SYNCPLAYDIR/cert.pem --key-file $SYNCPLAYDIR/privkey.pem --ca-file $SYNCPLAYDIR/chain.pem

expanded:

/root/.acme.sh/acme.sh --install-cert -d relpda.mikaela.info --cert-file /opt/syncplay/ssl/cert.pem --key-file /opt/syncplay/ssl/privkey.pem --ca-file/opt/syncplay/ssl/chain.pem

The issue was that Syncplay expected acme.sh's --ca-file instead of --fullchain-file.

[albertosottile]

@daniel-123

Personally I'm thinking that some way of specifying arbitrary names for PEM files in Syncplay might be worth exploring after all.

I tend to agree with you, but I believe this is just not feasible in our CLI-based current configuration system. I am in favor of @alxpettit idea of using a config file (perhaps an INI file) for our server in the future.

[kidburglar]

Some other application use --key --cert --ca arguments to pass the path directly ?
Will that not be a good way to do it ?

[Et0h]

Thanks for your work in helping us understand these issues. We are trying to avoid further complicating the Syncplay codebase, especially when it comes to TLS-related features. As such, while we will link to this issue from https://syncplay.pl/guide/server/ so that those with similar issues can understand what is happening, no changes to the Syncplay code are currently anticipated. In the future more information on this topic might be integrated into the guide at: https://github.com/Syncplay/syncplay/wiki/TLS-support at which point the reference to this issue could become redundant.

[tacerus]

Hello,

I am using Lego for requesting certificates from Let's Encrypt.
Could you clarify what PEM data the three files needed by Syncplay should contain?
From my personal understanding:

• chain.pem -> CA intermediate + root certificate
• cert.pem -> single level server certificate
• privkey.pem -> private key

I tried:

• server certificate in cert.pem and intermediate+root certificate in chain.pem
• server certificate in cert.pem server+intermediate+root certificate in chain.pem
• server+intermediate+root certificate in cert.pem and root certificate in chain.pem
• server+intermediate+root certificate in cert.pem and server+intermediate+root certificate in chain.pem

All combinations result in the server printing "TLS support is enabled." and in the client printing "Secure connection failed. The server uses an invalid security certificate. This communication could be intercepted by a third party. For further details and troubleshooting see here." - unfortunately neither of these messages indicate what the issue is. Of course, my certificate is valid (not expired, matching SAN and trusted by the client system's root CA store).

Trying to connect using OpenSSL makes it seem like there is no TLS certificate being sent at all:

$ openssl s_client -connect lysergic.media:8999
CONNECTED(00000003)

If I put Syncplay behind stunnel, above query presents me with a certificate immediately.

Would appreciate any input.

[Et0h]

@tacerus Hopefully you will find https://github.com/Syncplay/syncplay/wiki/TLS-support of assistance.

[Et0h]

Also be aware that if you are connecting to yourself as localhost then that might cause the TLS to fail. Test with a remote connection.

[tacerus]

Thanks for your reply! I checked the article you linked, and attempted one more combination:

• server certificate in cert.pem and only intermediate certificate in chain.pem

Unfortunately it did not change the behavior of the program either.

Of course, I am connecting using the external domain name which is included in the SAN's of the certificate.

[Et0h]

Even if connecting to the external domain, if you are connecting to yourself then there can be problems because your router might end up just making it a loopback which then means it has the wrong IP to the external one and fails, but this isn't my specialty so I could be wrong. If you are connecting via a loopback then you shouldn't need TLS. You ideally want someone who is on a completely different network to the server to connect to your server for testing purpose.

[tacerus]

This is over the internet, so TLS is necessary.

As said, if I proxy it through a separate application like stunnel the TLS handshake is established.

[daniel-123]

@tacerus Exact files and their contents that Syncplay expects are the same as old certbot produces by default:

• privkey.pem containing the private key
• cert.pem containing the signed leaf certificate (the one with CN/SAN equal to domain name you use)
• chain.pem containing the intermediate certificate and after it, the root certificate.

In case of current Let's Encrypt certificates, the intermediate certificate will be the R3 and the root is ISRG Root X1. This is how current public servers are set up, so this should also work for you.

[tacerus]

Thank you very much for the insight, @daniel-123!
This is very useful if using different ACME clients.