Per Deon (ALTERANT) via DOVE-Net:

Oct  7 09:47:16 d-11-1 synchronet: srvc 0060 BINKPS connection accepted from:
2402:1f00:8101:b3c:1000::2 port 55338
Oct  7 09:47:16 d-11-1 synchronet: srvc 0060 BINKPS TLS ERROR 'Server
certificate has expired' (-3) setting private key
Oct  7 09:47:16 d-11-1 synchronet: srvc 0060 BINKPS TLS ERROR 'Data has not
been initialised' (-11) setting session active

Which was odd, because my cert was renewed.

I forced renewed it, and confirmed it was valid, but they were still failing.

I noticed that letsyncrypt only recycles the web, which is probably the issue.
Once I recycled everything, binkps connections started working again.

Reported by Compctech via DOVE-Net:

"On a side note,  I had to modify the letsyncrypt.js file to get letsencrypt to
work.  I had to add a / before .well-known on lines 86 - 89 & 96."

I'm guessing this is because his sbbs.ini [Web] RootDirectory wasn't terminated with a slash.

Just delete the old private key and create a new one for the new
host.

Get both the webroot and web hostname from sbbs.ini rather than use
system.inet_addr.  system.inet_addr is configured in the messages
section, so it's implied that it's for email addresses.

Also, allow configuring the sysop email address with the SysopEmail
global key in the ini file.

This is a cleanup and duplicate of !82

When set to true, enables group read permissions on the ssl.cert file
(using the new file_chmod() global function).

with Synchronet.

certificate is generated.

it's true.  Log an error with the URL if it's not true and account creation
fails.

have a third of their total lifetime left".  Do that.

Fixes bug where the key ID would be taken from the staging server.

Basically, prepare to split the script into various functions and stuff...
that var list is silly.

with a CSR.

an update of the Host has changed. Delete Staging value since it's not
used anymore.

Give the certchain a different name from the private key so we can safely delete
it without losing the private key too.
Don't hold the keyset open while waiting for a CSR to be renewed.

isn't going to happen.

Also, add more errors, especially when a certificate is installed, but the
state data can't be updated.  That (very unlikely - some would say impossible)
situation will result in a new cert being requested every time the script is
ran (ideally every day), and likely running into throttling issues.

an error.

If LetSyncrypt does create it, add a webctrl.ini file that removes access
restrictions so that the file can be validated.

when they're 30 days old.

ssl.cert and generate a new key.

The defl-signed certificates are 1536 bits, so cannot be reused for Let's
Encrypt.

Modify ctrl/letsyncrypt.ini and in the Domains section, add the web root
for each domain in the format:
example.com=/sbbs/web/root

If the list of domains changes, a new certificate will be generated next
time letsyncrypt runs.

You DO NOT need to specify the domains if you only need to support the single
host system.inet_addr.

run this as a daily event.