Import of external Letsencrypt Certificates from NPM+ as pkcs12 container via certtool.js
Hi,
I want to use certtool.js to import an external Letsencrypt certificate for funtopia.synchro.net into SynchronetBBS.
The letsencrypt certificate is created by Nginx Proxy Manager Plus.
To create a PKCS12 container that can be used with certtool.js I use openssl, but certtool.js only responds with Error -22 whenever I try to import the resulting p12 file.
Something with the certificate seems different or incompatible with cryptlib, because tests with self-generated certificates of all kinds showed that imports with certtool.js do work in general.
Here is the script that I use to import, or try to import, the certificate.
Best Regards,
Stephan /Mindsurfer
#!/bin/bash
# Define paths
SBBS_CTRL="/sbbs/ctrl"
SBBS_EXEC="/sbbs/exec"
CERT_DIR="/mnt/shared-certs"
P12_FILE="/tmp/ssl.p12"
MAIN_INI="$SBBS_CTRL/main.ini"

# 1. Extract the password automatically from main.ini
# We look for "Password=" in the [Global] section or at the top of the file
#SYSPASS=$(grep -i "^Password=" "$MAIN_INI" | cut -d'=' -f2 | tr -d '\r\n')
SYSPASS="XXXXXXXXXX"
if [ -z "$SYSPASS" ]; then
    echo "FEHLER: Konnte System-Passwort nicht in $MAIN_INI finden!"
    exit 1
fi

process_certs() {
    echo "Zertifikats-Update gestartet: $(date)"
    # 2. Create the PKCS12 file
    # We use the legacy flags because Synchronet's cryptlib often has
    # problems with the default encryption of modern OpenSSL 3.x.
    openssl pkcs12 \
        -export -out "$P12_FILE" \
        -inkey "$CERT_DIR/privkey.pem" \
        -in "$CERT_DIR/cert.pem" \
        -certfile "$CERT_DIR/chain.pem" \
        -passout pass:"$SYSPASS" \
        -name "ssl_cert" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -nomaciter -noiter
    if [ $? -eq 0 ]; then
        echo "PKCS12 erfolgreich erstellt."
        # 3. Import via certtool.js
        # We change into the exec directory so that jsexec finds all dependencies
        cd "$SBBS_EXEC" || return 1
        ./jsexec certtool.js --import-pkcs12 "$P12_FILE"
        echo "Import-Vorgang abgeschlossen."
        # 4. Cleanup (optional: delete the p12 after the import for better security)
        rm -f "$P12_FILE"
    else
        echo "FEHLER: OpenSSL Konvertierung fehlgeschlagen!"
    fi
}

# Initial run at startup
process_certs

# Watch the shared mount
echo "Überwachung von $CERT_DIR gestartet..."
inotifywait -m -e close_write,moved_to "$CERT_DIR" | while read -r path action file; do
    if [[ "$file" == "privkey.pem" || "$file" == "fullchain.pem" ]]; then
        # Short pause in case both files arrive at the same time
        sleep 2
        process_certs
    fi
done
Edited by Stephan Gebbers
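
A pre-import check for the container built by the script above, as an added example that is not part of the original post or of Synchronet: it builds the p12 owner-readable only, confirms that it opens with the passphrase and that the key and certificate inside match `privkey.pem`, and reports the certificate's key algorithm for comparison with the self-generated certificates that imported fine. The `P12_PASS` variable and the function names are assumptions; `-nomaciter -noiter` are left out here.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumption: the passphrase is exported as P12_PASS (hypothetical variable
# name) so openssl reads it via env: and it never shows up in the process list.

# cert_key_algorithm CERT: print e.g. rsaEncryption or id-ecPublicKey.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# build_p12 KEY CERT OUT [CHAIN]: same PBE algorithms as the post's script.
# umask 077 inside a subshell keeps the container readable by its owner only.
build_p12() (
    umask 077
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
        ${4:+-certfile} ${4:+"$4"} -name "ssl_cert" \
        -passout env:P12_PASS \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
)

# p12_matches_key P12 KEY: succeed only if the container opens with P12_PASS
# and both the certificate and the private key inside it carry the same
# public key as KEY. Any openssl failure (wrong passphrase, unreadable file)
# makes the check fail instead of comparing empty strings.
p12_matches_key() {
    want=$(openssl pkey -in "$2" -pubout) || return 1
    from_cert=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts |
        openssl x509 -noout -pubkey) || return 1
    from_key=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes |
        openssl pkey -pubout) || return 1
    [ -n "$want" ] && [ "$want" = "$from_cert" ] && [ "$want" = "$from_key" ]
}
```

Running `p12_matches_key` before the `jsexec certtool.js --import-pkcs12` step separates a container that OpenSSL itself cannot reopen from one that only the importer rejects.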