• Port 563 TLSv1.3 [Letsencrypt]

    From Gabx@21:1/5 to All on Thu Mar 27 00:00:44 2025
    I'm having trouble enabling port 563 TLS with letsencrypt certificates,
    any help is welcome. Thanks!

    Gabx
    --
    https://yamn.virebent.art/contatti.html

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Roberto CORRADO@21:1/5 to Gabx on Thu Mar 27 18:42:23 2025
    "Gabx" wrote:


    ,----[ Quote m4jf8vF4jjqU1@mid.individual.net ]
    | I'm having trouble enabling port 563 TLS with letsencrypt certificates,
    | any help is welcome. Thanks!
    `----

    Configuration TLS on my system:

    """
    grep "tls" *
    inn.conf:tlscapath: /etc/inn/cert
    inn.conf:tlscafile: /etc/inn/cert/corradoroberto.it.ca
    inn.conf:tlscertfile: /etc/inn/cert/corradoroberto.it.crt
    inn.conf:tlskeyfile: /etc/inn/cert/corradoroberto.it.key
    inn.conf:#tlscompression: false
    inn.conf:tlspreferserverciphers: true
    inn.conf:tlsprotocols: [ TLSv1.2 TLSv1.3 ]
    """

    Before restarting, check the permissions of the cert files, and after restarting the daemon, try to run:
    """
    news$ /usr/inn/nnrpd -D -4 $IPv4 -p 563 -S
    """

    and try to connect to port TCP 563...

  • From Gabx@21:1/5 to Roberto CORRADO on Thu Mar 27 21:11:37 2025
    Roberto CORRADO wrote:

    Before restarting, check the permissions of the cert files, and after restarting the daemon, try to run:
    """
    news$ /usr/inn/nnrpd -D -4 $IPv4 -p 563 -S
    """

    and try to connect to port TCP 563...


    Following your indications,

    $ openssl s_client -connect news.tcpreset.net:563
    Connecting to 94.130.76.71
    CONNECTED(00000003)
    depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
    verify return:1
    depth=1 C=US, O=Let's Encrypt, CN=R11
    verify return:1
    depth=0 CN=news.tcpreset.net
    verify return:1
    ---
    Certificate chain
    0 s:CN=news.tcpreset.net
    .....
    79 5f ca 4e e9 ...=..]..P.y_.N.

    Start Time: 1743106068
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
    ---
    read R BLOCK
    200 news.tcpreset.net InterNetNews NNRP server INN 2.6.4 ready (posting ok)


    Thanks for your help!

    Gabx


    --
    https://yamn.virebent.art/contatti.html

  • From Roberto CORRADO@21:1/5 to Gabx on Thu Mar 27 21:22:37 2025
    "Gabx" wrote:


    ,----[ Quote m4lpnsFg0jmU1@mid.individual.net ]
    | ,----[ Quote unknown MSG_ID ]
    | | 200 news.tcpreset.net InterNetNews NNRP server INN 2.6.4 ready (posting ok)
    | `----
    | Thanks for your help!
    `----

    IMHO, you have a configuration problem...
    please...

    """
    $ cat /etc/systemd/system/inn-nnrpd.service | curl -F 'nopaste=<-' https://nopaste.corradoroberto.it
    """

  • From Gabx@21:1/5 to Roberto CORRADO on Thu Mar 27 22:45:27 2025
    Roberto CORRADO wrote:
    "Gabx" wrote:


    ,----[ Quote m4lpnsFg0jmU1@mid.individual.net ]
    | ,----[ Quote unknown MSG_ID ]
    | | 200 news.tcpreset.net InterNetNews NNRP server INN 2.6.4 ready (posting ok)
    | `----
    | Thanks for your help!
    `----

    IMHO, you have a configuration problem...
    please...

    """
    $ cat /etc/systemd/system/inn-nnrpd.service | curl -F 'nopaste=<-' https://nopaste.corradoroberto.it
    """


    I haven't launched nnrpd by a systemd script.
    I have set in inn.conf -S flag in nnrpdflags: directive.

    tlscafile: /etc/news/ssl/chain.pem
    tlscertfile: /etc/news/ssl/cert.pem
    tlskeyfile: /etc/news/ssl/privkey.pem
    tlsprotocols: [ TLSv1.2 TLSv1.3 ]

    Then, as you see above, I have copied the letsencrypt certificates
    into /etc/news/ssl to make the certificates and key owned by the news user.

    By the way, I run Ubuntu 22.04.
    I've stopped implementing nnrpd for now.
    I've decided to start with at least one peer first, understand all the
    other config files well and ultimately adopt nnrpd and tls.

    Gabx
    --
    https://yamn.virebent.art/contatti.html

  • From roby@21:1/5 to All on Thu Mar 27 23:44:05 2025
    Gabx <dogfromhell666@mail2tor.com> wrote:

    I have set in inn.conf -S flag in nnrpdflags

    If you knew why didn't you write so right away? :-)

  • From Gabx@21:1/5 to roby on Fri Mar 28 08:24:54 2025
    roby wrote:

    If you knew why didn't you write so right away? :-)


    ?
    --
    https://yamn.virebent.art/contatti.html

  • From Julien ÉLIE@21:1/5 to All on Sun Mar 30 09:47:43 2025
    Hi Gabx,

    I haven't launched nnrpd by a systemd script.
    I have set in inn.conf -S flag in nnrpdflags: directive.

    nnrpdflags
    When nnrpd(8) is spawned from innd(8), these flags are passed
    as arguments to the nnrpd process.

    innd usually listens on port 119 so it spawns nnrpd on the same port.
    It is meant for unencrypted reader connections. You should not use "-S"
    for nnrpdflags.

    You need to run nnrpd as a daemon on port 563. See the last point in CHECKLIST:
    https://www.eyrie.org/~eagle/software/inn/docs/checklist.html

    And naturally more details in the "TLS Support" section of nnrpd manual
    page:
    https://www.eyrie.org/~eagle/software/inn/docs/nnrpd.html

    --
    Julien ÉLIE

    « À bas la légion ménagère ! » (Astérix)

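
Julien ÉLIE's point above (no -S in nnrpdflags, TLS belongs to a separate nnrpd daemon on port 563) and the earlier advice to check the permissions of the certificate files can both be checked before a restart. The script below is an added example, not part of any post in this thread or of INN; the function names, the accepted key modes and the /etc/news/inn.conf path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lint inn.conf for the two issues above.
# Run as the news user; uses GNU stat (Ubuntu). Conf path is passed as $1.

# Print the last uncommented value of "key: value" in an inn.conf-style file.
inn_param() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

lint_inn_conf() {
    conf=$1
    rc=0

    # innd passes nnrpdflags to every nnrpd it spawns on its own port (119),
    # so -S there makes the plaintext port expect a TLS handshake.
    flags=$(inn_param "$conf" nnrpdflags | tr -d '"')
    for f in $flags; do
        if [ "$f" = "-S" ]; then
            echo "FAIL nnrpdflags contains -S; run a separate nnrpd daemon on 563"
            rc=1
        fi
    done

    # The key must be readable by the user nnrpd runs as and closed to others.
    # Assumed policy for this example: mode 400, 600, 440 or 640.
    key=$(inn_param "$conf" tlskeyfile)
    if [ -z "$key" ]; then
        echo "FAIL tlskeyfile is not set"; rc=1
    elif [ ! -r "$key" ]; then
        echo "FAIL $key is not readable by $(id -un)"; rc=1
    else
        mode=$(stat -c %a "$key")
        case $mode in
            400|600|440|640) ;;
            *) echo "FAIL $key has mode $mode"; rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK $conf"
    return "$rc"
}

# Stand-alone use: sh lint_inn_conf.sh /etc/news/inn.conf
if [ "$#" -gt 0 ]; then
    lint_inn_conf "$1"
fi
```
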
  • From Gabx@21:1/5 to All on Mon Mar 31 22:22:02 2025
    Julien ÉLIE wrote:
    as arguments to the nnrpd process.

    innd usually listens on port 119 so it spawns nnrpd on the same port. It
    is meant for unencrypted reader connections. You should not use "-S"
    for nnrpdflags.

    You need to run nnrpd as a daemon on port 563. See the last point in CHECKLIST:
    https://www.eyrie.org/~eagle/software/inn/docs/checklist.html

    And naturally more details in the "TLS Support" section of nnrpd manual
    page:
    https://www.eyrie.org/~eagle/software/inn/docs/nnrpd.html

    Yes, you are right,
    I noticed it:

    openssl s_client news.tcpreset.net:119
    Connecting to 94.130.76.71
    CONNECTED(00000003)
    depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1 .....................................

    I don't want this on port 119, thanks.

    Gabx
