SSL for the bot

Status
Not open for further replies.

kanalumaddela

Insider
So I'm setting up full SSL for all of my sites; it uses a cert generated by Let's Encrypt and works flawlessly for the sites. As for sinusbot, there had to be a workaround.

config.ini
Code:
UseSSL = true
SSLKeyFile = "/etc/letsencrypt/live/<domain>/privkey.pem"
SSLCertFile = "/etc/letsencrypt/live/<domain>/fullchain.pem"
Hostname = "bot.domain.com"
bot log
Code:
2016/02/22 12:34:23 Error initializing HTTP-Server (SSL): open /etc/letsencrypt/live/<domain>/fullchain.pem: permission denied

So the /etc/letsencrypt/live directory is in fact protected, so that's why the account sinusbot is running under can't access the cert.

So under root I copied the certificate and key and placed them in the sinusbot folder, preferably in /opt/<sinusbot directory>/ssl, and it worked when I connected using https://bot.<domain>.com:8087. I haven't seen anyone do this before/post about it and I thought I'd share what I did. Sure there's Cloudflare, but that wouldn't work since the origin IP would be different unless of course you used a reverse proxy (which btw I did try and failed since reverse proxy + Cloudflare HTTPS = stuck at sinusbot loading).

New config.ini
Code:
UseSSL = true
SSLKeyFile = "/opt/ts3bot/ssl/privkey.pem"
SSLCertFile = "/opt/ts3bot/ssl/fullchain.pem"
Hostname = "bot.domain.com"
 

iTaskmanager

Well-Known Member
Tier II
Tier III
Tier I
Insider
You can't read the certs with the ts3-user. LetsEncrypt is only intended for root.

So you can add your ts3-user-group to root/LE or you can copy the certs and move them to your own ts3-folder (e.g. "/opt/ts3soundboard/ssl/" or "/home/$ts3username/ts3soundboard/ssl/").

After this, restart the bot and enjoy your encrypted connection.
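
An added example, not code from the thread or from SinusBot: a certbot deploy hook that repeats the copy described in the two posts above on every renewal, so the bot's copy does not go stale, and keeps the private key at mode 0600. The account name sinusbot and the destination /opt/ts3bot/ssl are assumptions; RENEWED_LINEAGE is the variable certbot passes to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: account "sinusbot",
# destination /opt/ts3bot/ssl (the path used in the first post).

# copy_pem SRC DST MODE [OWNER]: prints "changed" or "unchanged".
copy_pem() {
    src=$1; dst=$2; mode=$3; owner=${4:-}
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        chmod "$mode" "$dst" || return 2    # same bytes: only re-assert the mode
        echo unchanged; return 0
    fi
    tmp=$(mktemp "$dst.XXXXXX") || return 2 # mktemp creates the file as 0600
    # cat follows the symlink under live/ and fills the 0600 temp file, so the
    # private key is never readable by other accounts, not even briefly.
    if ! cat "$src" > "$tmp" || ! chmod "$mode" "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    # Only root can hand a file to another account; skipped otherwise.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$dst" || return 2         # rename is atomic on one filesystem
    echo changed
}

# deploy_cert LINEAGE DEST [OWNER]: prints "restart" if a file changed, else "ok".
deploy_cert() {
    lineage=$1; dest=$2; owner=${3:-}
    mkdir -p "$dest" && chmod 700 "$dest" || return 2
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dest" || return 2
    fi
    k=$(copy_pem "$lineage/privkey.pem" "$dest/privkey.pem" 600 "$owner") || return 2
    c=$(copy_pem "$lineage/fullchain.pem" "$dest/fullchain.pem" 644 "$owner") || return 2
    if [ "$k" = changed ] || [ "$c" = changed ]; then echo restart; else echo ok; fi
}

# certbot exports RENEWED_LINEAGE to deploy hooks; do nothing when it is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" /opt/ts3bot/ssl sinusbot
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, it runs after each successful renewal; restart the bot when it prints "restart".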
 

kanalumaddela

Insider
> You can't read the certs with the ts3-user. LetsEncrypt is only intended for root.
>
> So you can add your ts3-user-group to root/LE or you can copy the certs and move them to your own ts3-folder (e.g. "/opt/ts3soundboard/ssl/" or "/home/$ts3username/ts3soundboard/ssl/").
>
> After this, restart the bot and enjoy your encrypted connection.

If you read what was there I already did so..., but maybe if you can explain why I can't access the bot locally that would be great.

I had accessed it locally using "https://bot.<domain>.com:8087" (it works perfectly fine out of home), but it wouldn't load. The bot log is as such.
Code:
2016/02/24 01:30:43 http: TLS handshake error from 192.168.1.254:8087: tls: first record does not look like a TLS handshake
As for accessing it using the local IP of the computer, it would download a file named literally "download". I added a .txt so it can be uploaded, and if you look at it with a program like Notepad++ it shows random characters.
This issue only occurs locally
 

Attachments

  • download.txt
    7 bytes · Views: 53

Xuxe

Containerholic
Staff member
is awesome!
V.I.P.
Contributor
Insider
> If you read what was there I already did so..., but maybe if you can explain why I can't access the bot locally that would be great.
>
> I had accessed it locally using "https://bot.<domain>.com:8087" (it works perfectly fine out of home), but it wouldn't load. The bot log is as such.

"looks not like a ssl handshake"

Make sure you use https://YOURIP:PORT ....
Not http:// ;)
If you run the Bot behind a Reverse Proxy make sure the Proxy also uses SSL.
 

Xuxe

Containerholic
Staff member
is awesome!
V.I.P.
Contributor
Insider
Code:
2016/02/24 01:30:43 http: TLS handshake error from 192.168.1.254:8087: tls: first record does not look like a TLS handshake
The message clearly means that it isn't an SSL connection; try another browser.
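
An added example, not from the thread: the log line above is the server refusing bytes that are not a TLS record, and this classifier applies the same test to captured bytes, telling a plaintext HTTP request from a TLS handshake or a TLS alert. The sample bytes are constructed; the real content of the 7-byte download.txt attachment is not shown on the page.

```shell
#!/bin/sh
# Added example, not from the thread: classify the first bytes seen on the
# bot's HTTPS port, or saved by a browser as a file named "download".

# alert_name HEX: names for a few TLS alert description codes.
alert_name() {
    case $1 in
        00) echo close_notify ;;
        0a) echo unexpected_message ;;
        28) echo handshake_failure ;;
        46) echo protocol_version ;;
        50) echo internal_error ;;
        *)  echo "alert_0x$1" ;;
    esac
}

# first_record FILE: print what the first bytes of FILE look like.
first_record() {
    # First 7 bytes as hex words: 5-byte record header plus a 2-byte alert body.
    set -- $(od -An -tx1 -N7 "$1")
    case "${1:-} ${2:-}" in
        "16 03")  # content type 22 = handshake, major version 3
            echo "tls-handshake" ;;
        "15 03")  # content type 21 = alert; the body is level, description
            case ${6:-} in 01) lvl=warning ;; 02) lvl=fatal ;; *) lvl=unknown ;; esac
            echo "tls-alert $lvl $(alert_name "${7:-}")" ;;
        *)
            # ASCII "GET ", "POST", "HEAD", "PUT " or "HTTP": plaintext HTTP.
            case "${1:-}${2:-}${3:-}${4:-}" in
                47455420|504f5354|48454144|50555420|48545450) echo "plaintext-http" ;;
                *) echo "unknown" ;;
            esac ;;
    esac
}

# Constructed samples: a plaintext request and a 7-byte fatal alert record.
tmp=$(mktemp -d)
printf 'GET / HTTP/1.1\r\n' > "$tmp/request"
printf '\025\003\001\000\002\002\012' > "$tmp/download"
for f in request download; do echo "$f: $(first_record "$tmp/$f")"; done
rm -rf "$tmp"
```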
 

kanalumaddela

Insider
> I'm running sinusbot on Windows and I haven't been able to locate the config file you're referencing. Does anyone know where this should be located? Any help is appreciated, I feel naked without SSL.

When you first run the bot it'll change the config.ini and add in the new parameters; make sure it exists first though. (It's in the root directory of the sinusbot installation.)
Code:
cp config.ini.dist config.ini
Then run the bot
Code:
./sinusbot
Shut it down with:
Ctrl + C
Then edit the config.ini. If that doesn't work (but trust me it should), here's the full config:
Code:
TS3Path = "/opt/ts3bot/TeamSpeak3-Client-linux_amd64/ts3client_linux_amd64"
ListenHost = "0.0.0.0"
DataDir = "/opt/ts3bot/data"
ListenPort = 8087
LocalPlayback = false
EnableLocalFS = false
MaxBulkOperations = 300
LogLevel = 3
EnableProfiler = false
YoutubeDLPath = "/usr/local/bin/youtube-dl"
EnableDebugConsole = false
UploadLimit = 83886080
RunAsUser = 0
RunAsGroup = 0
InstanceActionLimit = 6
UseSSL = true
SSLKeyFile = ""
SSLCertFile = ""
Hostname = ""
MTU = 1500
SampleInterval = 40
StartVNC = false
EnableWebStream = false
LogFile = ""
LicenseKey = ""
DisableLocalXServer = false
DebugLocalXServer = false
IsProxied = false
DenyStreamURLs = []

[YoutubeDL]
  BufferSize = 524288
  MaxDownloadSize = 419430400
  MaxDownloadRate = 104857600

[TS3]
  AvatarMaxWidth = 0
  AvatarMaxHeight = 0

[StreamRewrites]

[Scripts]
  AllowReload = true

[SpeechRecognition]
  Enable = false
 

Moe

Member
I also use a Certificate from LetsEncrypt (on Nginx as Webserver).
My configuration works fine; I think you should point to cert.pem instead of fullchain.pem.

Code:
UseSSL = true
SSLKeyFile = "/opt/ts3bot/ssl/privkey.pem"
SSLCertFile = "/opt/ts3bot/ssl/cert.pem"
 

kanalumaddela

Insider
> I also use a Certificate from LetsEncrypt (on Nginx as Webserver).
> My configuration works fine; I think you should point to cert.pem instead of fullchain.pem.
>
> Code:
> UseSSL = true
> SSLKeyFile = "/opt/ts3bot/ssl/privkey.pem"
> SSLCertFile = "/opt/ts3bot/ssl/cert.pem"

I should've marked this as solved, but this also serves as a guide to set up SSL :p. Why should I use cert.pem instead of fullchain.pem?
 

Moe

Member
Oh sorry, I thought your problem still exists.
The difference is that fullchain consists of cert.pem and chain.pem instead of just the certificate as needed by Sinusbot.
Yeah, both files should work just fine.
 

JunTVDE

Member
Hi,
I set my bot on SSL a few months ago and all worked fine, until now.
Now I get an HSTS, because Chrome doesn't like HSTS. How can I fix this?
 