Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Blog Certificate updated and Let’s Encrypt Update

Daniel Nashed  8 August 2017 11:30:13
My certificate expired after 90 days because I did not track it. And the Let's Encrypt original client configuration did not work any more when I was looking into renewal today.
The client was Python based and there is a newer client --> https://certbot.eff.org/ which is officially recommended by Let's Encrypt.

It's still complicated to use and you need to have Python installed.
But since I first implemented it there are many other ACME clients that properly integrate with Let's Encrypt -> https://letsencrypt.org/docs/client-options/.
There are even two simple shell script based clients which both do not require root permission and work in combination with Domino.

I have installed the "getssl" script (https://github.com/srvrco/getssl) and it was quite easy to implement, even for a server with multiple certificates (SAN cert).

And I also updated my shell script to automatically generate a Domino keyring file now with the getssl script.
But it still needs a manual restart of all servertasks that use the certificate. So it is not a completely automated process yet.

The gettssl script works with the Domino html root and port 80.  
With some additional checks I could potentially automate certificate updates on my server completely.
For now there is a manual step required.

Is anyone using Let's Encrypt Certificates with Domino? Which ACME client are you using?

Let's Encrypt Certificates are a good alternative if certificate updates would be automatically installed.
Right now it's a simple shell script. I could polish it and make it available if there is demand for it.

What do you think? Any feedback is welcome!

-- Daniel



Comments

1Bernd Steidele  08.08.2017 13:23:56  Blog Certificate updated and Let’s Encrypt Update

Hi Daniel,

I saw a discussion here -> https://atnotes.de/index.php/topic,61007.0.html

2Oliver Busse  08.08.2017 13:25:19  Blog Certificate updated and Let’s Encrypt Update

I have 16 days left to update my LE cert, so I 'd greatl appreciate a script that does the work for me - to do it manually is not efficient and I always have to look up the tutorial I always used: https://blogs.gwbasics.be/blog.nsf/dx/lets-encrypt-tls-certificate-in-domino.htm?opendocument&comments

3Detlev Poettgen  08.08.2017 14:57:52  Blog Certificate updated and Let’s Encrypt Update

Hi Daniel,

I am just working on a simple Notes App, which will include a simple UI to configure the hostnames, pathes and so on needed for LetsEncrypt.

The App will include an periodic agent which will do the renew and http-task restart automatically.

Plan is to support Linux and Windows.

I hope to have it ready end of this week.

4Ursus Schneider  08.08.2017 16:22:08  Blog Certificate updated and Let’s Encrypt Update

Hi Daniel

I too have installed a LE cert and would love a script to automatically update for me. I did everything by hand - setting up the keyring file was a pain... am not looking forward to doing that again in 2 months :o(

5Mike Ipkendanz  08.08.2017 16:40:23  Blog Certificate updated and Let’s Encrypt Update

Hello, a finished script or a Notes app sounds fantastic. I'm looking forward to being a beta tester.

6Daniel Nashed  08.08.2017 19:15:06  Blog Certificate updated and Let’s Encrypt Update

Just emailed with Detlev. I think his application is a good idea.

Meanwhile there are libs for different languages like Java.

When I started to look into it on my server it was almost Python only.

The Java implementation gives a lot of flexibility configuring it in an application.

Using a Notes app for the UI makes a lot of sense.

My script is a simple approach that still needs to configure the ACME client for each domain.

So we should wait for Detlev's application :-)

We should ask IBM again if we can get keyring files refreshed without restarting the processes like HTTP and SMTP.

I had a discussion about it a while ago at IBM Connect.

That would make it even more seamless.

Invoking the kyrtool is quite easy by the way. For curiousity I can still post my script and explain what it does.

And I could also post a sample getssl script configuration based on my configuration for everyone who want to get started with a script based solution.

But now that Detlev implements it as a Notes database it does not make much sense to spend much time on polishing my script for general use.

-- Daniel

-- Daniel

7Stephan Wissel  09.08.2017 7:36:32  Blog Certificate updated and Let’s Encrypt Update

With an app as a front-end, you could entertain a scheduled agent to run the upgrade and then use that to restart the tasks by sending console commands. Should lead to full automation

8Karsten Lehmann  09.08.2017 8:35:46  Blog Certificate updated and Let’s Encrypt Update

I created a Java based solution to renew the certificate as an OSGi plugin a while ago, but that had certificate issues (I think an intermediate cert was missing) and I was struggling to make it work on Linux. Never got production quality to share it.

We are now using nginx as http/mail proxy in front of Domino and LE's standard shell script in a cron job. An additional benefit is load balancing / failover for the website between two Domino cluster servers.

Mail was a bit hard to configure since Domino does not support the XCLIENT directive in order to forward the connecting mail server from the proxy server to Domino, but Daniel added support for XCLIENT to Spamgeek which we have been using for years. Now Spamgeek is able to detect spam servers even when running behind nginx.

Another thing required is a servlet on the Domino servers that can be used for the nginx auth check.

I published the one we are using here:

https://github.com/klehmann/domino-nginx-auth

It basically implements the nginx auth protocol which lets nginx validate user credentials when clients send emails via SMTP auth or use IMAP.

9John Dalsgaard  15.08.2017 12:48:07  Blog Certificate updated and Let’s Encrypt Update

Hi Daniel

I have just secured all my Domino (and Wordpress) based sites using Let's Encrypt :-)

I have a proxy server (NginX) in front of all the sites that handles all the SSL. I used certbot to set up the new certs and have created a scheduled cron job to renew the certs (test indicates that it will work when they become more than 2 months old).

With the slugishness from IBM of implementing modern webserver technologies on Domino I have decided to handle all the important things in NginX.

/John

10Friedhelm Klein  17.08.2017 17:20:58  Blog Certificate updated and Let’s Encrypt Update

Hi Daniel,

I use certbot with two simple scripts. first ist run as root, second one will then be dispatched in the notes user context:

---letsencryptauto.sh---

#!/bin/sh

if [ -z "$1" ]; then

echo "Usage: letencrypt-auto <DomainName>"

exit 1

fi

/root/certbot-auto renew

cp -f /etc/letsencrypt/live/$1/*.pem /home/notes

chown notes:notes /home/notes/*.pem

chmod 660 /home/notes/*.pem

cd /home/notes

su - notes -c "/home/notes/makekyrfile.sh $1"

---letsencryptauto.sh---

---makekyrfile.sh---

#!/bin/sh

/opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini create -k /home/notes/$1.kyr -p mypassword

/opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini import keys -k /home/notes/$1.kyr -i /home/notes/privkey.pem -n $1

/opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini import roots -k /home/notes/$1.kyr -i /home/notes/chain.pem

/opt/ibm/domino/bin/tools/startup kyrtool =/local/notesdata/notes.ini import certs -k /home/notes/$1.kyr -i /home/notes/cert.pem

rm -f /home/notes/*.pem

rm -f /local/notesdata/$1.*

mv $1.* /local/notesdata/

cd /local/notesdata

/opt/ibm/domino/bin/server -c "restart task http"

---makekyrfile.sh---


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]