Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Let’s Encrypt Domino Early Access V12 in production

Daniel Nashed  10 October 2020 23:03:49

We got the first two code drops for the early access program.
The October code drop show be available soon. With new features ..
This is a great opportunity for an early look and to provide feedback.

And you can leverage the Let's Encrypt functionality on an internal test server connected to your production server today!
Let me show you how it just did it on my existing production server running.
The scenario is supported and documented as one of the current preview deployment scenarios.
Your existing server just needs the DSAPI filter copied from your Domino V12 server.
If you are working with Windows on your existing servers, HCL could provide a Windows version as well.


Here are the basic steps and I added a simple agent for automatically remote deploying the kyr/sth file.

The DSAPI intercepts the Challenge requests and replies with the challenge stored in certstore.nsf.
So your CertMgr Server running Domino V12 does not need to be exposed to the internet).
This will work on any machine that can connect to your existing server over NRPC.


Copy DSAPI from Container to local disk

docker cp domino12:/opt/hcl/domino/notes/latest/linux/libcertmgrdsapi.so .

Transfer DSAPI to existing machine
  • upload file via ssh/winscp/MobaXterm etc
  • cp /home/notes/libcertmgrdsapi.so /opt/ibm/domino/notes/latest/linux
  • chmod 755 /opt/ibm/domino/notes/latest/linux/libcertmgrdsapi.so

Add DSAPI to internet sites/server doc and restart HTTP

You should see the following line when it is loads:

29.08.2020 08:24:58   CertMgr: CertMgr / ACME & Let's Encrypt DSAPI

Point certmgr to your existing server
  • Create a certstore.nsf replica on your existing server
  • Set notes.ini on your Domino V12 server e.g. certmgr_server=notes.nashcom.de to point to your existing server.
    (don't be confused this is really the CN of my Server --> notes.nashcom.de/Srv/NashCom-Net.  -- to avoid DNS issues)
  • Restart of the certmgr server task. From there on certmgr only looks into this database for requests/challenges etc

Create a new request for your existing server and let certmgr process it.


Image:Let’s Encrypt Domino Early Access V12 in production

Deploy the kyr file

Certmgr automatically deploys kyr files only on the CertMgr machine.
In future Domino V12 servers should not need a kyr file. So deployment would be reading certs from the keyfile document directly.

But for your convenience you could my small agent, with uploads the kyr file to the current server for now.
Actually it is one trigger agent and a small run on server agent to deploy the kyr/sth files (see below).

You just run it and restart your HTTP task to have your new certificate ready:

./check_cert.sh notes.nashcom.de

DNS-Names   : blog.nashcom.de mail.nashcom.de notes.nashcom.de www.nashcom.de
Common Name : notes.nashcom.de
Expiration  : 2020-11-27 05:35:05 UTC
Days valid  : 89
Subject     : /CN=notes.nashcom.de
Issuer      : /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
PubKeyAlg   : rsaEncryption
PubKeySize  : 4096 bit
Sign Alg    : sha256WithRSAEncryption
Curve       :
OCSP URI    : http://ocsp.int-x3.letsencrypt.org

StatusCode  : 0
StatusText  : ok



Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]