Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Domino 12.0.2 One Touch setup with Let’s Encrypt certificates

Daniel Nashed  14 September 2022 21:50:33

One Touch setup (OTS) is quite powerful tool. But sometimes you need to know exactly what happens and combine functionality to make best use of it.
With Domino 12.0.2 OTS creates certstore.nsf automatically and you can let it create a MicroCA for you.
That's a standard flow in Domino 12.0.2 and easy to configure. Below you find the minimum configuration, which generates a RSA 4096 key.
There are additional settings to use a ECDSA key instead for example.


   "security": {
      "ACL": {
        "prohibitAnonymousAccess": true,
        "addLocalDomainAdmins": true
      },
      "TLSSetup": {
        "method": "dominoMicroCA"
      }
    }
  },


When the server is configured OTS invokes CertMgr for you to create the MicroCA and the certificate with 1 year expiration.
This MicroCA cert is only intended for testing and to have a safe server configuration out of the box.

But what if you want to use a Let's Encrypt certificate instead?

There is a quite simple way to just find and update the existing document with a appConfiguration.
And if you specify notes.ini CertMgr_ACCEPT_TOU=1 the ACME account license agreement will be automatically accepted (already part of 12.0.0).
The following JSON takes the existing document and just updates it to use Let's Encrypt (in my case the Staging account) and submits the request.

CertMgr will handle the quest and the TLS Cache will be updated immediately when the certificate is stored in certstore.nsf.

In case the Let's Encrypt request fails, the TLS Cache still holds the MicroCA certificate. The request is in error state, but the certificate is still valid.
This is intended by design to prevent automatic certificate request updates to fail existing services. The status of the document is running into an error, but the existing certificate is still used.
Having Let's Encrypt a standard OTS configuration might not help in many customer environments. So having it configured this way, will help admins who really know that their environment is properly configured for inbound HTTP-01 ACME challenges.
Making it a general feature would probably cause a lot of support calls.
Even reading this living troubleshooting doc should already help to understand why HTTP-01 ACME challenges are sometimes failing -->
https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/docs/troubleshooting_acme_challenges.md

I hope this gives you additional ideas for OTS in your deployments.
-- Daniel

 "notesINI": {
      "CertMgr_ACCEPT_TOU": "1",
...

  "appConfiguration": {

    "databases": [

      {
        "filePath": "certstore.nsf",
        "action": "update",
        "documents": [
          {
            "action": "update",
            "computeWithForm": true,
            "findDocument": {
              "Form": "KeyFile"
            },
            "items": {
              "Status"      : "O",
              "Provider"    : "A",
              "AcmeAccount" : "LetsEncryptStaging"
            }
          }
        ]
      },
...

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]