Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Domino V12 Let’s Enrypt DNS-01 Challenges delegating a sub-domain to Digital Ocean

Daniel Nashed  24 January 2021 16:45:43

Domino V12 Beta 1 supports DNS-01 challenge validation for Let's Encrypt and other ACME providers.

The beta ships with two providers available in DXL file ready to import (the DXL file can be found in the Beta form).

The beta forum contains a DXL file with 1. Cloudflare Inc and 2. Hetzner GmbH (a German provider) API as reference implementations.

I took the configuration as a reference and implemented a Digital Ocean configuration.
This option turns out a free solution which is very convenient for testing.

Delegate a sub domain via NS records

For my tests I delegated a sub-domain of an existing domain at another provider to Digital Ocean.

To delegate a sub-domain I just created Name Server (NS) records pointing to Digital Ocean.



In the next step I just added the sub-domain to my Digital Ocean account.

Having this in place, I can now use the Digital Ocean DNS API to write DNS TXT records to validate DNS-01 challenges for Let's Encrypt/ACME.

The DNS sub-domain delegation ensures the DNS servers at Digital Ocean are responsible for DNS requests for the sub-domain.

CertMgr DNS Provider Configuration

I have created a new configuration using the HTTP Request with @Formulas listed below.

Now I can define a registered domain leveraging my configuration.

The DNS Provider Configuration is pretty straightforward. You just need to configure a ADD and a DELETE operation in this case.

The authorization token you generate at the Digital Ocean account is the only parameter you have to set, beside the registered domain.

Having this configuration in place, you can immediately start registering certificates using any type of ACME provider.

TLS Credentials
Status: Issued  
Domino Server Names:
Status: Valid
Certificate Expiration: Sat 24.04.2021 17:41:26
Certificate Renew Date: Thu 25.03.2021 16:41:26
Certificate Provider: ACME
ACME Account: LetsEncryptStaging
Certificate Authority:
Key Type: ECDSA
Curve Name: NIST P-384


While developing a new provider configuration, there are 3 options, which are helpful.

1. The "Test Formula" action helps you to simulate the results

2. The "Insert Field" action allows to insert any of the standard fields without looking them up or typing them

3. The DNS Provider Trace option shows all input data and output results to help figuring out the right parameters.

For example in this case the "" field contains the DNS record ID returned by the ADD operation.

This field is used in the DELETE operation to identify the created DNS TXT record.

Here is my working Digital Ocean configuration at a glance showing both documents (config and account for my sub-domain).

-- Daniel

DNS Provider Account
Registered Domain:
Account Name: @ DigitalOcean
Status: Enabled  
DNS Provider Configuration: DigitalOcean  
Configuration Values
DNS Zone:
email Address:
Authorization Key:
Authorization Token: 77931d012b385ed4def25412981d33a33be65a553d373c65a61196e5c170xxx *)

*) No this is not my real token.


DNS Provider Configuration
Type: HTTP Request
Status Formula: @if ( != ""; 200; 400)
Request URL:
DnsProviderDelay 42
HTTP Request Tracing: Enabled  
HTTP Add Request
Request Type: POST
URL Formula: cfg_URL + "/" + param_RegisteredDomain +"/records"
Header Formula: ( "Content-Type: application/json" ) : ("Authorization: Bearer " + cfg_AuthToken )
Post Data Formula: '{"type":"TXT","name":"' + param_DnsTxtName+ '.","data":"' + param_DnsTxtValue + '","ttl":30}'
HTTP Delete Request
Request Type: DELETE
URL Formula: ID_TXT:@Text(; @if (ID_TXT= ""; ""; cfg_URL + "/" + param_RegisteredDomain + "/records/" + ID_TXT)
Header Formula: ( "Content-Type: application/json" ) : ("Authorization: Bearer " + cfg_AuthToken )
Post Data Formula:

No Comments Found



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]