New Nomad Server features -- ACME HTTP-01 challenge support & HTTP redirects via port 9080
Daniel Nashed – 6 July 2024 09:34:50
There are two new features in the latest Nomad Server versions, introduced to Nomad Server without much notice.
I just got a question from a partner about why Nomad Server now binds port 9080 in addition to port 9443 and the internal communication port (loopback only).
The port might be used by other applications like IBM Spectrum Protect (TDP) -- which was the problem in this customer case.
It turns out the TDP Java-based restore GUI does not work alongside Nomad Server without changing or disabling the port.
Nomad Server listens on port 9080 by default for HTTP redirects
The port is intended to redirect HTTP requests to HTTPS and is an additional functionality not directly needed by Nomad Server.
I would have preferred this configuration to be disabled by default and only enabled if needed.
It would need additional configuration anyway, because it is mainly intended to be used behind a reverse proxy.
The port can be changed, or the redirect listener can be disabled completely by setting the port to 0.
For details check this documentation link:
https://help.hcltechsw.com/nomad/1.0_admin/config_options.html
Nomad Server can respond to Domino CertMgr ACME HTTP-01 challenges
In a configuration where CertMgr runs behind a Nomad Server and no HTTP requests (or HTTP-to-HTTPS redirects) are otherwise possible, the Nomad Server can handle ACME HTTP-01 challenges directly.
This configuration does not even need the HTTP task running on the Domino server. The Nomad Server reads the challenge response directly from certstore.nsf.
Testing the configuration
There is an example using the CertMgr diagnostic challenge described here --> http://opensource.hcltechsw.com/domino-cert-manager/troubleshooting_acme_challenges/
After adding the challenge to certstore.nsf manually, the challenge can be checked with a curl command or any other tool (e.g. a web browser).
curl -L -v http://127.0.0.1:9080/.well-known/acme-challenge/DOMINO-CertMgr-DiagChallenge-HTTP01
* Trying 127.0.0.1:9080...
* Connected to 127.0.0.1 (127.0.0.1) port 9080
> GET /.well-known/acme-challenge/DOMINO-CertMgr-DiagChallenge-HTTP01 HTTP/1.1
> Host: 127.0.0.1:9080
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Date: Fri, 05 Jul 2024 12:14:54 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Transfer-Encoding: chunked
<
DOMINO-ACME-PROTOCOL-CHALLENGE-DATA-OK* Connection #0 to host 127.0.0.1 left intact
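The curl check above is a one-off. For the two behaviours described in this post (ordinary paths on port 9080 get redirected to HTTPS, the ACME challenge path is answered directly from certstore.nsf), here is a small probe script as an added example. It is not code from the post, from HCL or from Nomad Server; it assumes the host, port and token are passed in by you, uses the diagnostic token and response body from the curl trace above as defaults, and treats a 3xx status with an https:// Location on the same host as a correct redirect. The evaluation functions are separated from the network calls so they can be checked against constructed responses.

```python
"""Added example: probe a Nomad Server's plain-HTTP listener (default 9080).

Checks two things the post describes:
  1. a non-ACME path is redirected to HTTPS (the port is only a redirector)
  2. /.well-known/acme-challenge/<token> is served directly with the expected body
Host, port, token and the redirect policy are assumptions of this example.
"""
import http.client
import socket
import sys
from urllib.parse import urlparse

ACME_PREFIX = "/.well-known/acme-challenge/"
# Diagnostic token and expected body as they appear in the post's curl trace.
DIAG_TOKEN = "DOMINO-CertMgr-DiagChallenge-HTTP01"
DIAG_EXPECTED = b"DOMINO-ACME-PROTOCOL-CHALLENGE-DATA-OK"


def evaluate_redirect(status, headers, request_host):
    """Return (ok, reason) for a response to a non-ACME path on the HTTP port.

    A redirect-only listener answers 3xx with an https:// Location pointing at
    the same host. Anything else means the plain-HTTP port is serving content
    it should not, is not redirecting, or is sending clients somewhere else.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not 300 <= status < 400:
        return False, f"expected 3xx redirect, got {status}"
    location = lower.get("location")
    if not location:
        return False, "3xx response without Location header"
    target = urlparse(location)
    if target.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if target.hostname and target.hostname.lower() != request_host.lower():
        return False, f"redirect leaves host {request_host}: {location}"
    return True, location


def evaluate_challenge(status, body, expected):
    """Return (ok, reason) for the ACME challenge path.

    The challenge must be answered directly with 200 and the expected bytes;
    an ACME CA compares the body byte for byte, ignoring trailing whitespace.
    """
    if status != 200:
        return False, f"expected 200, got {status}"
    if body.rstrip() != expected.rstrip():
        return False, f"body mismatch: {body[:60]!r}"
    return True, "challenge body matches"


def port_is_open(host, port, timeout=2.0):
    """TCP connect test: is *something* listening there? This is the first
    check when another product (the post mentions the TDP restore GUI) wants
    the same port; it does not tell you which process owns it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _get(host, port, path, timeout=5.0):
    """Plain-HTTP GET that does NOT follow redirects; returns (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "nomad-9080-check"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def probe(host="127.0.0.1", port=9080, token=DIAG_TOKEN, expected=DIAG_EXPECTED):
    """Run both checks against a live listener and return the results as a dict."""
    results = {"port_open": port_is_open(host, port)}
    if not results["port_open"]:
        return results  # port 0 in the Nomad config, or nothing bound: nothing more to test
    status, headers, _ = _get(host, port, "/")
    results["redirect"] = evaluate_redirect(status, headers, host)
    status, _, body = _get(host, port, ACME_PREFIX + token)
    results["challenge"] = evaluate_challenge(status, body, expected)
    return results


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, value in probe(target_host).items():
        print(f"{name}: {value}")
```

Run it as `python3 nomad_9080_check.py nomad.example.com` after adding the diagnostic challenge to certstore.nsf as described in the linked troubleshooting page. A failed `redirect` check with a 200 status means the plain-HTTP port is serving more than it should; a failed `challenge` check with a 3xx means the challenge path is being redirected instead of answered, which is exactly the case the direct-response feature exists for when no HTTP task is running on the Domino server.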