Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Using ACME HTTP-01 Challenges redirected to other servers

Daniel Nashed – 30 July 2021 21:13:31
The ACME protocol and Let's Encrypt are pretty flexible and follow rules of standard HTTP requests.

The following would help you if you are running a Domino V12 server which is not connected to the internet itself.
Or running on an OS where the DSAPI filter to confirm the HTTP-01 is not available like AIX or OS400.

You can let another server -- like the CertMgr server -- confirm the challenge for you.

CertMgr stores the challenge inside certstore.nsf. By design all servers receiving the challenge will lookup the challenge received in certstore.nsf on the CertMgr server.
This design is used to ensure all servers the requested HTTP-01 points to, need to be able to confirm the challenge (DNS entries or load balancers pointing to multiple servers).

Taking this concept you can let any server reply to the challenge by generating a redirect for the /.well-known/acme-challenge/* URL for your server.

If your are using internet sites this would work with a simple redirect rule as shown below.
I have just tested it with a HTTP-01 challenge with Let's Encrypt and it works like a charm.

Let's Encrypt will just follow the redirect and ask for the challenge in the new location.

-- Daniel

 
  Web Site Rule
 

Basics
Description: ACME Challenge redirect
Type of rule: Redirection
Incoming URL pattern: /.well-known/acme-challenge/*
Redirect to this URL: http://validation.acme.com/.well-known/acme-challenge/*
Send 301 Redirect:  



Administration
Owners: Daniel Nashed/NashCom/DE
Administrators: Daniel Nashed/NashCom/DE
Last updated: 30.07.2021 23:13:11 Daniel Nashed/NashCom/DE





Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]