fighting for truth, justice, and a kick-butt lotus notes experience.

Announcing - Lets Encrypt for Domino - Just Do SSL

 August 23 2017 02:16:43 PM
To enable HTTPS on your website, you need to get a certificate from a public Certificate Authority (CA). Let’s Encrypt is such a CA, which offers free trusted certificates. The only limit is that the certificates expire after 90 days. But you can renew them as often as you like.

There are several clients around to retrieve a certificate from Let’s Encrypt. But none of them offer a consistent way to automate the process, when using Domino as your HTTP-Server. Either the client tool is only available for Linux, or you have to install additional Perl/Python interpreter on your Domino server machine to run scripts. And then there is the Domino properitary keystore format :-(

We at midpoints were looking for a solution to get Let’s Encrypt certificates working together with Domino as close and automated as possible.
So we started the midpoints Let’s Encrypt 4 Domino project for internal use.

Let’s Encrypt for Domino == Let’s Encrypt 4 Domino == LE4D (spoken as lead)


After we got it working, we decided to make the tool available for free, because the Let's Encrypt certs are for free and so midpoints LE4D should be free, too. SSL is important and you should use it.

Yes, you can get  it for free!

Image:Announcing - Lets Encrypt for Domino - Just Do SSL

What midpoints LE4D will do in detail?

The short answer - A lot!

In more details:

- Creates a Let's Encrypt User and Domain Keys
- Creates and puts Let's Encrypt Challenge on your server
- Creates and sends the Signing Request CSR to Let's Encrypt
- Downloads the certificate
- Downloads the Key Chain
- Generates the Domino Key Ring files using the IBM KYRTOOL
- Merges the certificates and chain into the Key Ring
- Backups the generated certificates
- Restarts the HTTP Task
- Periodic Renewal of certificates, when needed

All you will need is our midpoints LE4D template.
Create a new application from the template, create a configuration for your domain and start an agent ( the agent can later be started on a scheduled basis using a program document to renew the certificates).


Interested? Then get your copy of midpoints LE4D today for FREE.

https://www.midpoints.de/LE4D


Ulrich Krause aka eknori and myself digged into the Let's Encrypt API to make LE4D possible. Thank you Ulrich that we together got it working!

And we would like to thank Let's Encrypt and the Let's Encrypt community to provide their great Let's Encrypt Cert service.

Kommentare

1Darren Duke  08/23/2017 8:03:48 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Great stuff. I'll now shelve my development of such a solution....and I'm pretty sure I'm not alone in this.

Again, great stuff.

2Detlev Poettgen  08/23/2017 8:08:39 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Thx Darren.

3Lars Berntrop-Bos  08/23/2017 10:47:45 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Thanks!!

4Fredrik Norling  08/24/2017 6:13:03 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

Great work, thanks

5Bob Voith  08/24/2017 6:37:35 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

Fantastic, generous, thanks!!

6Manfred Dillmann  08/24/2017 8:54:11 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

Das ist klasse!

Vielen Dank Detlev und Ulrich!

Gruß

Manfred

7Henning Schmidt  08/24/2017 1:22:10 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Awesome stuff Detlev! Comes in handy since my certificates are about to expire and I was thinking about Let's Encrypt. Perfect timing :-)

8Rene Thorarinsson  08/25/2017 6:25:08 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

Wow Awesome stuff.. The manual job of creating and merging keys into a keyring file og very troublesome - even when you follow Gaby's documentation, so this is GREAT.. Thanks..

9Ensar Yilmaz  08/28/2017 4:55:02 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Great Tool. Works perfect for me!

Thank you very much!

10Andy Brunner  09/10/2017 2:24:34 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Great tool. Thanks a lot for sharing it with us!

P.S. Works fine even on partitioned Domino servers.

Regards

Andy Brunner

11Per Christensen  09/21/2017 9:58:01 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Hi,

Nice LE4D application - all seems great, except when running the 'letsencrypt' agent, i get the following java error message:

Agent Manager: Agent error: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: IBMJSSE2, class: com.ibm.jsse2.ah)

Can you help to make the agent run.

Regards

Per Christensen

12Detlev Poettgen  09/22/2017 8:40:50 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

Hello Per,

I just send you an email.

13Lutz Geschinsky  09/28/2017 6:34:59 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Hallo,

vielen Dank,

super Lösung!

14Djuro  12/11/2017 2:10:15 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Just what I needed.

vielen Dank!

But I get an java errors:

AMgr: Start executing agent 'letsencrypt' in 'le4d.nsf'

Agent Manager: Agent error: java.net.ConnectException: Connection timed out: connect

Agent Manager: Agent error: at java.net.DualStackPlainSocketImpl.connect0(Native Method)

Agent Manager: Agent error: at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.ja

etc

Any suggestion?

15Djuro  12/12/2017 1:57:57 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Thanks Ulrich for helping me with the java errors.

Weltklasse !

16Dietmar Dumke  01/16/2018 10:42:42 AM  Also timeout

I also experience the agent returns "timeout" after some time. What exactly is the agent trying to connect?

17Wim Savenberg  02/19/2018 8:45:41 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Does it work both on Windows & Linux ?

18Detlev Poettgen  02/20/2018 7:22:24 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Yes, LE4D supports Windows and Linux.

19Ensar Yilmaz  02/23/2018 4:28:05 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

It worked for me but since a few days i see the following in log file:

Agent Manager: Agent error: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found

Do you have any idea how to solve this issue?

Thank you!

20Detlev Poettgen  02/23/2018 7:44:54 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

you will have to import the Let's Encrypt Root certificates into the Domino JVM keystore.

Maybe the installation of the latest Fix/Feature Pack had overwritten the cacerts file.

Take a look at:

http://www-01.ibm.com/support/docview.wss?uid=swg21588966

Chapter B. Import the SSL certifier into the JVM.

https://letsencrypt.org/certificates/

21Dominique  03/31/2020 10:42:53 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

I am trying your tool and may have missed some configuration. I received a PENDING status message.

Could point me where to check ?

2020-03-31 12:27:52 INFO LE4D - midpoints LE4D (c) 2017 - 2020, V 2.2.0_20190930

2020-03-31 12:27:52 INFO LE4D - Logging events and errors to: 'C:\Program Files\HCL\Domino\Data\MIDPOINTS_TECHNICAL_SUPPORT\le4d\le4d.log'

2020-03-31 12:27:52 INFO LE4D - Processing configuration document: 'F290C24E59939E5DC1258539005278BB'.

2020-03-31 12:27:52 INFO LE4D - Using Html directory: domino/html

2020-03-31 12:27:52 INFO LE4D - Running in staging mode

2020-03-31 12:27:52 INFO LE4D - Requesting certificates.

2020-03-31 12:27:52 INFO LE4D - Writing file: 'C:\Program Files\HCL\Domino\le4d-workdir\F290C24E59939E5DC1258539005278BB\user.key'

2020-03-31 12:27:52 INFO LE4D - Session URL: acme://letsencrypt.org/staging

2020-03-31 12:27:55 INFO LE4D - Writing file: 'C:\Program Files\HCL\Domino\le4d-workdir\F290C24E59939E5DC1258539005278BB\domain.key'

2020-03-31 12:27:55 INFO LE4D - Creating challenge file for domain 'stcommunity.lab.com'.

2020-03-31 12:27:56 INFO LE4D - ... challenge: C:\Program Files\HCL\Domino\Data\domino/html\.well-known\acme-challenge\8vIIK1YxVnU336cOYIYrsEWBKZ-IpuYMQBz3mUwtLS0

2020-03-31 12:29:04 INFO LE4D - auth.getStatus(): 'PENDING'

2020-03-31 12:29:04 INFO LE4D - Downloading certificate

2020-03-31 12:29:04 ERROR LE4D - org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization

2020-03-31 12:29:04 INFO LE4D - OUPS!! Something went wrong!

2020-03-31 12:29:04 INFO LE4D - midpoints LE4D finished!

22Henk  05/08/2021 4:58:14 PM  Announcing - Lets Encrypt for Domino - Just Do SSL

Hi all, I have the same issue as the latest comment in 2020.

getStatus is "PENDING" and after that i get the message "Order's status ("invalid")..."

Post 80 is open, the ./well-known directory with content is created.

Running Domino 11.0.1 on Linux and all certs available in "cacerts".

I'm stuck here... Appreciate the help :)

Full message below:

Last run: 8-mei-2021 18:52:04

midpoints LE4D (c) 2017 - 2021, V 2.2.0_20190930

Logging events and errors to: '/local/notesdata/MIDPOINTS_TECHNICAL_SUPPORT/le4d/le4d.log'

Processing configuration document: '6921C38E87707760C12586CF00528463'.

Using Html directory: domino/html/website

Running in staging mode

Requesting certificates.

Writing file: '/local/notesdata/le4d/workdir/6921C38E87707760C12586CF00528463/user.key'

Session URL: acme://letsencrypt.org/staging

Writing file: '/local/notesdata/le4d/workdir/6921C38E87707760C12586CF00528463/domain.key'

Creating challenge file for domain 'www.abbrevia.nl'.

... challenge: /local/notesdata/domino/html/website/.well-known/acme-challenge/vY_dwMgoezPlFFd5IwL9-ejBFKY8DZB61BieaY8LYXE

auth.getStatus(): 'PENDING'

Downloading certificate

Order's status ("invalid") is not acceptable for finalization

OUPS!! Something went wrong!

23Henk  05/09/2021 9:15:14 AM  Announcing - Lets Encrypt for Domino - Just Do SSL

Forget my last post, it works perfectly.

On server document, Internet ports -> web port 80 was redirecting to ssl. This is not correct when you create a certificate for the first time.

Thans again for this super tool.

  •  
  • Hinweis zum Datenschutz und Datennutzung:
    Bitte lesen Sie unseren Hinweis zum Datenschutz bevor Sie hier einen Kommentar erstellen.
    Zur Erstellung eines Kommentar werden folgende Daten benötigt:
    - Name
    - Mailadresse
    Der Name kann auch ein Nickname/Pseudonym sein und wird hier auf diesem Blog zu Ihrem Kommentar angezeigt. Die Email-Adresse dient im Fall einer inhaltlichen Unklarheit Ihres Kommentars für persönliche Rückfragen durch mich, Detlev Pöttgen.
    Sowohl Ihr Name als auch Ihre Mailadresse werden nicht für andere Zwecke (Stichwort: Werbung) verwendet und auch nicht an Dritte übermittelt.
    Ihr Kommentar inkl. Ihrer übermittelten Kontaktdaten kann jederzeit auf Ihren Wunsch hin wieder gelöscht werden. Senden Sie in diesem Fall bitte eine Mail an blog(a)poettgen(punkt)eu

  • Note on data protection and data usage:
    Please read our Notes on Data Protection before posting a comment here.
    The following data is required to create a comment:
    - Name
    - Mail address
    The name can also be a nickname/pseudonym and will be displayed here on this blog with your comment. The email address will be used for personal questions by me, Detlev Pöttgen, in the event that the content of your comment is unclear.
    Neither your name nor your e-mail address will be used for any other purposes (like advertising) and will not be passed on to third parties.
    Your comment including your transmitted contact data can be deleted at any time on your request. In this case please send an email to blog(a)poettgen(dot)eu

Archive