HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

212 VOTE
Status Shipped
Workspace Domino
Created by Guest
Created on Jul 14, 2018

Include Support for Let's Encrypt

see https://midpoints.de/de-solutions-LE4D

  • Guest
    Mar 16, 2021

    Let's Encrypt integration is available since the first code drop of Domino V12.

    And in Beta2 DNS-01 challenges have been added.


    CertMgr is the new task in Domino V12 for certificate management.

    And certstore.nsf is the domain-wide database to store them encrypted for servers with access.


    The DNS-01 challenges come with options to integrate with DNS providers.

    Out of the box there are two reference implementations for Cloudflare (US) and Hetzner (DE).


    I have personally built a couple of integrations using the REST approach with @Formulas and integrated HTTP requests. And I have my own ACME DNS server running as well.


    If you are looking for current information check my blog for details.


    They can be exported and imported via DXL and most REST interfaces will be straight forward.


    If that isn't working, you can also write an agent to perform the integration.

    This is much easier than what acme.sh provides.


    Have a look into the existing beta 2. And stay tuned for Beta 3.


    [ Daniel Nashed / HCL Lifetime Ambassador ]

    https://blog.nashcom.de




  • Guest
    Jan 24, 2021

    If you are interested in this feature, you should take a look at Domino V12 Beta1.

    Let's Encrypt functionality is available since the first code drop.


    DNS-01 Challenges have been added for Beta1 with a very flexible interface.

    Take a look into the Beta forum or check my current blog post for details.


    Here is an example of an implementation of a DNS provider configuration with some details.


    [ Daniel Nashed / https://blog.nashcom.de ]


    https://blog.nashcom.de/nashcomblog.nsf/dx/domino-v12-lets-enrypt-dns-01-challenges-delegating-a-sub-domain-to-digital-ocean.htm

  • Guest
    Oct 19, 2020

    Hello Thomas,

    I already saw the built-in feature in Domino 12 Early Access ( https://help.hcltechsw.com/domino/earlyaccess/secu_le_certificate_request_flow.html ), but it seems to lack the ability to use the DNS-01 Challenge Method ( https://letsencrypt.org/de/docs/challenge-types/ ). I know that it is difficult to support every DNS-"Vendors" API to be able to automatically create the TXT-Record needed to comply with the DNS-challenge, that's why I was pointing out to the acme.sh Script that supports quite many DNS-Vendors using their respective API-Calls.

    Best Regards,

    Patrick
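Whichever DNS vendor API is used, the record that Patrick asks about above, and that the DNS provider integrations Daniel Nashed describes in his Mar 16, 2021 reply have to publish, is fixed by RFC 8555 §8.4 and not by the vendor: a TXT record at `_acme-challenge.<identifier>` whose value is base64url(SHA-256(token "." account-key-thumbprint)). The script below is an added example, not code from this page, from HCL's CertMgr or from acme.sh. It assumes you already hold the challenge token the CA returned and the RFC 7638 thumbprint of your ACME account key (the demo values at the bottom are constructed), and that `openssl` is installed; the optional `dns01_is_published` check additionally needs `dig` and network access.

```shell
#!/bin/sh
# Added example; not code from the page, from HCL CertMgr or from acme.sh.
# Derives the DNS-01 record an ACME client has to publish (RFC 8555 §8.4):
#   _acme-challenge.<identifier>  TXT  base64url(SHA-256(token "." thumbprint))
# Assumed inputs: the challenge token the CA returned and the RFC 7638
# thumbprint of the ACME account key; both are values the client already holds.
set -eu

# base64url without '=' padding, the encoding RFC 8555 requires (reads stdin)
b64url() {
  openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# Key authorization = token "." account-key-thumbprint (RFC 8555 §8.1)
key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# TXT record data = base64url(SHA-256(key authorization)); always 43 characters
dns01_txt_value() {
  key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Record owner name. A wildcard identifier "*.example.com" is validated at
# _acme-challenge.example.com, so the "*." prefix is dropped first.
dns01_record_name() {
  printf '_acme-challenge.%s' "${1#"*."}"
}

# What the CA does before issuing: query the record and look for the expected
# value among the returned strings. Needs dig and network access, so it is
# not part of the offline check.  $1=identifier $2=token $3=thumbprint
dns01_is_published() {
  dig +short TXT "$(dns01_record_name "$1")" | tr -d '"' \
    | grep -Fxq "$(dns01_txt_value "$2" "$3")"
}

# Constructed demo values (not a real token or account key thumbprint)
DEMO_TOKEN='evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'
DEMO_THUMB='9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI'
printf '%s TXT "%s"\n' "$(dns01_record_name '*.mycompany.com')" \
  "$(dns01_txt_value "$DEMO_TOKEN" "$DEMO_THUMB")"
```

Whatever creates the record (a vendor REST call, an agent, or a delegated ACME DNS zone as in the Jan 24, 2021 reply) only has to produce this name/value pair; the value changes with every challenge token, so it is computed per order, not stored. Because the CA queries the authoritative name servers, a published record is only useful once propagation is complete, which is what the `dns01_is_published` check is for before telling the CA to validate.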

  • Admin
    Thomas Hampel
    Oct 18, 2020

    Patrick, what if you don't need to do all the steps you described above? What if all of this would be integrated in Domino? Try it yourself:

    https://blog.hcltechsw.com/domino/introducing-hcl-domino-early-access-program

  • Guest
    Sep 17, 2020

    Regarding DNS APIs:

    I currently use a basic Shell-Script to renew the Lets Encrypt Certificates on our Linux Domino-Servers which leverages

    https://github.com/acmesh-official/acme.sh/wiki &

    https://github.com/acmesh-official/acme.sh/wiki/dnsapi

    Basically:

    Run acme.sh with DNS API

    acme.sh --issue --dns dns-provider -d mycompany.com -d www.mycompany.com -d mobile.mycompany.com

    This generates Host-Key, Host-Certificate and a Certificate-Chain File (PEM, base64 encoded)

    I concatenate the Host-Key and Certificate-Chain File into a new file.

    After that, I check if the Domino Keyring already exists, if it does not, create the Keyring using kyrtool.

    Next step: Import the new file (Host-Key +Chain) into the Keyring using kyrtool

    After that: switch to the notes-User and run server -c "restart task http" to pick up the new certificate from the keyring.

    The script runs periodically using cron.

    Theoretically this should be available on Windows too, if you install something like git bash or cygwin.

    Best Regards,

    Patrick
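One way to script the steps Patrick lists above on a Linux Domino server, as an added example that is neither his script nor code from acme.sh or HCL. It assumes `/local/notesdata` as the data directory, `keyfile.kyr` as the keyring, a root-only `/root/.kyr-password` file for the keyring password, `dns_cf` as the acme.sh DNS API name, that `server` is on the notes user's PATH, and the documented `kyrtool` (`create`, `verify`, `import all`) and `acme.sh` (`--issue`, `--install-cert`, `--reloadcmd`) invocations. Instead of a separate cron entry it hands the "deploy" half of the script to acme.sh as the reload command, so the cron job acme.sh installs for itself drives both renewal and re-import.

```shell
#!/bin/sh
# Added example, not Patrick's script and not code from acme.sh or HCL:
# acme.sh (DNS-01) -> key+chain bundle -> kyrtool keyring -> restart HTTP.
# Paths, user, DNS API name and password file below are assumptions.
set -eu

DOMINO_DATA=${DOMINO_DATA:-/local/notesdata}   # assumed data directory
NOTES_INI="$DOMINO_DATA/notes.ini"
KEYRING="$DOMINO_DATA/keyfile.kyr"
DOMINO_USER=${DOMINO_USER:-notes}
DNS_API=${DNS_API:-dns_cf}                     # acme.sh DNS API name, assumed
WORK=${WORK:-/var/tmp/le-domino}

# Build the single PEM file kyrtool imports: private key first, then the
# leaf-to-root chain. Created with mode 600 since it holds the private key.
build_bundle() {   # $1=key file  $2=fullchain file  $3=output
  umask 077
  cat "$1" "$2" > "$3"
  grep -q 'BEGIN .*PRIVATE KEY' "$3" && grep -q 'BEGIN CERTIFICATE' "$3"
}

# Number of certificate blocks, so a truncated chain is caught before import.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# "Check if the keyring exists, if not create it": the password comes from a
# root-only file rather than a command-line argument visible in `ps`.
ensure_keyring() {
  [ -f "$KEYRING" ] && return 0
  pw=$(cat /root/.kyr-password)                # assumed location
  kyrtool ="$NOTES_INI" create -k "$KEYRING" -p "$pw"
}

install_into_domino() {   # $1=bundle
  ensure_keyring
  kyrtool ="$NOTES_INI" verify "$1"            # key matches leaf, chain complete
  kyrtool ="$NOTES_INI" import all -k "$KEYRING" -i "$1"
  for f in "$KEYRING" "${KEYRING%.kyr}.sth"; do
    if [ -f "$f" ]; then chown "$DOMINO_USER" "$f"; fi
  done
  su - "$DOMINO_USER" -c 'server -c "restart task http"'
}

deploy() {   # run by acme.sh as --reloadcmd after every issue/renew
  build_bundle "$WORK/host.key" "$WORK/fullchain.pem" "$WORK/bundle.pem"
  [ "$(count_certs "$WORK/bundle.pem")" -ge 2 ] || { echo "chain incomplete" >&2; exit 1; }
  install_into_domino "$WORK/bundle.pem"
  rm -f "$WORK/bundle.pem"
}

case "${1:-}" in
  issue)
    mkdir -p "$WORK" && chmod 700 "$WORK"
    acme.sh --issue --dns "$DNS_API" -d mycompany.com -d www.mycompany.com -d mobile.mycompany.com
    acme.sh --install-cert -d mycompany.com \
      --key-file "$WORK/host.key" --fullchain-file "$WORK/fullchain.pem" \
      --reloadcmd "$0 deploy"
    ;;
  deploy) deploy ;;
esac
```

Run it once as root with `issue`; from then on acme.sh's own cron entry renews and calls `deploy`. The `-ge 2` check is there because a bundle with only the leaf certificate imports without error but leaves clients without the intermediate; `kyrtool verify` catches a key/certificate mismatch but not a chain that was never written.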

  • Guest
    Sep 16, 2020

    LetsEncrypt does NOT require a static IP. We ran it for years with dynamic IP addresses. The only applications to require a static IP are mail servers.

  • Guest
    Mar 24, 2020

    Just to add a feature request, DNS validation is important as most Domino Servers are not open to the public networks. I know there are difficulties with DNS APIs, but I still think there could be extension points left to the advanced use cases.

  • Guest
    Aug 6, 2019

    Agreed. However, each of these "free" SSL sites requires a static public IP, which defeats the scalability and the "free" in LetsEncrypt. The app works GREAT though! This limitation is not in the LetsEncrypt for Domino app, but Domino's HTTP/2 SNI support.

  • Guest
    Sep 24, 2018

    At LEAST add the Root- and Intermediate certificates of LetsEncrypt to Domino (cacerts key file and pubnames.nft)

  • Guest
    Jul 16, 2018

    This makes an admin's life so much easier. Speaking from personal experience!

14 MERGED

Let's Encrypt Automatic update

Merged
When enabling Let's Encrypt, it should be possible to configure an automatic update of the cert in the server config.
over 5 years ago in Domino / Security 3 Shipped
3 MERGED

Build an easy configurator for creating SSL certs

Merged
Make a wrap-around program that installs OpenSSL and kyrtool in one directory and opens in a GUI interface to create requests and keyrings for an SSL for external SSL configuration, then creates a zip file for the server. The current instruction...
almost 4 years ago in Domino / Administration 0 Shipped
11 MERGED

Integrate ACME Protocol for Let’s encrypt (RFC 8555)

Merged
The ACMEv2 protocol is an internet-standard (https://www.rfc-editor.org/rfc/rfc8555.txt). There is an open source implementation by midpoints (https://midpoints.de/en-solutions-LE4D). A native integration makes the use of TLS easier. Martin Garrels
over 5 years ago in Domino / Security 1 Shipped
11 MERGED

Let's encrypt bundle

Merged
Database Tools for SSL or Let's encrypt bundle for domino
about 5 years ago in Domino / Administration 0 Shipped