#dominoforever | Product Ideas Portal



Include Support for Let's Encrypt

see https://midpoints.de/de-solutions-LE4D

  • Guest
  • Jul 14 2018
  • Shipped
  • Guest commented
    16 Mar 12:09am

    Let's Encrypt integration is available since the first code drop of Domino V12.

    And in Beta2 DNS-01 challenges have been added.


    CertMgr is the new task in Domino V12 for certificate management.

    And certstore.nsf is the domain-wide database to store them encrypted for servers with access.


    The DNS-01 challenges come with options to integrate with DNS providers.

    Out of the box there are two reference implementations for Cloudflare (US) and Hetzner (DE).


    I have personally built a couple of integrations using the REST approach with @Formulas and integrated HTTP requests. And I have my own ACME DNS server running as well.


    If you are looking for current information check my blog for details.


    They can be exported and imported via DXL and most REST interfaces will be straightforward.


    If that isn't working, you can also write an agent to perform the integration.

    This is much easier than what acmesh provides.


    Have a look into the existing beta 2. And stay tuned for Beta 3.


    [ Daniel Nashed / HCL Lifetime Ambassador ]

    https://blog.nashcom.de




  • Guest commented
    24 Jan 09:01pm

    If you are interested in this feature, you should take a look at Domino V12 Beta1.

    Let's Encrypt functionality is available since the first code drop.


    DNS-01 Challenges have been added for Beta1 with a very flexible interface.

    Take a look into the Beta forum or check my current blog post for details.


    Here is an example of an implementation of a DNS provider configuration with some details.


    [ Daniel Nashed / https://blog.nashcom.de ]


    https://blog.nashcom.de/nashcomblog.nsf/dx/domino-v12-lets-enrypt-dns-01-challenges-delegating-a-sub-domain-to-digital-ocean.htm

  • Guest commented
    19 Oct, 2020 08:49am

    Hello Thomas,

    I already saw the built-in feature in Domino 12 Early Access ( https://help.hcltechsw.com/domino/earlyaccess/secu_le_certificate_request_flow.html ), but it seems to lack the ability to use the DNS-01 challenge method ( https://letsencrypt.org/de/docs/challenge-types/ ). I know that it is difficult to support every DNS vendor's API to be able to automatically create the TXT record needed to comply with the DNS challenge; that's why I was pointing to the acme.sh script, which supports quite a lot of DNS vendors using their respective API calls.

    Best Regards,

    Patrick

  • Admin
    Thomas Hampel commented
    18 Oct, 2020 07:40pm

    Patrick, what if you don't need to do all the steps you described above? What if all of this were integrated in Domino? Try it yourself:

    https://blog.hcltechsw.com/domino/introducing-hcl-domino-early-access-program

  • Guest commented
    17 Sep, 2020 12:32pm

    Regarding DNS APIs:

    I currently use a basic shell script to renew the Let's Encrypt certificates on our Linux Domino servers, which leverages

    https://github.com/acmesh-official/acme.sh/wiki &

    https://github.com/acmesh-official/acme.sh/wiki/dnsapi

    Basically:

    Run acme.sh with DNS API

    acme.sh --issue --dns dns-provider -d mycompany.com -d www.mycompany.com -d mobile.mycompany.com

    This generates Host-Key, Host-Certificate and a Certificate-Chain File (PEM, base64 encoded)

    I concatenate the Host-Key and Certificate-Chain File into a new file.

    After that, I check if the Domino Keyring already exists, if it does not, create the Keyring using kyrtool.

    Next step: Import the new file (Host-Key + Chain) into the Keyring using kyrtool

    After that: switch to the notes-User and run server -c "restart task http" to pick up the new certificate from the keyring.

    The script runs periodically using cron.

    Theoretically this should be available on Windows too, if you install something like git bash or cygwin.

    Best Regards,

    Patrick
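
Patrick's sequence above (acme.sh with a DNS API, concatenate host key and chain, create the keyring if it is missing, import with kyrtool, restart the HTTP task) written out as a POSIX shell script. This is an added example, not Patrick's script and not code from HCL or the acme.sh project; the domain names, the acme.sh DNS API plugin name (`dns_cf` is the Cloudflare plugin from the acme.sh dnsapi wiki), the directories, the keyring path and the password file are all assumptions to adapt. The one point worth adding to his description from a security angle: the combined PEM file carries the private key, so it is written with mode 600 into a directory owned by the Domino user and removed again after the import, and the whole job should run from that user's crontab so neither the keyring nor the key ends up owned by root.

```shell
#!/bin/sh
# Added example (not Patrick's script): Let's Encrypt renewal for a Linux
# Domino server via acme.sh DNS-01 and kyrtool. All paths, names and the
# DNS API plugin below are assumptions; adapt them to your server.
set -eu

DOMAINS="${DOMAINS:-mycompany.com www.mycompany.com mobile.mycompany.com}"
DNS_API="${DNS_API:-dns_cf}"                      # acme.sh DNS API plugin (assumed: Cloudflare)
CERT_DIR="${CERT_DIR:-/local/notesdata/le}"       # assumed staging dir, owned by the notes user
KYR_FILE="${KYR_FILE:-/local/notesdata/keyfile.kyr}"
KYR_PWFILE="${KYR_PWFILE:-/local/notesdata/.kyr_password}"   # mode 600, notes user only
ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"
KYRTOOL="${KYRTOOL:-kyrtool}"   # on Linux usually launched through Domino's tools/startup wrapper

# Steps 1 and 2: issue or renew via DNS-01, then copy key and full chain to CERT_DIR.
issue_cert() {
    set -- $DOMAINS
    primary=$1
    args=""
    for d in "$@"; do args="$args -d $d"; done
    rc=0
    # shellcheck disable=SC2086
    "$ACME_SH" --issue --dns "$DNS_API" $args || rc=$?
    # acme.sh returns 2 (RENEW_SKIP) when the certificate is not yet due; that is
    # not an error, anything else is.
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return "$rc"
    "$ACME_SH" --install-cert -d "$primary" \
        --key-file "$CERT_DIR/host.key" \
        --fullchain-file "$CERT_DIR/chain.pem"
}

# Step 3: one PEM file, host key first, then the chain, which is the layout
# "kyrtool import all" reads. It contains the private key, so it is created
# under a restrictive umask and forced to mode 600. Refuses to proceed when
# either input is not what it should be (e.g. key and chain files swapped).
assemble_pem() {
    key=$1; chain=$2; out=$3
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" \
        || { echo "no certificate in $chain" >&2; return 1; }
    ( umask 077 && cat "$key" "$chain" > "$out" )
    chmod 600 "$out"
}

# Step 4: create the keyring only when it does not exist yet. kyrtool create
# also writes the .sth stash file next to it, which later imports rely on.
# The password is passed on the command line, which is how kyrtool takes it;
# keep the password file readable by the notes user only.
ensure_keyring() {
    if [ -f "$KYR_FILE" ]; then return 0; fi
    $KYRTOOL create -k "$KYR_FILE" -p "$(cat "$KYR_PWFILE")"
}

# Step 6: make HTTP pick up the new certificate. Run the script as the notes
# user (its crontab), so no su/switch is needed here.
restart_http() {
    server -c "restart task http"
}

main() {
    mkdir -p "$CERT_DIR"
    chmod 700 "$CERT_DIR"
    issue_cert
    assemble_pem "$CERT_DIR/host.key" "$CERT_DIR/chain.pem" "$CERT_DIR/all.pem"
    ensure_keyring
    $KYRTOOL verify "$CERT_DIR/all.pem"                     # chain check before touching the keyring
    $KYRTOOL import all -k "$KYR_FILE" -i "$CERT_DIR/all.pem"   # step 5
    rm -f "$CERT_DIR/all.pem"                               # combined key file only needed for import
    restart_http
}

# Cron entry for the notes user, e.g.:  0 3 * * * DOMINO_LE_RUN=1 /local/notesdata/le/renew.sh
# Without DOMINO_LE_RUN=1 the file only defines the functions.
if [ "${DOMINO_LE_RUN:-0}" = "1" ]; then main; fi
```

acme.sh keeps its own renewal schedule, so the cron job can run daily; on days when nothing is due, `--issue` reports the skip and the script still re-runs the harmless install, assemble and import steps. If that is unwanted, return early from `main` when `issue_cert` sees exit status 2.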

  • Guest commented
    16 Sep, 2020 10:57am

    LetsEncrypt does NOT require a static IP. We ran it for years with dynamic IP addresses. The only applications to require a static IP are mail servers.

  • Guest commented
    24 Mar, 2020 12:52pm

    Just to add a feature request, DNS validation is important as most Domino Servers are not open to the public networks. I know there are difficulties with DNS APIs, but I still think there could be extension points left to the advanced use cases.

  • Guest commented
    6 Aug, 2019 12:29am

    Agreed. However, each of these "free" SSL sites requires a static public IP, which defeats the scalability and the "free" in LetsEncrypt. The app works GREAT though! This limitation is not in the LetsEncrypt for Domino app, but Domino's HTTP/2 SNI support.

  • Guest commented
    24 Sep, 2018 06:52am

    At LEAST add the Root- and Intermediate certificates of LetsEncrypt to Domino (cacerts key file and pubnames.nft)

  • Guest commented
    16 Jul, 2018 07:48am

    This makes an admin's life so much easier. Speaking from personal experience!