#dominoforever | Product Ideas Portal


Welcome to the #dominoforever Product Ideas Forum! This is the place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Include Support for Let's Encrypt

see https://midpoints.de/de-solutions-LE4D

  • Guest
  • Jul 14 2018
  • Planning to implement
  • Guest commented
    19 Oct 08:49am

    Hello Thomas,

    I already saw the built-in feature in Domino 12 Early Access ( https://help.hcltechsw.com/domino/earlyaccess/secu_le_certificate_request_flow.html ), but it seems to lack the ability to use the DNS-01 challenge method ( https://letsencrypt.org/de/docs/challenge-types/ ). I know that it is difficult to support every DNS vendor's API to be able to automatically create the TXT record needed to comply with the DNS challenge; that's why I was pointing out the acme.sh script, which supports quite many DNS vendors using their respective API calls.

    Best Regards,

    Patrick

  • Admin
    Thomas Hampel commented
    18 Oct 07:40pm

    Patrick, what if you don't need to do all the steps you described above? What if all of this were integrated in Domino? Try it yourself:

    https://blog.hcltechsw.com/domino/introducing-hcl-domino-early-access-program

  • Guest commented
    17 Sep 12:32pm

    Regarding DNS APIs:

    I currently use a basic Shell-Script to renew the Lets Encrypt Certificates on our Linux Domino-Servers which leverages

    https://github.com/acmesh-official/acme.sh/wiki &

    https://github.com/acmesh-official/acme.sh/wiki/dnsapi

    Basically:

    Run acme.sh with DNS API

    acme.sh --issue --dns dns-provider -d mycompany.com -d www.mycompany.com -d mobile.mycompany.com

    This generates the host key, host certificate and a certificate chain file (PEM, base64 encoded).

    I concatenate the Host-Key and Certificate-Chain File into a new file.

    After that, I check if the Domino Keyring already exists, if it does not, create the Keyring using kyrtool.

    Next step: Import the new file (Host-Key +Chain) into the Keyring using kyrtool

    After that: switch to the notes user and run server -c "restart task http" to pick up the new certificate from the keyring.

    The script runs periodically using cron.

    Theoretically this should be available on Windows too, if you install something like git bash or cygwin.

    Best Regards,

    Patrick
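
The renewal flow Patrick describes above (acme.sh with a DNS API, concatenate key and chain, create the keyring with kyrtool only if missing, import, restart HTTP), written out as an added POSIX sh example that is not the poster's script or anything shipped by HCL or acme.sh. The data directory, keyring name, password file, DNS provider name and the acme.sh output paths are assumptions; the `kyrtool create` / `import all` / `verify` forms are the documented ones.

```shell
#!/bin/sh
# Added example of the acme.sh -> kyrtool -> HTTP restart flow; not the poster's script.
set -eu
umask 077   # the combined key+chain file contains the private key; create it 0600

DOMAIN="${DOMAIN:-mycompany.com}"                # assumed
DNS_PROVIDER="${DNS_PROVIDER:-dns_provider}"     # acme.sh dnsapi hook name, assumed
ACME_HOME="${ACME_HOME:-${HOME:-/root}/.acme.sh}" # default acme.sh home, assumed
NOTESDATA="${NOTESDATA:-/local/notesdata}"       # assumed Domino data directory
KYR="$NOTESDATA/keyfile.kyr"
KYR_PASS_FILE="${KYR_PASS_FILE:-$NOTESDATA/.kyrpass}"  # 0600 file holding the keyring password (assumed)
BUNDLE="$NOTESDATA/${DOMAIN}_bundle.pem"

# Step 1: issue or renew via the DNS-01 challenge; acme.sh creates the TXT record through the provider API.
issue_cert() {
  acme.sh --issue --dns "$DNS_PROVIDER" -d "$DOMAIN" -d "www.$DOMAIN" -d "mobile.$DOMAIN"
}

# Step 2: concatenate host key + chain into one PEM. Refuse inputs that are not PEM
# so a failed or partial acme.sh run cannot push garbage into the keyring.
bundle_pem() {  # bundle_pem KEY CHAIN OUT -> 0 on success, 1 on bad input (OUT untouched)
  key="$1"; chain="$2"; out="$3"
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || return 1
  cat "$key" "$chain" > "$out"
  chmod 600 "$out"
}

# Step 3: create the keyring only when it does not exist yet, verify the bundle, then import it.
import_bundle() {
  pass=$(cat "$KYR_PASS_FILE")
  if [ ! -f "$KYR" ]; then
    kyrtool "=$NOTESDATA/notes.ini" create -k "$KYR" -p "$pass"
  fi
  kyrtool "=$NOTESDATA/notes.ini" verify "$BUNDLE"
  kyrtool "=$NOTESDATA/notes.ini" import all -k "$KYR" -i "$BUNDLE"
}

# Step 4: make the HTTP task reload the keyring, run as the notes user.
restart_http() {
  su - notes -c 'server -c "restart task http"'
}

if [ "${1:-}" = run ]; then   # `sh renew.sh run` from cron; sourcing the file only defines the functions
  issue_cert
  bundle_pem "$ACME_HOME/$DOMAIN/$DOMAIN.key" "$ACME_HOME/$DOMAIN/fullchain.cer" "$BUNDLE"
  import_bundle
  restart_http
fi
```

Newer acme.sh versions default to ECC keys stored under `$DOMAIN_ecc`, so the two paths passed to `bundle_pem` must match what your acme.sh run actually wrote.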

  • Guest commented
    16 Sep 10:57am

    LetsEncrypt does NOT require a static IP. We ran it for years with dynamic IP addresses. The only applications to require a static IP are mail servers.

  • Guest commented
    24 Mar 12:52pm

    Just to add a feature request, DNS validation is important as most Domino Servers are not open to the public networks. I know there are difficulties with DNS APIs, but I still think there could be extension points left to the advanced use cases.

  • Guest commented
    6 Aug, 2019 12:29am

    Agreed. However, each of these "free" SSL sites requires a static public IP, which defeats the scalability and the "free" in LetsEncrypt. The app works GREAT though! This limitation is not in the LetsEncrypt for Domino app, but Domino's HTTP/2 SNI support.

  • Guest commented
    24 Sep, 2018 06:52am

    At LEAST add the Root- and Intermediate certificates of LetsEncrypt to Domino (cacerts key file and pubnames.nft)

  • Guest commented
    16 Jul, 2018 07:48am

    This makes an admin's life so much easier. Speaking from personal experience!