HCL Domino Ideas Portal
Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.
For more information and upcoming events around #dominoforever, please visit our Destination Domino Page
For additional documentation or help when implementing an ACME DNS-01 TXT provider, please use the official GitHub project --> https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager
You can raise issues and get help. We have multiple partners who got their implementation working.
The implementation of the interface uses one document for each TXT record to add/delete indepent of the integration type (formula/agent/cmd). the resulting document is logged on error and can be optionally always logged to look at it for debugging or development purposes.
if you have specific questions or if you need help when writing an implementation, please open an issue in the project.
It's not as simple as you would imagine to allow manual operations.
The ACME protocol has a flow, which is designed for automation.
The implementation would need a lot of extra work to allow longer delays between the different phases in the ACME protocol flow. refreshing the nonce would be one change needed. But there are more complicated once, like keeping track of the requests and re-starting the ACME communication where we left.
But this is only the protocol side. There are also other complexities like having the DNS-01 text record displayed in the document and helping the admin to add the right value to a DNS record.
And this could be quite challenging for an admin even with a nice UI.
In most companies this would also involve multi teams involved. The Domino admin is usually not responsible for DNS changes.
You are the first one asking for a manual operation. ACME and the Domino CertMgr ACME implementation are designed for automation. A manual challenge would defeat the purpose of this integration.
Ideas that could work for your use case:
You could use CNAME delegation with one of the already available DNS provider integrations.
See this Let's Encrypt link for details --> https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme/
You could also use any ACME implementation which supports a manual flow for DNS-01 (I never checked who might support it).
DNS-01 challenges don't need an inbound connection and you can use any ACME implementation.
CertMgr & certstore.nsf provide the manual flow, which can be automated. So you could get the certificate flow still automated with an external ACME implementation.
I think the main thing is that the documentation needs a good deal of expansion. The flow for the DNS config documents is rather flexible, but the doc should explain it better - that there's a single document context in use for each step, examples of when each part can/should be skipped, an explanation of how JSON (when returned) is broken out into items, etc.. These things can technically be gleaned from the examples in the GitHub repo, but there should be a lot more detail in the actual documentation.
It should also explain the flow for agent- and command-based flows, with detail for the context passed to them and examples of them in use.