HCL Domino Ideas Portal
Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.
For more information and upcoming events around #dominoforever, please visit our Destination Domino Page
Let's Encrypt integration is available since the first code drop of Domino V12.
And in Beta2 DNS-01 challenges have been added.
CertMgr is the new task in Domino V12 for certificate management.
And certstore.nsf is the domain wide database to stored them encrypted for servers with access.
The DNS-01 challenges come with options to integrate with DNS providers.
Out of the box there are two reference implementation for Cloudflare (US) and Hetzner (DE).
I have personally build a couple of integrations using the REST approach with @Formulas and integrated HTTP requests. And I have my own ACME DNS server running as well.
If you are looking for current information check my blog for details.
They can be exported and imported via DXL and most REST interfaces will be straight forward.
If that isn't working, you can also write an agent to perform the integration.
This is much easier than what acmesh provides.
Have a look into the existing beta 2. And stay tuned for Beta 3.
[ Daniel Nashed / HCL Lifetime Ambassador ]
https://blog.nashcom.de
If you are interested in this feature, you should take a look at Domino V12 Beta1.
Let's Encrypt functionality is available since the first code drop.
DNS-01 Challenges have been added for Beta1 with a very flexible interface.
Take a look into the Beta forum or check my current blog post for details.
Here is an example for an inplementation of a DNS provider configuration with some details.
[ Daniel Nashed / https://blog.nashcom.de ]
https://blog.nashcom.de/nashcomblog.nsf/dx/domino-v12-lets-enrypt-dns-01-challenges-delegating-a-sub-domain-to-digital-ocean.htm
Hello Thomas,
I already saw the built-in feature in Domino 12 Early Access ( https://help.hcltechsw.com/domino/earlyaccess/secu_le_certificate_request_flow.html ), but it seems to lack the ability to use the DNS-01 Challenge Method ( https://letsencrypt.org/de/docs/challenge-types/ ). I know that it is difficult to support every DNS-"Vendors" API to be able to automatically create the TXT-Record needed to comply with the DNS-challenge, that's why I was pointing out to the acme.sh Script that supports quite many DNS-Vendors using their respective API-Calls.
Best Regards,
Patrick
Patrick, what if you dont need to do all steps you described above? What if all of this would be integrated in Domino? Try it yourself:
https://blog.hcltechsw.com/domino/introducing-hcl-domino-early-access-program
Regarding DNS APIs:
I currently use a basic Shell-Script to renew the Lets Encrypt Certificates on our Linux Domino-Servers which leverages
https://github.com/acmesh-official/acme.sh/wiki &
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Basically:
Run acme.sh with DNS API
acme.sh --issue --dns dns-provider -d mycompany.com -d www.mycompany.com -d mobile.mycompany.com
Tis generates Host-Key, Host-Certificate and a Certificate-Chain File (PEM, base64 encoded)
I concatenate the Host-Key and Certificate-Chain File into a new file.
After that, I check if the Domino Keyring already exists, if it does not, create the Keyring using kyrtool.
Next step: Import the new file (Host-Key +Chain) into the Keyring using kyrtool
After that: switch to the notes-User and run server -c "restart task http" to pick up the new certificate from the keyring.
The script runs periodically using cron.
Theoretically this should be available on Windows too, if you install something like git bash or cygwin.
Best Regards,
Patrick
LetsEncrypt does NOT require a static IP. We ran it for years with dynamic IP addresses. The only applications to require a static IP are mail servers.
Just to add a feature request, DNS validation is important as most Domino Servers are not open to the public networks. I know there are difficulties with DNS APIs, but I still think there could be extension points left to the advanced use cases.
Agreed. However, each of these "free" SSL sites requires a static public IP, which defeats the scalability and the "free" in LetsEncrypt. The app works GREAT though! This limitation is not in the LetsEncrypt for Domino app, but Domino's HTTP/2 SNI support.
At LEAST add the Root- and Intermediate certificates of LetsEncrypt to Domino (cacerts key file and pubnames.nft)
This makes an admin live so much easier. Speaking from personal experience!