fighting for truth, justice, and a kick-butt lotus notes experience.

LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

 4 Februar 2021 08:55:42
Let's Encrypt changed its own server SSL certificates used to communicate with their API endpoints in December 2020.

Production - API Endpoint:
Staging - API Endpoint:

This may result in Let's Encrypt 4 Domino (LE4D) no longer being able to communicate with the API during agent execution for certificate updates.

The reason for it is, that the Let's Encrypt root / intermediate certificate are no longer trusted.

In the log you will get the following error message:

2021-02-03 20:41:45 INFO LE4D - midpoints LE4D (c) 2017 - 2021, V 2.2.0_20190930
2021-02-03 20:41:45 INFO LE4D - Logging events and errors to: '/var/local/notesdata/MIDPOINTS_TECHNICAL_SUPPORT/le4d/le4d.log'
2021-02-03 20:41:45 INFO LE4D - Processing configuration document: '86E7EF37D3D856600628627'.
2021-02-03 20:41:45 INFO LE4D - Using Html directory: domino/html
2021-02-03 20:41:45 INFO LE4D - Running in staging mode
2021-02-03 20:41:45 INFO LE4D - Requesting certificates.
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D3125856600628627/user.key'
2021-02-03 20:41:45 INFO LE4D - Session URL: acme://
2021-02-03 20:41:45 ERROR LE4D - org.shredzone.acme4j.exception.AcmeNetworkException: Network error
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D25856600628627/domain.key'
2021-02-03 20:41:45 ERROR LE4D - java.lang.NullPointerException
2021-02-03 20:41:45 INFO LE4D - OUPS!! Something went wrong!
2021-02-03 20:41:45 INFO LE4D - midpoints LE4D finished!

The trusted root/intermediate certificates relevant for agent execution are located in the JVM folder of the Domino server in the cacerts file.

It must be checked once whether the newly used root/intermediate certificates are present here and updated if necessary.

Maybe one of the Root CAs are missing in your cacerts file:

ISRG Root X1

DST Root CA X3

Let’s Encrypt R3

Details and CA PEM Downloads:

- You will have to restart your Domino server to initialize the JVM with the new cacerts. A 'tell HTTP restart' will not be enough.  
- HCL removed the ikeyman tool with Domino 11. So you can use the default Java keytool, which is part of the JVM install. It is a commandline tool. Details can be found here: