fighting for truth, justice, and a kick-butt lotus notes experience.

LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

 Februar 4 2021 07:55:42 AM
Let's Encrypt changed its own server SSL certificates used to communicate with their API endpoints in December 2020.

Production - API Endpoint:
https://acme-v02.api.letsencrypt.org/directory
Staging - API Endpoint:
https://acme-staging-v02.api.letsencrypt.org/directory

This may result in Let's Encrypt 4 Domino (LE4D) no longer being able to communicate with the API during agent execution for certificate updates.

The reason for it is, that the Let's Encrypt root / intermediate certificate are no longer trusted.

In the log you will get the following error message:


2021-02-03 20:41:45 INFO LE4D - midpoints LE4D (c) 2017 - 2021, V 2.2.0_20190930
2021-02-03 20:41:45 INFO LE4D - Logging events and errors to: '/var/local/notesdata/MIDPOINTS_TECHNICAL_SUPPORT/le4d/le4d.log'
2021-02-03 20:41:45 INFO LE4D - Processing configuration document: '86E7EF37D3D856600628627'.
2021-02-03 20:41:45 INFO LE4D - Using Html directory: domino/html
2021-02-03 20:41:45 INFO LE4D - Running in staging mode
2021-02-03 20:41:45 INFO LE4D - Requesting certificates.
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D3125856600628627/user.key'
2021-02-03 20:41:45 INFO LE4D - Session URL: acme://letsencrypt.org/staging
2021-02-03 20:41:45 ERROR LE4D - org.shredzone.acme4j.exception.AcmeNetworkException: Network error
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D25856600628627/domain.key'
2021-02-03 20:41:45 ERROR LE4D - java.lang.NullPointerException
2021-02-03 20:41:45 INFO LE4D - OUPS!! Something went wrong!
2021-02-03 20:41:45 INFO LE4D - midpoints LE4D finished!


The trusted root/intermediate certificates relevant for agent execution are located in the JVM folder of the Domino server in the cacerts file.

It must be checked once whether the newly used root/intermediate certificates are present here and updated if necessary.

Maybe one of the Root CAs are missing in your cacerts file:


Roots:
ISRG Root X1    
https://letsencrypt.org/certs/isrgrootx1.pem

DST Root CA X3    
https://letsencrypt.org/certs/trustid-x3-root.pem.txt

Intermediate:
 
Let’s Encrypt R3
https://letsencrypt.org/certs/lets-encrypt-r3.pem

Details and CA PEM Downloads:
 
https://letsencrypt.org/certificates/

Hints:
- You will have to restart your Domino server to initialize the JVM with the new cacerts. A 'tell HTTP restart' will not be enough.  
- HCL removed the ikeyman tool with Domino 11. So you can use the default Java keytool, which is part of the JVM install. It is a commandline tool. Details can be found here:

http://www.netzgoetter.net/internet/blogs/netzgoetter.nsf/dx/byebye-ibm-ikeyman-welcome-java-keytool.htm

Kommentare

1David Hablewitz  02/04/2021 11:32:53 PM  LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

I have this problem on a 9.0.1 server. I'm looking for the instructions on doing this using the ikeyman tool. Could you please post a link to those instructions? I know I've seen it somewhere.

2Detlev Poettgen  02/05/2021 8:12:15 AM  LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

The ikeyman instructions are included in the First Steps PDF - page 7, which is part of the LE4D download package.

3Rainer  02/05/2021 4:47:42 PM  LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

Hallo

ich hatte genau diesen Fall am 02.02.2021 mit einem zu erneuernden SSL Zertifikat.

Erst das einspielen der neuen Zertifikate in die cacert hatte uns geholfen.

Danke hier noch mal ausdrücklich für die Hilfe an die Technik von Midpoints.

Gruß Rainer

4Dan Carter  02/08/2021 10:43:56 AM  LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

Hi Detlev, thanks for this post. I've noticed the same error this morning.

I was able to update the ISRG Root X1 certificate.

keytool -import -trustcacerts -keystore "C:\Program Files\IBM\Lotus\Domino\jvm\lib\security\cacerts" -storepass changeit -alias ISRGRootX1 -import -file c:\ca\isrgrootx1.pem

Certificate already exists in keystore under alias <letsencryptisrgx1 [jdk]>

Do you still want to add it? [no]: y

Certificate was added to keystore

And the inter.

keytool -import -trustcacerts -keystore "C:\Program Files\IBM\Lotus\Domino\jvm\lib\security\cacerts" -storepass changeit -alias LetsEncryptR3 -import -file c:\ca\lets-encrypt-r3.pem

Certificate was added to keystore

but I can seem to import the cross signed root."input not an x.509 certificate"

keytool -import -trustcacerts -keystore "C:\Program Files\IBM\Lotus\Domino\jvm\lib\security\cacerts" -storepass changeit -alias DSTRootCAX3 -import -file c:\ca\trustid-x3-root.pem.txt

keytool error: java.lang.Exception: Input not an X.509 certificate

Would you have any ideas? I've tried to rerun the letsencrypt agent without the cross-signed certificate but I still get the original error

Agent Manager: Agent printing: org.shredzone.acme4j.exception.AcmeNetworkException: Network error

Agent Manager: Agent printing: Writing file: 'D:\temp\lead-workdir\BA2D79FC20976E828025852300324CAB\domain.key'

Agent Manager: Agent printing: java.lang.NullPointerException

Agent Manager: Agent printing: OUPS!! Something went wrong!

kind regards

Dan

5Friedhelm Klein  07/04/2021 12:10:38 AM  LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

Little hint: The cacerts file from Domino 12 is compatible with older Domino versions and includes way more root certificates than version 9.x or 10.x did.

Though Domino 12 uses OpenJDK instead of IBM / Oracle JVM, the file structure (and password) of cacerts is still the same. Simply copy a Domino 12 cacerts to your older servers and your root certs are up to date.

  •  
  • Hinweis zum Datenschutz und Datennutzung:
    Bitte lesen Sie unseren Hinweis zum Datenschutz bevor Sie hier einen Kommentar erstellen.
    Zur Erstellung eines Kommentar werden folgende Daten benötigt:
    - Name
    - Mailadresse
    Der Name kann auch ein Nickname/Pseudonym sein und wird hier auf diesem Blog zu Ihrem Kommentar angezeigt. Die Email-Adresse dient im Fall einer inhaltlichen Unklarheit Ihres Kommentars für persönliche Rückfragen durch mich, Detlev Pöttgen.
    Sowohl Ihr Name als auch Ihre Mailadresse werden nicht für andere Zwecke (Stichwort: Werbung) verwendet und auch nicht an Dritte übermittelt.
    Ihr Kommentar inkl. Ihrer übermittelten Kontaktdaten kann jederzeit auf Ihren Wunsch hin wieder gelöscht werden. Senden Sie in diesem Fall bitte eine Mail an blog(a)poettgen(punkt)eu

  • Note on data protection and data usage:
    Please read our Notes on Data Protection before posting a comment here.
    The following data is required to create a comment:
    - Name
    - Mail address
    The name can also be a nickname/pseudonym and will be displayed here on this blog with your comment. The email address will be used for personal questions by me, Detlev Pöttgen, in the event that the content of your comment is unclear.
    Neither your name nor your e-mail address will be used for any other purposes (like advertising) and will not be passed on to third parties.
    Your comment including your transmitted contact data can be deleted at any time on your request. In this case please send an email to blog(a)poettgen(dot)eu

Archive