
midpoints LE4D 2.0 – some hints

Detlev Poettgen  March 30 2018 10:31:29 AM
On March 28th we released version 2.0 of Let's Encrypt 4 Domino, aka LE4D. If you are running LE4D v1.x, you must update to v2.0.

Certificate renewal no longer works with v1.x because of changes Let's Encrypt made to their ACME API endpoint.

If you are new to Let's Encrypt 4 Domino, you can get it here: https://www.midpoints.de/de-solutions-LE4D

Here are some additional hints to get v2.0 working:

Settings documents are disabled after the design update to v2.0


In v2.0 we added a new feature to toggle the status of settings documents (enabled or disabled).

After the design update, all settings documents are disabled by default. You have to enable the ones you need before running the agent.

Error: No trusted certificates found


You might see the following error message on the Domino console:
29.03.2018 08:21:39   Agent Manager: Agent  error: Caused by:
29.03.2018 08:21:39   Agent Manager: Agent  error: com.ibm.jsse2.util.h: No trusted certificate found
29.03.2018 08:21:39   Agent Manager: Agent  error:         at com.ibm.jsse2.util.g.a(g.java:21)

This typically happens after you have applied a Domino Fix Pack (FP) or Hotfix (HF). In all cases we have seen, the FP/HF install replaced the JVM truststore (jvm/lib/security/cacerts) with the default cacerts file, so the Let's Encrypt certificates you had imported are gone and the agent can no longer build a trusted chain to the Let's Encrypt API.

To fix this, import the needed certificates again. They can be found at https://letsencrypt.org/certificates/

Import the ISRG Root X1 CA and the two intermediate certificates:

- ISRG Root X1 (self-signed)
- Let's Encrypt Authority X3 (IdenTrust cross-signed)
- Let's Encrypt Authority X3 (signed by ISRG Root X1)

A how-to on importing certificates into the Domino JVM keystore can be found here:

http://abdata.ch/add-a-root-certificate-to-ibm-domino-jvm-keystore/

Check the truststore again after every FP or HF, before the next renewal is due.
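As an added example (not part of LE4D or the linked how-to), the following Python script drives the Domino JVM's own keytool to find out which of the three certificates are missing from cacerts and imports only those, so it can be run blindly after every FP/HF. The Domino installation path, the aliases and the PEM file names are assumptions; the keytool listing used for the dry run is constructed.

```python
"""Re-import the Let's Encrypt chain into the Domino JVM truststore after a FP/HF.

Added example, not part of LE4D. Paths, aliases and file names are assumptions.
"""
import subprocess
import sys
from pathlib import Path

# Assumed Domino layout on Linux; adjust for your server (Windows: <domino>\jvm\...).
DOMINO_JVM = Path("/opt/ibm/domino/notes/latest/linux/jvm")
KEYTOOL = DOMINO_JVM / "bin" / "keytool"
CACERTS = DOMINO_JVM / "lib" / "security" / "cacerts"
STOREPASS = "changeit"  # default password of a JVM cacerts file

# alias -> PEM file downloaded from https://letsencrypt.org/certificates/
# (the three certificates the post says to import; aliases and file names are our choice)
WANTED = {
    "isrgrootx1": "isrgrootx1.pem",
    "letsencryptauthorityx3-cross": "lets-encrypt-x3-cross-signed.pem",
    "letsencryptauthorityx3": "letsencryptauthorityx3.pem",
}

# Constructed `keytool -list` output: a default entry plus the root an admin
# already re-imported by hand. The two intermediates are still missing.
SAMPLE_LISTING = """Keystore type: jks
Keystore provider: IBMJCE

Your keystore contains 2 entries

isrgrootx1, Mar 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
verisignclass3g5ca, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66
"""


def aliases_in(keytool_list_output):
    """Parse `keytool -list` output into the set of lower-cased aliases it contains."""
    found = set()
    for line in keytool_list_output.splitlines():
        # entry lines look like: "isrgrootx1, Mar 30, 2018, trustedCertEntry,"
        if "trustedCertEntry" in line or "PrivateKeyEntry" in line:
            found.add(line.split(",", 1)[0].strip().lower())
    return found


def missing_aliases(keytool_list_output, wanted=WANTED):
    """Return, sorted, the wanted aliases that are absent from the truststore listing."""
    present = aliases_in(keytool_list_output)
    return sorted(alias for alias in wanted if alias.lower() not in present)


def list_truststore():
    """Run keytool -list against the Domino JVM cacerts and return its output."""
    result = subprocess.run(
        [str(KEYTOOL), "-list", "-keystore", str(CACERTS), "-storepass", STOREPASS],
        check=True, capture_output=True, text=True)
    return result.stdout


def import_missing(pem_dir):
    """Import every missing certificate (with -trustcacerts); returns the aliases imported."""
    todo = missing_aliases(list_truststore())
    for alias in todo:
        subprocess.run(
            [str(KEYTOOL), "-importcert", "-noprompt", "-trustcacerts",
             "-keystore", str(CACERTS), "-storepass", STOREPASS,
             "-alias", alias, "-file", str(Path(pem_dir) / WANTED[alias])],
            check=True)
    return todo


if __name__ == "__main__":
    # Dry run on the constructed sample, then the real thing if a PEM directory is given.
    print("missing in sample listing:", missing_aliases(SAMPLE_LISTING))
    if len(sys.argv) > 1:
        print("imported:", import_missing(sys.argv[1]))
```

Run it with the directory holding the three PEM files as the only argument; without an argument it only parses the constructed sample. Because the script keys on aliases, re-running it is harmless once the chain is in place, which is what you want from a post-FP step.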


Error: Order’s status (“invalid”) was not pending


You might see the following error message on the Domino console:
28/03/2018 22:51:58   Agent Manager: Agent  error:         at lotus.domino.NotesThread.run(Unknown Source)
28/03/2018 22:51:58   Agent Manager: Agent printing: [ERROR] – Order’s status (“invalid”) was not pending
28/03/2018 22:51:58   Agent Manager: Agent printing: LE4D  – finished!

With the new ACME API, Let's Encrypt has to validate the HTTP challenge again the first time you renew with v2.0. To do this, the challenge token must be reachable on the Domino server over plain HTTP on port 80.

If you only have port 443 enabled, or forward port 80 to 443, the challenge fails and you see this error message.

To be clear: port 80 is only needed for the first challenge validation after the upgrade to LE4D v2.0, and again whenever you change the configuration and add a new host to the existing list of hostnames.

Once the challenge has been validated, you can close port 80 again. It is not needed for subsequent certificate renewals.
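As an added example (not part of LE4D or the original post), the Python script below checks from the outside whether the HTTP-01 challenge path is actually answered on port 80 before you run the agent: it fetches the same URL the Let's Encrypt validation server requests, does not follow redirects, and reports a redirect, a closed port, a 404 and a body mismatch as distinct failures. The host name, token and key authorization are constructed values (the real ones come from the ACME order); the built-in self-test stands in for the Domino HTTP task so the script runs offline.

```python
"""Pre-flight check for the ACME HTTP-01 challenge path before running the LE4D agent.

Added example, not part of LE4D. Fetches http://<host>/.well-known/acme-challenge/<token>
over plain HTTP and compares the body with the expected key authorization.
Redirects are reported, not followed, so a port-80 -> 443 forward shows up as a failure.
"""
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, key_authorization, port=80, timeout=5):
    """Return (ok, reason). ok is True only for an HTTP 200 whose body matches."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    except OSError as exc:  # connection refused, timeout, reset ...
        return False, f"port {port} not reachable: {exc}"
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        return False, (f"redirected to {resp.getheader('Location')}; "
                       f"the challenge must be answered on port {port} itself")
    if resp.status != 200:
        return False, f"HTTP {resp.status}"
    if body != key_authorization:
        return False, "body does not match the key authorization"
    return True, "ok"


class _FakeDomino(BaseHTTPRequestHandler):
    """Constructed stand-in for the Domino HTTP task: serves known tokens, or redirects."""
    tokens = {}        # token -> key authorization
    redirect = False   # simulate "port 80 is forwarded to 443"

    def do_GET(self):
        if self.redirect:
            self.send_response(301)
            self.send_header("Location", "https://" + self.headers["Host"] + self.path)
            self.end_headers()
            return
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        if token in self.tokens:
            body = self.tokens[token].encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the console quiet
        pass


def run_selftest():
    """Exercise the four outcomes against the fake server on a free loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeDomino)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    _FakeDomino.tokens = {"tok123": "tok123.thumbprint"}  # constructed values
    try:
        good = check_http01("127.0.0.1", "tok123", "tok123.thumbprint", port=port)
        missing = check_http01("127.0.0.1", "nosuchtoken", "x", port=port)
        _FakeDomino.redirect = True
        redirected = check_http01("127.0.0.1", "tok123", "tok123.thumbprint", port=port)
        _FakeDomino.redirect = False
    finally:
        srv.shutdown()
        srv.server_close()
    # port is closed now: this is what a firewall that only allows 443 looks like
    refused = check_http01("127.0.0.1", "tok123", "tok123.thumbprint", port=port, timeout=2)
    return good, missing, redirected, refused


if __name__ == "__main__":
    if len(sys.argv) == 4:   # host token key_authorization -> check a real server on port 80
        print(check_http01(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        for label, result in zip(("good", "missing", "redirected", "refused"), run_selftest()):
            print(f"{label}: {result}")
```

Run it from a machine outside your network, since that is where Let's Encrypt connects from; a check that passes from the LAN but fails from the internet points at the firewall or port forward, which is exactly the situation behind the error above.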
