Skip to main content

HTTPS Drama on Domino 12.0

I'm not a big fan of HTTPS. Don't get me wrong, I agree with all of the security and comfort that it provides. I just hate the whole renewal process.

Domino 12 introduces a new way to do HTTPS and it's apparently much easier going forward.  That's great news. Unfortunately, we hit a couple of snags on the way in, and I wanted to warn everyone about them - especially since the workarounds are so simple. 


Domino Needs to Generate the CSR

You're probably thinking that that this is pretty obvious but if so, you're not thinking about wildcard certificates. We use a wildcard certificate *.mydomain.com.au - This allows us to use it across multiple systems, including Domino, Azure, some WordPress websites and a Drupal Website. We also use it in conjunction with several hosted services.

The wildcard certificate allows us to use the same certificate on different subdomains.

For example:

  • www.mydomain.com.au
  • domino.mydomain.com.au
  • azure.mydomain.com.au
  • othersite.mydomain.com.au
  • extranet.mydomain.com.au
The possibilities are endless.

Last year, when we were on Domino 9.0.1, we generated the Certificate Signing Request (CSR) on Domino and set up domino first. Then we did our other sites. 

This year, on Domino 12.0, we generated the CSR in Azure. We were able to use the resulting certificate on several platforms including WordPress and Drupal but it wouldn't load correctly in Domino. 

Eventually we had to generate a CSR from Domino and get a new certificate.  Luckily the newly generated certificate didn't muck up those existing sites. 

Next year, we'll be starting the CSR process at Domino. 

You need 12.0.1 or Higher

The second big issue we hit was that we couldn't stop the server from loading the old certificates, which were done Domino 9 style.  We tried restarting the http task, tried rebooting the server and tried removing the .KYR files from the domino directory -- this last action prevented HTTPS from working at all. 

In the end, we did an impromptu upgrade of our 12.0 servers to 12.0.1 (and added Fix Pack 11). HTTPS started working immediately. 


Hopefully these tips will make your certificate renewal process a little smoother than our last effort. 

Labels:

Comments

Daniel Nashed said…
There is no change in 12.0.1 for the behavior you are describing. The old KYR cache is loading in parallel to the TLS Cache by design -- also in 12.0.1.

This is implemented to ensure that when running the new more modern TLS Cache, the existing KYR files still work until you remove them manually from disk.

The new TLS Cache is always checked first. If no matching TLS Credentials document is found, it will still try to find a KYR file.

There are a couple of improvements in 12.0.1 to help you find out about the configuration used and also for importing. But this all worked the same in 12.0 already!

You can use "load certmgr -showcerts" to see all active TLS Credentials for a server.

It does not matter how you create the CSR nor how you import it.
You don't have to do it in Domino. But importing existing certificates has been improved in 12.0.1 with the import/export UI in certstore.nsf.

In 12.0. you had to import existing PEM based certs into certstore.nsf via "load certmgr -importpem ..".

This command did not enable the imported TLS Credentials automatically for the current server and you had to add your server to "Server with access" to get the private key encrypted for your server.id and to let the TLS Cache load it.

This command has been aligned with the new import functionality in 12.0.1 and automatically adds the own server -- that's the only change I an think of making a difference for you. So you might have missed to enable "Servers with access" for the TLS Credentials document.

Your blog post is based on assumptions and it is misleading for others!


Thanks

Daniel
10:08 pm
Daniele Vistalli said…
I'm having a quite different experience. V12+ (even 12.0) is just working with all scenarios, single hostname, multiple hostnames wherever we create our CSR and however we manage certificates (we use letsencrypt a lot actually.. also to avoid the practice of wildcard certificates that end up everywhere and with little securit).

Looks like, to me, you hit a config iussue more than a bug.
10:39 pm
Post a Comment

Popular posts from this blog

How to Create a Bootable DVD Using Nero Burning ROM 9

I often need to create bootable CDs and DVDs but it's weird because I frequently end up buring myself a new coaster instead. It's not that the process is difficult, just that nero has a few too many options and I forget which ones to choose and end up picking the wrong one. I figured that the best way to avoid this mistake in future would be to write the steps down. Procedure Insert CD or DVD into your DVD Burner. Start Nero Burning ROM 9 Choose DVD-ROM (Boot) or CD-ROM (Boot) depending on what you're creating You'll be prompted for a disk image source. Choose a Nero Source - you'll usually find them somewhere like this... C:\Program Files\Nero\Nero9\Nero Burning Rom\DOSBootImage.ima Leave the Boot Locale as English - unless you really need a different keyboard layout Tick the box marked [X] Enable Expert Settings Choose Hard Drive Emulation and leave any other settings as they are. Click the button marked New Add any files you want but don't try to add operati
11 comments
Read more

How to Change Your Notification Options for New Lotus Notes Mail in version 8.x

Don't worry, I'm not patronizing you (my readers), I just decided to re-document this for one of our internal users and thought you might want to be able to use it in your own user documentation. WHAT IS THIS DOCUMENT ABOUT? Some people who don't get a lot of mail, like to be notified when such an event occurs. Notification can be; via a sound via a pop-up box via the system tray (where the computer clock is) The pop up box looks like this; Other people, who like myself, get too much mail would rather not be notified. The aim of this document is to tell you how (and where) to turn these options on and off. CHANGING YOUR SETTINGS To change your settings from the Notes 8.x client; On the Menu, click File , then Preferences... On the left hand side , click on the little plus sign to the left of Mail to expand the options. Click on the option marked Sending and Receiving . In the middle section, under receiving, you can control your notifications. If you untick the box mark
12 comments
Read more

How to Create an Auto-Response Mail Message in Lotus Notes 8.5.3+

Why would you do this? Suppose that you have an externally accessible generic email address for your company; support@mycompany.com or info@mycompany.com. You might expose this to the web and allow people to send messages to you. Setting up an auto-response email will tell the senders that their message reached its destination and that it will be dealt with accordingly.  It's also good practice to include links to FAQs or other useful information. Why 8.5.3 The techniques we'll be using here work in older versions of Notes but some of the options seem to have moved around in 8.5.3.  I figured it was a good time to show you where they've moved to. The Procedure Start Domino Designer and open the Mail file to be modified.  A really quick way to do this is to right-click on the application tab and choose "Open in Designer". In the Left hand panel of designer, expand Code and then double-click Agents.  A new window should appear. Click the action
22 comments
Read more