
HTTPS Drama on Domino 12.0

I'm not a big fan of HTTPS. Don't get me wrong, I agree with all of the security and comfort that it provides. I just hate the whole renewal process.

Domino 12 introduces a new way to do HTTPS and it's apparently much easier going forward. That's great news. Unfortunately, we hit a couple of snags on the way in, and I wanted to warn everyone about them - especially since the workarounds are so simple.


Domino Needs to Generate the CSR

You're probably thinking that this is pretty obvious, but if so, you're not thinking about wildcard certificates. We use a wildcard certificate, *.mydomain.com.au. This allows us to use it across multiple systems, including Domino, Azure, some WordPress websites and a Drupal website. We also use it in conjunction with several hosted services.

The wildcard certificate allows us to use the same certificate on different subdomains.

For example:

  • www.mydomain.com.au
  • domino.mydomain.com.au
  • azure.mydomain.com.au
  • othersite.mydomain.com.au
  • extranet.mydomain.com.au

The possibilities are endless.
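The list above shows the names a single wildcard covers, but a wildcard only stands in for exactly one DNS label, which is why the bare domain and deeper subdomains still need their own entries. The following matcher is an added example, not code from the original post or from Domino; it implements the standard single-label wildcard rule (RFC 6125 style, with the browser-style refusal of wildcards such as *.com) and goes slightly beyond the post by also showing the names the wildcard does not cover. The hostnames it checks are constructed sample values.

```python
# Added example (not from the original post): single-label wildcard matching
# for TLS certificate names such as *.mydomain.com.au. A wildcard covers
# www.mydomain.com.au and domino.mydomain.com.au, but not mydomain.com.au
# itself and not a.b.mydomain.com.au. All hostnames here are constructed.

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied (RFC 6125 section 6.4.3, plus the usual browser tightening):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire leftmost label;
      * the wildcard matches exactly one label, never zero or several;
      * at least two fixed labels must follow the wildcard (rejects *.com).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        # Plain name: exact label-by-label match.
        return p_labels == h_labels
    # Wildcard must be the whole leftmost label, nothing else may contain '*',
    # and enough fixed labels must remain to the right.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one non-empty label, so the label counts
    # must be equal and every fixed label must match.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hostnames(pattern: str, hostnames):
    """Split `hostnames` into (covered, not_covered) lists for `pattern`."""
    covered = [h for h in hostnames if hostname_matches(pattern, h)]
    not_covered = [h for h in hostnames if not hostname_matches(pattern, h)]
    return covered, not_covered


if __name__ == "__main__":
    # Constructed sample: the subdomains from the post plus names that a
    # single-level wildcard does not cover and would need their own SAN entry.
    sample = [
        "www.mydomain.com.au",
        "domino.mydomain.com.au",
        "extranet.mydomain.com.au",
        "mydomain.com.au",          # bare domain: not covered by *.mydomain.com.au
        "a.b.mydomain.com.au",      # two labels deep: not covered
        "www.otherdomain.com.au",   # different domain entirely
    ]
    ok, bad = covered_hostnames("*.mydomain.com.au", sample)
    print("covered:    ", ok)
    print("not covered:", bad)
```

Before buying or deploying a wildcard, running the intended hostnames through a check like this makes it obvious which ones (typically the bare domain) still need a separate Subject Alternative Name.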

Last year, when we were on Domino 9.0.1, we generated the Certificate Signing Request (CSR) on Domino and set up Domino first. Then we did our other sites.

This year, on Domino 12.0, we generated the CSR in Azure. We were able to use the resulting certificate on several platforms, including WordPress and Drupal, but it wouldn't load correctly in Domino.

Eventually we had to generate a CSR from Domino and get a new certificate. Luckily, the newly generated certificate didn't muck up those existing sites.

Next year, we'll be starting the CSR process at Domino. 

You Need 12.0.1 or Higher

The second big issue we hit was that we couldn't stop the server from loading the old certificates, which were done Domino 9 style. We tried restarting the HTTP task, tried rebooting the server and tried removing the .KYR files from the Domino directory -- this last action prevented HTTPS from working at all.

In the end, we did an impromptu upgrade of our 12.0 servers to 12.0.1 (and added Fix Pack 11). HTTPS started working immediately. 


Hopefully these tips will make your certificate renewal process a little smoother than our last effort. 

Comments

Daniel Nashed said…
There is no change in 12.0.1 for the behavior you are describing. The old KYR cache is loading in parallel to the TLS Cache by design -- also in 12.0.1.

This is implemented to ensure that when running the new more modern TLS Cache, the existing KYR files still work until you remove them manually from disk.

The new TLS Cache is always checked first. If no matching TLS Credentials document is found, it will still try to find a KYR file.

There are a couple of improvements in 12.0.1 to help you find out about the configuration used and also for importing. But this all worked the same in 12.0 already!

You can use "load certmgr -showcerts" to see all active TLS Credentials for a server.

It does not matter how you create the CSR nor how you import it.
You don't have to do it in Domino. But importing existing certificates has been improved in 12.0.1 with the import/export UI in certstore.nsf.

In 12.0, you had to import existing PEM based certs into certstore.nsf via "load certmgr -importpem ..".

This command did not enable the imported TLS Credentials automatically for the current server and you had to add your server to "Server with access" to get the private key encrypted for your server.id and to let the TLS Cache load it.

This command has been aligned with the new import functionality in 12.0.1 and automatically adds the own server -- that's the only change I can think of making a difference for you. So you might have missed enabling "Servers with access" for the TLS Credentials document.

Your blog post is based on assumptions and it is misleading for others!


Thanks

Daniel

I'm having a quite different experience. V12+ (even 12.0) is just working with all scenarios, single hostname, multiple hostnames, wherever we create our CSR and however we manage certificates (we use letsencrypt a lot actually.. also to avoid the practice of wildcard certificates that end up everywhere and with little security).

Looks like, to me, you hit a config issue more than a bug.
