Quick Tip: Running Domino with Let's Encrypt? You may have to do this

Friday, October 7, 2022 at 8:27 AM UTC

We came across an issue with some Java code that uses the Apache HTTP client to access another resource on the same Domino server. It's basically an agent that collects data from other NSFs using an HTTP request.

This works perfectly as long as your server uses a custom wildcard SSL certificate from a "common" certificate authority. However, when you are using the Let's Encrypt certificate you get through Domino's CertMgr, your code may stop working because the HTTP request fails with an error like this:

javax.net.ssl.SSLHandshakeException: 3659

This is because the XSP/HTTP stack is not aware of the Let's Encrypt CA: the server presents a chain that ends in a root the Java runtime on the server does not trust. The solution is to make that CA known to Domino.
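To confirm that the handshake failure really is a missing-root problem before touching the Domino Directory, the following added diagnostic (not code from the original post) performs the TLS handshake twice from a plain JVM: once with the runtime's default trust store, and once trusting only the ISRG Root X1 DER file downloaded from the Let's Encrypt site. If the first attempt fails and the second succeeds, the server chain is fine and only the trust store is missing the root. Host name, port and the DER path are assumed command-line arguments; note that a Domino agent gets its trust from the directory cross-certificate described in this post, not from the JVM cacerts this check uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class LetsEncryptTrustCheck {

    // Runs a TLS handshake with the given socket factory and reports the outcome.
    // Hostname verification is switched on explicitly, as SSLSocket does not do it by default.
    static boolean handshakeSucceeds(String host, int port, SSLSocketFactory factory) throws Exception {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Handshake OK, leaf certificate: " + leaf.getSubjectX500Principal());
            return true;
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            return false;
        }
    }

    // Builds a socket factory whose only trust anchor is the root certificate in the DER file.
    static SSLSocketFactory factoryTrustingOnly(String derPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        try (InputStream in = new FileInputStream(derPath)) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Trust anchor for second attempt: " + root.getSubjectX500Principal());
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory key store
        ks.setCertificateEntry("isrg-root-x1", root);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                      // e.g. your Domino server's host name (assumed)
        int port = Integer.parseInt(args[1]);       // usually 443
        String derPath = args[2];                   // isrgrootx1.der from https://letsencrypt.org/certificates/
        boolean defaultOk = handshakeSucceeds(host, port, (SSLSocketFactory) SSLSocketFactory.getDefault());
        boolean rootOk = handshakeSucceeds(host, port, factoryTrustingOnly(derPath));
        if (!defaultOk && rootOk) {
            System.out.println("Chain validates against ISRG Root X1 only: the runtime's trust store lacks that root.");
        }
    }
}
```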

Ingredients

You need to download the root certificate from Let's Encrypt's website: https://letsencrypt.org/certificates/

I selected the "Active ISRG Root X1" type, "cross signed", file type "der".

Next, have the cert.id of your Domino environment ready to use, and its password of course. The rest is straightforward.

In your Domino Directory, navigate to Configuration, Security, Certificates. In the Notes menu, choose Actions, Import Internet Certificates. Select the .der file you downloaded. You may have to select the DER file type in the file dialog.

In the upcoming dialog review the certificate information and just click "Accept All". The certificate can be found in the view under Internet Certifiers, US, Internet Security Research Group, ISRG Root X1, R3/Let's Encrypt/US.

I have also seen the imported certificate under Internet Certifiers, Digital Signature Trust Co., DST Root CA X3, ISRG Root X1/...

Now, select this document in the view and click Actions, Create Cross Certificate. The following dialogs ask you to define the server and the Domino certificate to which you want to cross-certify the Let's Encrypt one.

After the cross-certificate is created, you can find it in the view under Internet Cross Certificates, <YourDominoCert>, R3/Let's Encrypt/US.

Finally, restart your HTTP task and enjoy your code working again.
Latest comments to this post

Paul Baila wrote on 12.01.2024, 09:13

Thanks. Had upgraded from 11.0.1 FP5 to 11.0.1 FP8 and started getting this error. Worked like a charm.

Filip Navratil wrote on 25.10.2023, 00:47

We upgraded from 12.0.1 to 12.0.2FP2 and started seeing this error. I am not sure why it worked before and not after upgrade. However, your post was a saviour.
