fighting for truth, justice, and a kick-butt lotus notes experience.

Announcing - Lets Encrypt for Domino v2.1 - Just Do SSL

July 12 2019 06:37:24 AM
Today we are pleased to announce version 2.1.0 of midpoints Let's Encrypt 4 Domino, aka LE4D.

LE4D 2.1.0 uses the ACME v2 protocol, is based on Java 8, and is supported on Domino 10 and Domino 9.0.1 FP8+ on Windows and Linux.

What's new in LE4D 2.1.0

- The multi-value Domain field now accepts comma, semicolon and new line as separators.
- New setting: HTML Directory, to support a custom domino/html directory.
- New restart option: restart the Domino server after a successful renewal.
- Extended log messages during agent execution.
- The agent output is added to and saved in the settings document and can be viewed there.
- Additional hints in the settings form make it a little easier to start using LE4D.


Upgrade Instructions

- Request the new version here: https://www.midpoints.de/LE4D
  We send out the new version by mail. Please check your spam folder if you don't receive it within 15 minutes of sending the request.
- Sign the newly downloaded template.
- Upgrade the database design of your existing LE4D database.
- Open the database and your existing settings documents once and save them.


Regarding Let's Encrypt Wildcard Certificates


We are asked quite often about support for Let's Encrypt wildcard certificates, and we already have a running prototype that works really well. But:


For wildcard certificates the Let's Encrypt ACME protocol uses a DNS challenge instead of the HTTP challenge used for a single-server certificate.

We had a running prototype supporting wildcards, but we stopped further development, because you have to add a TXT record containing the challenge to your DNS zone.
The challenge changes with every renewal, so you also have to automate the update of the TXT record on your DNS server.
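To make the two challenge types and the "changes with every renewal" point concrete, here is an added example (not LE4D code) that derives the HTTP-01 response and the DNS-01 TXT value exactly as RFC 8555 specifies them, and then runs the check a CA performs against the published TXT records. The account JWK is constructed and not a real key; the tokens are constructed too, standing in for the fresh token the CA issues per authorization.

```python
"""Challenge values for ACME v2 (RFC 8555): HTTP-01 versus DNS-01.

Added example, not LE4D code. The account JWK below is constructed; only its
public members matter because the RFC 7638 thumbprint covers just those.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, jwk):
    """token '.' thumbprint (RFC 8555 section 8.1); the CA sends a fresh token per authorization."""
    return token + "." + jwk_thumbprint(jwk)


def http01_response(token, jwk):
    """HTTP-01 (section 8.3): (URL path, body) the web server must serve over plain HTTP."""
    return ("/.well-known/acme-challenge/" + token, key_authorization(token, jwk))


def dns01_record(domain, token, jwk):
    """DNS-01 (section 8.4): (owner name, TXT value). For '*.example.com' the owner
    is _acme-challenge.example.com, i.e. the wildcard label is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return ("_acme-challenge." + base, b64url(digest))


def dns01_validates(served_txt_values, expected_value):
    """What the CA checks: some TXT RR at the owner name equals the expected value.
    A value left over from the previous renewal fails this check."""
    return any(v == expected_value for v in served_txt_values)


# Constructed account key: 'n' is an arbitrary base64url-safe string, not a real modulus.
# The extra 'kid' member is deliberately present to show the thumbprint ignores it.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "not-a-real-modulus-only-for-the-example",
    "kid": "ignored-by-thumbprint",
}


if __name__ == "__main__":
    # Two consecutive renewals: the CA issues a new token each time, so the TXT
    # value changes and the record must be rewritten before every renewal.
    first_token, second_token = "tok-renewal-1", "tok-renewal-2"
    name, value1 = dns01_record("*.example.com", first_token, SAMPLE_JWK)
    _, value2 = dns01_record("*.example.com", second_token, SAMPLE_JWK)
    print(name, "TXT", value1)
    print("stale record still valid on second renewal?", dns01_validates([value1], value2))
    path, body = http01_response(first_token, SAMPLE_JWK)
    print("HTTP-01:", path, "->", body)
```

Running the script prints the owner name `_acme-challenge.example.com` with its 43-character TXT value, then `False` for the stale-record check, which is why an automated TXT update (or a delegated DNS server that answers with the current value) is needed for unattended wildcard renewals.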

The problem is that every DNS server product or hosting provider offers its own set of APIs for this. There is no standard DNS API.

Our own hoster, for example, does not provide any DNS API at all, only a web front end to manage the DNS zone.
We tried to find a solution by running a small local DNS server integrated into LE4D and configuring a DNS delegation for the ACME DNS challenge that points to that local DNS server.
It works, yeah! We can get Let's Encrypt wildcard certificates issued by LE4D running on your Domino server, and we were able to do automated renewals.

But the requirements and configuration are complex. You have to make changes to your DNS zone (hint: DNS delegation) and add firewall rules to allow incoming DNS queries to the DNS server integrated into LE4D. We have already started writing documentation, but it is a long list of steps and the number of possible error cases is high.

Because LE4D is free and we don't make any money with it, the support and development time needed to implement and test against all the different DNS APIs would cost us too much time and money :-(


So, at the moment LE4D does not support wildcard certificates.



If you have any feedback or suggestions, please let us know.


Let's Encrypt!

Comments

1. Friedhelm Klein, 07/12/2019 8:39:44 AM, Announcing - Lets Encrypt for Domino v2.1 - Just Do SSL

Hello Detlev, many thanks and, as always, great work. I will take a look at it right away.

2. Richard Pajerski, 07/12/2019 9:16:40 PM, Announcing - Lets Encrypt for Domino v2.1 - Just Do SSL

Hello Detlev --

By coincidence, we just released LEND today -- which looks like it does very much the same thing as LE4D -- with the same version number: 2.1.0!

We added the DNS Challenge into the product back in December 2018 and faced the same hurdles as you. There is no standard way to update DNS settings across the various cloud providers which makes full automation problematic.

What we do to address that is send an email reminder to administrators to update the TXT records at renewal time. After that, it's a simple button click to continue the certificate renewal and then once again to accept the challenge. It works well but still requires a bit of manual intervention.

If you only have a handful of domains that need LE, we've found it's simpler to define those sites once and let LEND do all of the automation thereafter over HTTP.

Best of luck with the LE4D product!

Richard
