fighting for truth, justice, and a kick-butt lotus notes experience.

midpoints LE4D 2.0 – some hints

March 30 2018 10:31:29 AM
On March 28th, we released Let's Encrypt 4 Domino, aka LE4D. If you are running LE4D v1.x, you must update to v2.0.

Certificate renewal no longer works with v1.x because of changes Let's Encrypt made to their API endpoint.

If you are new to Let's Encrypt 4 Domino you can get it here: https://www.midpoints.de/de-solutions-LE4D

Here are some additional hints to get v2.0 working:

Settings documents are disabled after design update to v2.0

In v2.0, we added a new feature to toggle the status of settings documents.

All new settings are disabled by default. You have to enable them before running the agent.

Error: No trusted certificates found


You might see the following error message on the Domino console:
29.03.2018 08:21:39   Agent Manager: Agent  error: Caused by:
29.03.2018 08:21:39   Agent Manager: Agent  error: com.ibm.jsse2.util.h: No trusted certificate found

29.03.2018 08:21:39   Agent Manager: Agent  error:         at com.ibm.jsse2.util.g.a(g.java:21)

This happens most likely after you have applied a Domino FP or HF. In all cases we have seen, the JVM's cacerts keystore is replaced with the default cacerts during the FP/HF install, so the Let's Encrypt certificates you imported are lost.

To fix this problem, you have to import the needed certificates again.

The certificates can be found here https://letsencrypt.org/certificates/

You should import the ISRG Root X1 CA and the two intermediate certs:

- ISRG Root X1 (self-signed)
- Let’s Encrypt Authority X3 (IdenTrust cross-signed)
- Let’s Encrypt Authority X3 (Signed by ISRG Root X1)


A “HowTo” about importing the certs can be found here:

http://abdata.ch/add-a-root-certificate-to-ibm-domino-jvm-keystore/


Error: Order’s status (“invalid”) was not pending


You might see the following error message on the Domino console:
28/03/2018 22:51:58   Agent Manager: Agent  error:         at lotus.domino.NotesThread.run(Unknown Source)
28/03/2018 22:51:58   Agent Manager: Agent printing: [ERROR] – Order’s status (“invalid”) was not pending

28/03/2018 22:51:58   Agent Manager: Agent printing: LE4D  – finished!

Due to the change in the underlying ACME protocol, Let’s Encrypt needs to re-validate the HTTP challenge on certificate renewal.
To do this, the challenge token must be accessible on the Domino server on port 80.

If you only have port 443 enabled or forward port 80 to 443, then the challenge will fail and you will see the error message.

Just for clarification: port 80 is only needed for the first challenge validation after the upgrade to LE4D v2.0. It is also needed when you change the configuration and add a new host to the existing list of hostnames.

After the challenge has been validated, you can close port 80 again. It is not needed for certificate renewal.
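The following pre-flight check is an added example and not part of LE4D or this post. It fetches the HTTP-01 challenge path over port 80 exactly as Let's Encrypt does (no redirects followed) and maps the response to the causes discussed here: a redirect from port 80 to 443, anonymous access denied, an HTTP task that is not running, or a different document being served. The hostname and token are constructed sample values.

```python
"""Pre-flight check for the LE4D HTTP-01 challenge (added example, not LE4D code).

Let's Encrypt fetches http://<host>/.well-known/acme-challenge/<token> on
port 80 and expects the key authorization (<token>.<account thumbprint>)
back.  If Domino redirects port 80 to 443, demands authentication, or serves
some other page, the ACME order becomes "invalid" and LE4D reports the
"Order's status" error quoted above.
"""
import http.client
from typing import Mapping

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_url(hostname: str, token: str) -> str:
    """Build the URL the ACME server will fetch: always plain HTTP on port 80."""
    if not hostname.strip() or "/" in hostname or ":" in hostname:
        raise ValueError("use a bare, resolvable hostname (e.g. webmail.example.com)")
    return f"http://{hostname}{CHALLENGE_PREFIX}{token}"


def diagnose(status: int, headers: Mapping[str, str], body: str, token: str) -> str:
    """Map one HTTP response to a finding; returns 'ok' or a short reason."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        loc = hdrs.get("location", "")
        if loc.lower().startswith("https://"):
            return "redirect to HTTPS: port 80 must serve the token directly"
        return f"unexpected redirect to {loc or '<no Location>'}"
    if status in (401, 403):
        return "authentication required: anonymous access on port 80 is needed"
    if status == 404:
        return "token not found: HTTP task not running or wrong html directory"
    if status != 200:
        return f"unexpected HTTP status {status}"
    # Key authorization is "<token>.<thumbprint>"; the thumbprint is not needed here.
    if not body.strip().startswith(token + "."):
        return "wrong body: another document is served instead of the token"
    return "ok"


def check_live(hostname: str, token: str, timeout: float = 10.0) -> str:
    """Fetch the challenge on port 80 without following redirects and diagnose it."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return diagnose(resp.status, dict(resp.getheaders()), body, token)
    except OSError as exc:
        return f"connection failed: {exc} (is port 80 open and the HTTP task running?)"
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage: python le4d_check.py webmail.example.com <token from the LE4D console output>
    print(check_live(sys.argv[1], sys.argv[2]))
```

The token to pass is the file name LE4D prints in the "... challenge:" console line while the agent runs; run the check from outside your network so it sees the same path Let's Encrypt sees.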
Comments

1. Michal Novacek  05/10/2018 8:40:03 AM  midpoints LE4D 2.0 – some hints

Hi Detlev, I just upgraded LE4D and after running letsencrypt agent got an error message:

Agent printing: [ERROR] - Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent printing: LE4D - finished!

Port 80 is opened and Domino version is 9.0.1FP9HF139.

Any suggestions would be great.

Thank you

Michal

2. scholle  06/12/2018 11:07:57 AM  midpoints LE4D 2.0 – some hints

Hi,

I have the same problem:

Agent Manager: Agent error: org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:431)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:359)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:174)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:154)

Agent Manager: Agent error: at org.shredzone.acme4j.Order.execute(Order.java:133)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.downloadCertificate(Le4dManager.java:255)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.orderCertificateUseHTTPChallenge(Le4dManager.java:207)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.process(Le4dManager.java:132)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.run(Le4dManager.java:97)

Agent Manager: Agent error: at de.midpoints.MPStarter.NotesMain(MPStarter.java:16)

Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)

Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)

Agent Manager: Agent printing: [ERROR] - Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent printing: LE4D - finished!

AMgr: Agent 'letsencrypt' in 'le4d_v2.nsf' completed execution

domino linux v9.01 FP10

3. scholle  06/12/2018 11:14:08 AM  midpoints LE4D 2.0 – some hints

Please delete the post,

silly me, I hadn't noticed that the HTTP server wasn't running!

After I started the task, le4d ran through!

4. Detlev Poettgen  06/12/2018 2:51:07 PM  midpoints LE4D 2.0 – some hints

:-)

5. Paul Maechler  01/30/2019 3:54:19 PM  Network error

I get the following errors on a Domino 9 server with FP10 on 2008R2:

30.01.2019 16:40:37 AMgr: Start executing agent 'letsencrypt' in 'l4d.nsf'

30.01.2019 16:40:39 Agent Manager: Agent printing: Requesting certificates.

30.01.2019 16:40:39 Agent Manager: Agent printing: Session URL: acme://letsencrypt.org

30.01.2019 16:40:39 Agent Manager: Agent error: org.shredzone.acme4j.exception.AcmeNetworkException: Network error

30.01.2019 16:40:39 Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendRequest(DefaultConnection.java:148)

30.01.2019 16:40:39 Agent Manager: Agent error: at org.shredzone.acme4j.provider.AbstractAcmeProvider.directory(AbstractAcmeProvider.java:57)

30.01.2019 16:40:39 Agent Manager: Agent error: at org.shredzone.acme4j.Session.readDirectory(Session.java:190)

30.01.2019 16:40:39 Agent Manager: Agent error: at org.shredzone.acme4j.Session.resourceUrl(Session.java:159)

30.01.2019 16:40:39 Agent Manager: Agent error: at org.shredzone.acme4j.AccountBuilder.createLogin(AccountBuilder.java:188)

30.01.2019 16:40:39 Agent Manager: Agent error: at org.shredzone.acme4j.AccountBuilder.create(AccountBuilder.java:166)

30.01.2019 16:40:39 Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.findOrRegisterAccount(Le4dManager.java:158)

30.01.2019 16:40:39 Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.orderCertificateUseHTTPChallenge(Le4dManager.java:177)

30.01.2019 16:40:39 Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.process(Le4dManager.java:132)

30.01.2019 16:40:39 Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.run(Le4dManager.java:97)

30.01.2019 16:40:39 Agent Manager: Agent error: at de.midpoints.MPStarter.NotesMain(MPStarter.java:16)

30.01.2019 16:40:39 Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)

30.01.2019 16:40:39 Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)

30.01.2019 16:40:39 Agent Manager: Agent error: Caused by:

30.01.2019 16:40:39 Agent Manager: Agent error: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found

Does anyone know a solution?

I don't understand the reason for "No trusted certificate found".

Thanks

Paul

6. Detlev Poettgen  01/31/2019 9:34:43 AM  Network error

Please have a look at page 6 of the First Steps PDF.

The Let's Encrypt root and the two intermediate certificates must be imported into the Java keystore if Domino <10.0.1 is used.

If problems persist, just send a mail to the mail address given in the PDF.

7. Frank Dröge  02/17/2019 5:13:11 PM  midpoints LE4D 2.0 – some hints

Hello Detlev,

in staging mode, with the HTTP server running and port 80 open, I also get the message "Order's status ("invalid") is not acceptable for finalization"

I have Domino 10.0.1 on Win 2016. Have I perhaps installed too many certificates (5 in total for staging & prod)? I saw that there was already something from Let's Encrypt in Domino's cacerts... your posting also suggests that with 10.0.1 one may have to proceed differently than stated in the PDF?

Best regards

Frank

8. Mike  04/29/2019 10:07:02 PM  midpoints LE4D 2.0 – some hints

Hi

I've just installed LE4D and run it for the very first time.

It is not completing properly, I get the final entry in log.nsf as follows:

Agent Manager: Agent printing: [ERROR] - Order's status ("invalid") is not acceptable for finalization

domino server is 10.0.1 FP1 for Windows running on Server2012 R2.

C:\temp contains a folder with a very long string as its name which itself contains:

Domain.csr

Domain,key

User.key

all are 2Kb in size and appear to be correctly formatted CSRs and Keys

I have noticed that there is no keyfile.kyr in the Data Directory.

Thanks is advance for any help.

9. Dan  10/09/2019 12:36:43 PM  midpoints LE4D 2.0 – some hints

Hi Detlev,

Thanks for the great tool.

I'm getting the following too - "Order's status ("invalid") is not acceptable for finalization"

Agent Manager: Agent error: org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:431)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:359)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:174)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:154)

Agent Manager: Agent error: at org.shredzone.acme4j.Order.execute(Order.java:133)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.downloadCertificate(Le4dManager.java:255)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.orderCertificateUseHTTPChallenge(Le4dManager.java:207)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.process(Le4dManager.java:132)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.run(Le4dManager.java:97)

Agent Manager: Agent error: at de.midpoints.MPStarter.NotesMain(MPStarter.java:16)

Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)

Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)

Agent Manager: Agent printing: [ERROR] - Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent printing: LE4D - finished!

I've tested from external that I can get to and download the files held in the /.well-known/acme-challenge folder via HTTP.

wondered if you would be able to advise what might have gone wrong with this install.

Kind regards in advance

Dan

10. Roland  10/16/2019 10:25:31 AM  midpoints LE4D 2.0 – some hints

Hi, great tool :-) I got it running on one server (ver 9.0.latest) but on the other (ver 10.0.3) I get the same error as others reported here:

Agent Manager: Agent error: org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:431)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:359)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:174)

Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:154)

Agent Manager: Agent error: at org.shredzone.acme4j.Order.execute(Order.java:133)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.downloadCertificate(Le4dManager.java:255)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.orderCertificateUseHTTPChallenge(Le4dManager.java:207)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.process(Le4dManager.java:132)

Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.run(Le4dManager.java:97)

Agent Manager: Agent error: at de.midpoints.MPStarter.NotesMain(MPStarter.java:16)

Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)

Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)

Agent Manager: Agent printing: [ERROR] - Order's status ("invalid") is not acceptable for finalization

Agent Manager: Agent printing: LE4D - finished!

AMgr: Agent 'letsencrypt' in 'system/le4d.nsf' completed execution

It's hard to trace the error, since I followed and double-checked the configurations.

11. Roland  10/16/2019 11:08:06 AM  midpoints LE4D 2.0 – some hints

tested on production and staging environment, error remains the same:

[ERROR] - Order's status ("invalid") is not acceptable for finalization

tested on Domino v 10.0.1FP3 on Linux CentOS7

I don't know how to solve this issue.

12. David  11/20/2019 8:55:14 PM  midpoints LE4D 2.0 – some hints

I configured LE4D in August and it worked fine.

I just forgot to create the program document so it would renew. It expired today. I tried running the agent manually and got the error below. I also opened port 80 and it still fails. I switched it to run in staging mode until we get this fixed.

tell amgr run "ssl\letsencrypt.nsf" 'letsencrypt'

[0F30:0042-037C] 11/20/2019 12:47:14 PM Remote console command issued by David S Hablewitz/AICorp: tell amgr run "ssl\letsencrypt.nsf" 'letsencrypt'

[0628:0002-0FE4] 11/20/2019 12:47:19 PM JVM: Java Virtual Machine initialized.

[0628:0006-0E60] 11/20/2019 12:47:19 PM AMgr: Start executing agent 'letsencrypt' in 'ssl\letsencrypt.nsf'

[0628:0008-0AAC] 11/20/2019 12:47:21 PM Agent Manager: Agent printing: Requesting certificates.

[0628:0008-0AAC] 11/20/2019 12:47:21 PM Agent Manager: Agent printing: Running in staging mode

[0628:0008-0AAC] 11/20/2019 12:47:21 PM Agent Manager: Agent printing: Session URL: acme://letsencrypt.org/staging

[0628:0008-0AAC] 11/20/2019 12:47:24 PM Agent Manager: Agent printing: ... challenge:E:\Lotus\Domino\data\domino\html\.well-known\acme-challenge\CwMtbTQ7n6Z8hL4-M0U-RpccmYu0HfsO_H-n84-h0cI

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: org.shredzone.acme4j.exception.AcmeServerException: Order's status ("invalid") is not acceptable for finalization

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:431)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:359)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:174)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:154)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at org.shredzone.acme4j.Order.execute(Order.java:133)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.downloadCertificate(Le4dManager.java:255)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.orderCertificateUseHTTPChallenge(Le4dManager.java:207)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.process(Le4dManager.java:132)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at de.midpoints.le4d.manager.Le4dManager.run(Le4dManager.java:97)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at de.midpoints.MPStarter.NotesMain(MPStarter.java:16)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent printing: [ERROR] - Order's status ("invalid") is not acceptable for finalization

[0628:0008-0AAC] 11/20/2019 12:48:28 PM Agent Manager: Agent printing: LE4D - finished!

[0628:0006-0E60] 11/20/2019 12:48:28 PM AMgr: Agent 'letsencrypt' in 'ssl\letsencrypt.nsf' completed execution

13. David  11/20/2019 9:08:27 PM  midpoints LE4D 2.0 – some hints

Never mind.

While I had changed port 80 from redirect to ssl, I also had it set to now allow anonymous. I did that and the renewal worked. Thanks!

14. Fabrice  01/02/2020 12:02:00 AM  midpoints LE4D 2.0 – some hints

Order's status ("invalid") is not acceptable for finalization

I solved this error with a correct value in "Internet Domain Name" (the very first field in the Settings doc). I had put a real "domain name", like acme.com. I had to put in something that can be addressed, like "webmail.acme.com".

The documentation shows several values in that field, and a bare "domain name": how does the robot use these values to get the challenge file? Does it handle wildcards? Does it default to www?

Anyway it works like a charm now, thank you !
