midpoints LE4D 2.0 – some hints

On March, 28th, we released LE4D v2.0. If you are running LE4D v1.x, you must update to v2.0. Certificate renewal will no longer work with v1.x because of some changes on the Let’s Encrypt API endpoint.

Here are some additional hints.

Settings documents are disabled after design change

In v2.0, we added a new feature to toggle the status of setings documents. All new settings are disabled by default. And also, after the design replace, you have to enable them prior to run the agent.

LE4DDisabled

Error: No trusted certificates found

You might see the following error message on the Domino console:

29.03.2018 08:21:39   Agent Manager: Agent  error: Caused by:
29.03.2018 08:21:39   Agent Manager: Agent  error: com.ibm.jsse2.util.h: No trusted certificate found
29.03.2018 08:21:39   Agent Manager: Agent  error:         at com.ibm.jsse2.util.g.a(g.java:21)

This happens most likely after you have applied a FP or HF. In all cases we have seen, the cacerts is replaced with the default cacerts during FP/ HF install.

To fix this problem, you have to import the needed certificates again.

The certificates can be found here https://letsencrypt.org/certificates/

An “HowTo” about importing the certs can be found here http://abdata.ch/add-a-root-certificate-to-ibm-domino-jvm-keystore/

Error: Order’s status (“invalid”) was not pending

You might see the following error message on the Domino console:

28/03/2018 22:51:58   Agent Manager: Agent  error:         at lotus.domino.NotesThread.run(Unknown Source)
28/03/2018 22:51:58   Agent Manager: Agent printing: [ERROR] – Order’s status (“invalid”) was not pending
28/03/2018 22:51:58   Agent Manager: Agent printing: LE4D  – finished!

Due to the change in the underlying ACME protocol, Let’s Encrypt needs to re-validate the HTTP challenge on certificate renewal. Do do this, the challenge token must be accessible on the Domino server on port 80.

If you only have port 443 open, then the challenge will fail and you will see the error message.

Just for clarification. Port 80 is only needed for the first time challenge validation after the upgrade to LE4D v2.0. It is also needed, when you change the configuration and add a new host to the existing list of hostnames.

After the challenge has been validated, you can close port 80 again. It is not needed for certificate renewal.

 

5 thoughts on “midpoints LE4D 2.0 – some hints

  1. Excellent timing, I was looking to see if there were any updates earlier this week in regards to ACMEv2 which is required for the now supported wildcard certificates. Does this new version of LE4D support them? I know the validation process has to be done through DNS instead of HTTP.

    • Thanks for the feedback. The biggest pain was the internal connection. That caused a lot of support effort. I am glad, that I could strip it out. Now you have no problem when already using self-signed certificates. Prior to v2.0 you had to re-configure your server to use port 80 first, then get the LE certificate and switch back to port 443.
      Now you can leave all as is and just request a valid LE certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *

11 + 8 =