midpoints LE4D 2.0 – some hints

On March 28th, we released LE4D v2.0. If you are running LE4D v1.x, you must update to v2.0. Certificate renewal will no longer work with v1.x because of some changes on the Let’s Encrypt API endpoint.

Here are some additional hints.

Settings documents are disabled after design change

In v2.0, we added a new feature to toggle the status of settings documents. All new settings documents are disabled by default. Also, after the design replacement, you have to enable the existing ones before running the agent.

[Screenshot: LE4DDisabled]

Error: No trusted certificates found

You might see the following error message on the Domino console:

29.03.2018 08:21:39   Agent Manager: Agent  error: Caused by:
29.03.2018 08:21:39   Agent Manager: Agent  error: com.ibm.jsse2.util.h: No trusted certificate found
29.03.2018 08:21:39   Agent Manager: Agent  error:         at com.ibm.jsse2.util.g.a(g.java:21)

This happens most likely after you have applied a Fix Pack (FP) or Hotfix (HF). In all cases we have seen, the JVM cacerts keystore is replaced with the default cacerts during the FP/HF install, so the Let’s Encrypt root certificates that LE4D relies on are gone.

To fix this problem, you have to import the needed certificates again.

The certificates can be found here: https://letsencrypt.org/certificates/

A “HowTo” about importing the certs can be found here: http://abdata.ch/add-a-root-certificate-to-ibm-domino-jvm-keystore/

Error: Order’s status (“invalid”) was not pending

You might see the following error message on the Domino console:

28/03/2018 22:51:58   Agent Manager: Agent  error:         at lotus.domino.NotesThread.run(Unknown Source)
28/03/2018 22:51:58   Agent Manager: Agent printing: [ERROR] – Order’s status (“invalid”) was not pending
28/03/2018 22:51:58   Agent Manager: Agent printing: LE4D  – finished!

Due to the change in the underlying ACME protocol, Let’s Encrypt needs to re-validate the HTTP challenge on certificate renewal. To do this, the challenge token must be accessible on the Domino server on port 80.

If you only have port 443 open, then the challenge will fail and you will see the error message.

Just for clarification. Port 80 is only needed for the first time challenge validation after the upgrade to LE4D v2.0. It is also needed, when you change the configuration and add a new host to the existing list of hostnames.

After the challenge has been validated, you can close port 80 again. It is not needed for certificate renewal.
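To check the port-80 requirement before running the agent, here is an added pre-flight probe (example code, not part of LE4D or this post). It fetches the challenge URL over plain HTTP exactly as the validator does and reports whether port 80 is unreachable, redirects, or serves the expected body; the hostname, token and expected key authorization (token plus account-key thumbprint, per ACME HTTP-01) are placeholders you supply.

```python
"""Pre-flight check for the HTTP-01 challenge on port 80 (added example)."""
import socket
from typing import Dict, Tuple

# Standard ACME HTTP-01 path; the validator requests http://<host>/.well-known/acme-challenge/<token>
ACME_PATH = "/.well-known/acme-challenge/"


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status: int, headers: Dict[str, str], body: bytes, expected: str) -> str:
    """Map a response to what the Let's Encrypt validator would observe."""
    if 300 <= status < 400:
        # Redirects are reported, not judged: the page only says port 80 must answer.
        target = headers.get("location", "").lower()
        return "redirect-https" if target.startswith("https://") else "redirect-http"
    if status != 200:
        return f"http-{status}"
    return "ok" if body.strip() == expected.encode() else "wrong-body"


def probe(host: str, token: str, expected: str, timeout: float = 5.0) -> str:
    """Request the token over plain HTTP on port 80 and classify the outcome."""
    try:
        with socket.create_connection((host, 80), timeout=timeout) as sock:
            request = (f"GET {ACME_PATH}{token} HTTP/1.1\r\nHost: {host}\r\n"
                       "Connection: close\r\n\r\n").encode()
            sock.sendall(request)
            chunks = []
            while chunk := sock.recv(4096):
                chunks.append(chunk)
    except OSError as exc:  # refused, timeout, no route: port 80 is not reachable
        return f"port-80-unreachable ({type(exc).__name__})"
    return classify(*parse_http_response(b"".join(chunks)), expected)


if __name__ == "__main__":
    # Constructed placeholders: use your Domino hostname and the token/key
    # authorization of the pending challenge.
    print(probe("domino.example.com", "TOKEN", "TOKEN.THUMBPRINT"))
```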


5 thoughts on “midpoints LE4D 2.0 – some hints”

  1. Excellent timing, I was looking to see if there were any updates earlier this week in regards to ACMEv2 which is required for the now supported wildcard certificates. Does this new version of LE4D support them? I know the validation process has to be done through DNS instead of HTTP.

    • Thanks for the feedback. The biggest pain was the internal connection. That caused a lot of support effort. I am glad that I could strip it out. Now you have no problem when already using self-signed certificates. Prior to v2.0 you had to re-configure your server to use port 80 first, then get the LE certificate and switch back to port 443.
      Now you can leave all as is and just request a valid LE certificate.
