Let's Encrypt CA challenge options

When you receive a certificate from the Let's Encrypt CA, its servers use challenges to validate that you control the domain names in the certificate. Two types of challenges are supported, both of which can be used with Domino.

HTTP-01 challenge

With this configuration, a challenge from the Let's Encrypt servers is stored on the HTTP server, where it is accessed through a well-known URL over port 80. Certificate request processing involves only your servers and the Let's Encrypt servers. In the case of Domino, the DSAPI is used to manage the interactions between the Let's Encrypt CA and Domino. This challenge is the easiest to configure and is the one typically used.

DNS-01 challenge

With this configuration, a TXT record containing challenge information from the Let's Encrypt servers is added to your registered DNS domain. To validate a request, the Let's Encrypt server verifies the challenge in the TXT record.

Your DNS provider's TXT record API is used to automate adding the challenge to a TXT record. The required API coding is implemented through a DNS Provider Configuration document created in certstore.nsf.

Use of the DNS-01 challenge offers these advantages:
  • DNS-01 allows the Let's Encrypt CA to verify a whole domain, in contrast to HTTP-01, which can only validate host by host. Therefore, DNS-01 challenges support wildcard certificates such as *.mydomain.com.
  • Access to port 80 on your Domino web server from the public internet is not required.

If a DNS Provider Configuration and a DNS Provider Account are enabled in certstore.nsf for a host name specified in the TLS Credential document created to submit a request, DNS-01 challenges are used rather than HTTP-01 challenges. In this case, a DNS server uses the DNS API integration in the DNS Provider Configuration to write the challenge information into a DNS TXT record in your registered domain.
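As an added example, not part of this HCL documentation or of CertMgr, the following Python derives what an ACME client must publish for each challenge type per RFC 8555 (the HTTP-01 response body, and the DNS-01 TXT record name and value, including the wildcard case) and checks a returned TXT record set against it. The token and JWK values are constructed, not real.

```python
"""Compute ACME HTTP-01 / DNS-01 challenge values (RFC 8555) and verify a TXT answer."""
import base64
import hashlib
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    # RFC 8555 uses unpadded base64url for tokens, thumbprints and digests.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the JSON of the required public members only,
    # lexicographically sorted, no whitespace. Extra members (alg, kid) are ignored.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # HTTP-01: this exact string is the body the CA expects at
    # http://<host>/.well-known/acme-challenge/<token> on port 80.
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    # DNS-01: the TXT record holds base64url(SHA-256(key authorization)),
    # so the account key itself never appears in DNS.
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    # The record lives at _acme-challenge.<domain>. For a wildcard request the
    # leading "*." is dropped, so *.mydomain.com and mydomain.com share one name.
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def txt_record_satisfies(txt_answers: Iterable[str], token: str, jwk: dict) -> bool:
    # A resolver may return several TXT strings (e.g. stale ones from earlier
    # orders); the CA is satisfied if any string in the set matches.
    return dns01_txt_value(token, jwk) in set(txt_answers)


# Constructed sample values (hypothetical token and EC key coordinates).
SAMPLE_TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3j"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
```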

CertMgr offers flexibility in creating a DNS Provider Configuration document. A DXL file is available that contains reference API implementations for two specific DNS providers, using those providers' DNS APIs. If you use one of these DNS providers, you can simply import the DXL file into certstore.nsf to create the required DNS Provider Configuration document, which is then ready to use. If your DNS provider is not one of the two reference providers, you or a business partner can develop a DNS Provider Configuration using your DNS provider's API. To get the reference DXL file and to learn how to build your own DNS provider configuration, see article KB0089487 on the HCL Support site.