Preparing a Domino server to request certificates using HTTP-01 challenges

After you've run CertMgr to create certstore.nsf, follow the steps in this procedure to prepare the CertMgr server to request a certificate from the Let's Encrypt® CA using HTTP-01 challenges.

About this task

A Domino 12 server running the CertMgr task must request the certificate. The server for which the certificate is requested can be an internet-facing Domino 10, 11, or 12 Web server running on 64-bit Windows or Linux.

Procedure

  1. Review the Certificate Store (certstore.nsf) ACL. Administrators and Domino servers in the domain require Manager access and the Administrator role. LocalDomainAdmins and LocalDomainServers have this access by default.
  2. Configure the outgoing HTTPS port (443) on the CertMgr server. If the server connects to Let's Encrypt® servers through a proxy server, configure a proxy account in certstore.nsf. For more information, see Configuring CertMgr to connect through a proxy.
  3. Use the notes.ini setting HttpPublicURLs to configure the Web server for which the certificate is being requested to respond to HTTP requests on port 80 on the .well-known/acme-challenge/ URL.
    The following example uses the notes.ini setting HttpPublicURLs to define the .well-known/acme-challenge/ URL and to use an iNotes or Verse redirect login database:
    HttpPublicURLs=/redir.nsf/*:/.well-known/acme-challenge/*
    Note: For this Beta, redirecting HTTP (Port 80) to HTTPS (Port 443) is not supported.
  4. Enable the required DSAPI filter on the Web server for which the certificate is being requested:
    1. If using a Web Site document, click the Configuration tab. If using a Server document, click the Internet Protocols > HTTP tab.
    2. In the DSAPI section of the document, enter one of the following values in the DSAPI filter file names field.

      On Windows, enter ncertmgrdsapi.

      On Linux, enter certmgrdsapi.

  5. If the Web server for which the certificate is requested is not the CertMgr server, complete these steps:
    1. Make sure the Web server has access to the Certificate Store (certstore.nsf) database on the Domino 12 server.
    2. Add the following notes.ini setting to the Web server to identify the Domino server making the request:
      CertMgr_Server=<Domino12_servername>
      For example:
      CertMgr_Server=domino-v12/Srv/Renovations
  6. Restart the HTTP task on the Web server:
    restart task http
  7. If CertMgr connects to Let's Encrypt servers through a proxy server, complete the procedure Configuring CertMgr to connect through a proxy.
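A pre-flight check for steps 3 through 5, added here as an example and not part of HCL's documentation or code: it parses a notes.ini fragment for the HttpPublicURLs and CertMgr_Server settings, and judges a response fetched from the port 80 challenge URL so that the unsupported HTTP-to-HTTPS redirect is caught before the ACME request is made. The sample notes.ini text is constructed; the colon as separator in HttpPublicURLs and case-insensitive setting names are assumptions about the notes.ini format.

```python
"""Pre-flight checks for the HTTP-01 settings on the Domino Web server (added example)."""

ACME_PATH = "/.well-known/acme-challenge/*"

# Constructed sample notes.ini fragment for a Web server that is NOT the CertMgr server.
SAMPLE_INI = """\
; constructed sample, not a real server's notes.ini
HttpPublicURLs=/redir.nsf/*:/.well-known/acme-challenge/*
CertMgr_Server=domino-v12/Srv/Renovations
"""


def parse_notes_ini(text):
    """Return {key: value} for 'Key=value' lines; keys lower-cased (assumed case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, comment, or not a setting
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_web_server_ini(text, is_certmgr_server):
    """Return a list of findings; an empty list means the settings match steps 3 and 5."""
    findings = []
    s = parse_notes_ini(text)
    # Assumption: multiple HttpPublicURLs entries are separated by ':' as in the page's example.
    urls = [u for u in s.get("httppublicurls", "").split(":") if u]
    if ACME_PATH not in urls:
        findings.append("HttpPublicURLs does not list " + ACME_PATH)
    if not is_certmgr_server and not s.get("certmgr_server"):
        findings.append("CertMgr_Server is missing on a Web server that is not the CertMgr server")
    return findings


def check_challenge_response(status, headers):
    """Judge a plain-HTTP response for http://<host>/.well-known/acme-challenge/<token>.

    The page states that redirecting port 80 to HTTPS is not supported for this Beta,
    so a 3xx with an https:// Location is reported as a configuration problem.
    """
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if 300 <= status < 400 and location.lower().startswith("https://"):
        return "redirects to HTTPS: not supported for HTTP-01 on this release"
    if status != 200:
        return "unexpected status %d" % status
    return "ok"
```

Run the checks against the Web server's notes.ini before restarting HTTP, and fetch the challenge URL over plain HTTP with redirects disabled so the status and Location header reach check_challenge_response unchanged.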

What to do next

Complete the procedure Configuring the ACME account profiles