Migrate Certificate to Domino Keystore

This article is the last one discovering the migration of Let's encrypt certificates to a domino environment. The previous artile was about Create Certificates with Let's Encrypt.

Now we can pickup the certificate. It will be stored on the filesystem of your server where you issued the certbot-auto command. The application tells you were you can pickup the certificate.  In our case the cerficates are located at

/etc/letsencrypte/archive/<nameOfTheServer>

Switch to that directory and copy all four files to a single file. You can either use an editor to to this or just cat them into the file.

cat firstfile.pem >> all.pem

...

cat fourthfile.pem >> all.pem

Now copy the file "all.pem" to an appropriate Notes client or Domino server. Download the kyrtool from IBM and extract the file into the programm directory. Now you can create a new kyr-file by initiating

 c:\Notes\kyrtool.exe create -k c:\cert\ourKeyring.kyr -p appropriateSecuredPassword

This will create a ourKeyring.kyr and ourKeyring.sth file in c:\cert directory. Now we can import the all.pem file into that keyring.

c:\Notes\kyrtool.exe import all -k c:\cert\ourKeyring.kyr -i c:\cert\all.pem

Now, we are done. Just copy the two files ourKeyring.kyr and ourKeyring.sth file to your domino data directory. Ensure the filename is the same as you entered it in your domino directory and that filepermissions are set correctly (notes:notes or what your runtime user is).

That's it. After a restart of Domino's http-task your new certificate is active.

Have fun

Create Certificate

This article is the sequel to Let's Encrypt in Domino Environments

To create a certificate is very easy: Instruct the certbot-auto application to create the certificate:

./certbot-auto certonly -d <yourFQDN> --manual

This command (you need internet access) will contact Let's encrypt. It will ask you to create a cryptic file on your server with a much more cryptic content. With this file and it's content Let's encrypt can check whether you have appropriate rights to receive a certificate. They will access the file and compare the content with the content they generated. If both is identical, you will receive the ceriticate immediately.

First, create the necessary subdirectories on you Domino server.

mkdir <notesdata>/domino/html/.well-known/acme-challenge

Then create a file with the filename highlighted in certbot-auto on your filesytem and add the content form certbot-auto to the file

touch <notesdata>/domino/html/.well-known/acme-challenge/<certbotAutoFileName>

cat <certbotAutoContent> <notesdata>/domino/html/.well-known/acme-challenge/<certbotAutoFileName>

On Linux, AIX etc ensure that filepermissions are set correctly.

chown -R notes:notes <notesdata>/domino

This command will correct the permissions. Now you can switch to your server certbot-auto ist running on. When you agree to the test of your environment this will immediatly create the certificate. It is very useful to keep this filestructure and file on your server for later automatic renew of the certificate.

In the last article we will explain how to migrate those certificates to your domino server.

Let's Encrypt in Domino Environments

From time to time we have to implement or update a certificate on our Domino and/or Traveler servers. Let's encrypt enables us to get those certificates for free without any charge (Expiration time: 90 days). The first step is to receive those certificates. Depending on your operation system you have to install one of the several clients. We use the certbot-auto client.

The way to install that client is well documented and there is no need to be explained here. After that you need to create your certificate. Here are the steps on how to create and convert them into a domino environment.

1. Create Certificate
   1. Execute necessary command
   2. Create necessary file in your domino environment
   3. Let's encrypt will check for this file
   4. Certificates will be generated
2. Migrate certificates to Domino
   1. Create single certificate file
   2. Download kyrtool from IBM
   3. Use kyrtool to create a Domino KYR-file
   4. Import all data into newly created KYR-file
   5. Install new certifcate in Domino

In the next article we will explain how to create Let's Encrypt certificates. And in the last article we will explain how to migrate them to domino.

Where Do I Find NOTES.INI On My Mac

If you try to find the notes.ini file on your Mac you will not find one. All application specific properties will be stored in a file called

"Notes Preferences"

in each users home directory. If your user eg is called Keith then navigate to

/Users/Keith/Library/Preferences/

here you will find the file Notes Preferences which includes the same information and syntax as the notes.ini file.

Ubuntu Kernel patched: solved bindsock issue on Domino servers

If you run a Domino, Sametime or Traveler server on Ubuntu than you might have recognized an issue during the last kernel releases that prevented to start http, ldap or any other task running a port smaller than 1024.

The Ubuntu kernel team solved that issue by implementing a workaround in the kernel because the main issue seems to be in bindsock library on domino side. Now we could run the up to date kernel release on Domino servers again.

Hopefully this workaround will not be removed in later kernel versions (again).

If you want to be informed follow:

Ubuntu Bug 1335478