
LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots

February 4 2021 07:55:42 AM
Let's Encrypt changed its own server SSL certificates used to communicate with their API endpoints in December 2020.

Production - API Endpoint:
https://acme-v02.api.letsencrypt.org/directory
Staging - API Endpoint:
https://acme-staging-v02.api.letsencrypt.org/directory

This may result in Let's Encrypt 4 Domino (LE4D) no longer being able to communicate with the API during agent execution for certificate updates.

The reason is that the Let's Encrypt root and intermediate certificates now in use are no longer trusted by the JVM.

In the log you will see the following error messages:

2021-02-03 20:41:45 INFO LE4D - midpoints LE4D (c) 2017 - 2021, V 2.2.0_20190930
2021-02-03 20:41:45 INFO LE4D - Logging events and errors to: '/var/local/notesdata/MIDPOINTS_TECHNICAL_SUPPORT/le4d/le4d.log'
2021-02-03 20:41:45 INFO LE4D - Processing configuration document: '86E7EF37D3D856600628627'.
2021-02-03 20:41:45 INFO LE4D - Using Html directory: domino/html
2021-02-03 20:41:45 INFO LE4D - Running in staging mode
2021-02-03 20:41:45 INFO LE4D - Requesting certificates.
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D3125856600628627/user.key'
2021-02-03 20:41:45 INFO LE4D - Session URL: acme://letsencrypt.org/staging
2021-02-03 20:41:45 ERROR LE4D - org.shredzone.acme4j.exception.AcmeNetworkException: Network error
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D25856600628627/domain.key'
2021-02-03 20:41:45 ERROR LE4D - java.lang.NullPointerException
2021-02-03 20:41:45 INFO LE4D - OUPS!! Something went wrong!
2021-02-03 20:41:45 INFO LE4D - midpoints LE4D finished!
The trusted root/intermediate certificates relevant for agent execution are located in the JVM folder of the Domino server in the cacerts file.

Check once whether the root/intermediate certificates now in use are present there, and update the file if necessary.

One of the following root CAs may be missing from your cacerts file:

Roots:
ISRG Root X1
https://letsencrypt.org/certs/isrgrootx1.pem

DST Root CA X3
https://letsencrypt.org/certs/trustid-x3-root.pem.txt

Intermediate:
Let’s Encrypt R3
https://letsencrypt.org/certs/lets-encrypt-r3.pem

Details and CA PEM Downloads:
https://letsencrypt.org/certificates/

Hints:
- You will have to restart your Domino server to initialize the JVM with the new cacerts. A 'tell HTTP restart' will not be enough.
- HCL removed the ikeyman tool with Domino 11, so use the standard Java keytool instead, which is part of the JVM install. It is a command-line tool; details can be found here:

http://www.netzgoetter.net/internet/blogs/netzgoetter.nsf/dx/byebye-ibm-ikeyman-welcome-java-keytool.htm
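The check and import described above, as an added shell example (not part of LE4D or the original post): it looks for the three Let's Encrypt subjects in a `keytool -list -v` listing and imports the missing PEM files with keytool. It assumes keytool is on PATH, the keystore password is the Java default 'changeit' (override with CACERTS_PASS), the PEM files were downloaded from letsencrypt.org under their original names, and the cacerts path in the usage comment is only an example of where a Domino JVM keeps it.

```shell
#!/bin/sh
# Added example, not part of LE4D or the original post. Checks whether the
# Let's Encrypt roots/intermediate named in the post are present in a Domino
# JVM cacerts file and imports the missing ones with the JVM's own keytool.
# Assumptions: keytool is on PATH, the keystore password is the Java default
# ('changeit', override with CACERTS_PASS), and the PEM files were downloaded
# from https://letsencrypt.org/certificates/ under their original names.

# Subject CNs that must appear as "Owner:" lines in `keytool -list -v` output.
LE_SUBJECTS='ISRG Root X1
DST Root CA X3
R3'

# Read a `keytool -list -v` listing on stdin; print one missing subject per line.
missing_from_listing() {
    listing=$(cat)
    printf '%s\n' "$LE_SUBJECTS" | while IFS= read -r name; do
        # Match "Owner: CN=<name>," so CN=R3 is not confused with longer CNs.
        printf '%s\n' "$listing" | grep -Fq "Owner: CN=$name," || printf '%s\n' "$name"
    done
}

# Map each subject to the PEM file name used on letsencrypt.org.
pem_for() {
    case $1 in
        "ISRG Root X1")   echo isrgrootx1.pem ;;
        "DST Root CA X3") echo trustid-x3-root.pem.txt ;;
        R3)               echo lets-encrypt-r3.pem ;;
        *)                return 1 ;;
    esac
}

# import_missing <cacerts> <pemdir>: import whatever the listing lacks.
import_missing() {
    ks=$1; pemdir=$2; pass=${CACERTS_PASS:-changeit}
    keytool -list -v -keystore "$ks" -storepass "$pass" | missing_from_listing |
    while IFS= read -r name; do
        pem=$(pem_for "$name")
        ks_alias=le4d-$(printf '%s' "$name" | tr 'A-Z ' 'a-z-')
        echo "cacerts lacks '$name'; importing $pemdir/$pem as alias $ks_alias"
        # </dev/null keeps keytool from consuming the rest of the name list.
        keytool -importcert -noprompt -trustcacerts -keystore "$ks" -storepass "$pass" \
            -alias "$ks_alias" -file "$pemdir/$pem" </dev/null
    done
    echo "Done. Restart the Domino server (not only 'tell HTTP restart') to reload cacerts."
}

# Stand-alone: sh le4d_cacerts.sh /opt/hcl/domino/notes/latest/linux/jvm/lib/security/cacerts ./pem
# (example cacerts path; use the JVM folder of your own Domino install).
if [ $# -ge 1 ] && command -v keytool >/dev/null 2>&1; then
    import_missing "$1" "${2:-.}"
fi
```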
