LE4D - Let’s Encrypt 4 Domino - Network Error - Changed LE Roots
Detlev Poettgen, February 4 2021 07:55:42 AM
Let's Encrypt changed the server SSL certificates used on its own API endpoints in December 2020.

Production - API Endpoint: https://acme-v02.api.letsencrypt.org/directory
Staging - API Endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
This may result in Let's Encrypt 4 Domino (LE4D) no longer being able to communicate with the API during agent execution for certificate updates.
The reason is that the Let's Encrypt root/intermediate certificates are no longer trusted by the JVM.
In the log you will get the following error message:
2021-02-03 20:41:45 INFO LE4D - midpoints LE4D (c) 2017 - 2021, V 2.2.0_20190930
2021-02-03 20:41:45 INFO LE4D - Logging events and errors to: '/var/local/notesdata/MIDPOINTS_TECHNICAL_SUPPORT/le4d/le4d.log'
2021-02-03 20:41:45 INFO LE4D - Processing configuration document: '86E7EF37D3D856600628627'.
2021-02-03 20:41:45 INFO LE4D - Using Html directory: domino/html
2021-02-03 20:41:45 INFO LE4D - Running in staging mode
2021-02-03 20:41:45 INFO LE4D - Requesting certificates.
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D3125856600628627/user.key'
2021-02-03 20:41:45 INFO LE4D - Session URL: acme://letsencrypt.org/staging
2021-02-03 20:41:45 ERROR LE4D - org.shredzone.acme4j.exception.AcmeNetworkException: Network error
2021-02-03 20:41:45 INFO LE4D - Writing file: '/var/local/notesdata/le/86E7EF37D25856600628627/domain.key'
2021-02-03 20:41:45 ERROR LE4D - java.lang.NullPointerException
2021-02-03 20:41:45 INFO LE4D - OUPS!! Something went wrong!
2021-02-03 20:41:45 INFO LE4D - midpoints LE4D finished!
The trusted root/intermediate certificates relevant for agent execution are located in the cacerts file in the JVM folder of the Domino server.
Check once whether the newly used root/intermediate certificates are present there and add them if necessary.
One of the following root CAs may be missing from your cacerts file:
Roots:
ISRG Root X1 https://letsencrypt.org/certs/isrgrootx1.pem
DST Root CA X3 https://letsencrypt.org/certs/trustid-x3-root.pem.txt
Intermediate:
Let’s Encrypt R3 https://letsencrypt.org/certs/lets-encrypt-r3.pem
Details and CA PEM Downloads:
https://letsencrypt.org/certificates/
Hints:
- You will have to restart your Domino server to initialize the JVM with the new cacerts. A 'tell HTTP restart' will not be enough.
- HCL removed the ikeyman tool with Domino 11. Use the default Java keytool instead; it is a command-line tool that is part of the JVM install. Details can be found here:
http://www.netzgoetter.net/internet/blogs/netzgoetter.nsf/dx/byebye-ibm-ikeyman-welcome-java-keytool.htm
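The check described above, as an added example (not code from the original post, from midpoints or from LE4D): it looks the three Let's Encrypt certificates up in the Domino JVM's cacerts by SHA-256 fingerprint rather than by alias, because alias names differ between JVM builds while the fingerprint does not, and prints the keytool import command for each one that is missing. The cacerts path, the JVM default store password "changeit", the alias names used on import and the assumption that the three PEM files from letsencrypt.org are already in the working directory are all ours; adjust them to your server.

```shell
#!/bin/sh
# Added example for this post; not code from midpoints or LE4D.
# Checks the Domino JVM cacerts for the Let's Encrypt roots/intermediate by
# SHA-256 fingerprint and prints a keytool import command for each missing one.
# Assumptions (ours, adjust): cacerts path, store password "changeit", alias
# names, and the PEM files downloaded from letsencrypt.org into the working dir.

CACERTS="${CACERTS:-/opt/hcl/domino/notes/latest/linux/jvm/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# alias|PEM file, one per line (file names as on the download URLs above)
CERTS='isrgrootx1|isrgrootx1.pem
dstrootcax3|trustid-x3-root.pem.txt
letsencryptr3|lets-encrypt-r3.pem'

# SHA-256 fingerprint of a PEM file in keytool's colon-separated format.
pem_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Does a `keytool -list` listing ($1) contain fingerprint $2?
# Pure string check, so it can be exercised without a JVM; an empty
# fingerprint never matches (it would otherwise match every line).
listing_has_fingerprint() {
  [ -n "$2" ] || return 1
  printf '%s\n' "$1" | grep -qiF "$2"
}

# Read alias|fingerprint pairs from stdin and print the aliases whose
# fingerprint does not appear in the listing given as $1.
missing_entries() {
  while IFS='|' read -r alias fp; do
    [ -n "$alias" ] || continue
    listing_has_fingerprint "$1" "$fp" || echo "$alias"
  done
}

# Full check against the real keystore (needs keytool on PATH).
check_cacerts() {
  listing=$(keytool -list -keystore "$CACERTS" -storepass "$STOREPASS") || return 1
  printf '%s\n' "$CERTS" | while IFS='|' read -r alias file; do
    fp=$(pem_fingerprint "$file")
    if [ -z "$fp" ]; then
      echo "could not read $file (is it in the working directory?)"
    elif listing_has_fingerprint "$listing" "$fp"; then
      echo "present: $alias ($fp)"
    else
      echo "MISSING: $alias - import with:"
      echo "  keytool -importcert -trustcacerts -noprompt -alias $alias -file $file -keystore $CACERTS -storepass $STOREPASS"
    fi
  done
}

# Only touch the keystore when explicitly asked: ./le4d-cacerts-check.sh run
if [ "${1:-}" = "run" ]; then
  check_cacerts
fi
```

Run it with the `run` argument after downloading the three PEM files; run the printed import commands as the user that owns the Domino JVM, then restart the whole Domino server as noted in the hints, because the JVM only reads cacerts at startup. On older JVMs whose `keytool -list` prints SHA1 fingerprints, change the `SHA256:` pattern in pem_fingerprint to `SHA1:` so both sides compare the same hash.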