In this article I will show how to use a slightly modified version of the IBM help documentation to get your Let's Encrypt issued certificate working as the SSL certificate on your Domino server.
Introduction
Since the introduction of the R9.0.1FP3 server we have had the ability to load a TLS certificate into the Notes SSL keyring (.kyr) file. There is existing documentation on how to do this using the new KYRTOOL and OpenSSL, but those instructions are not entirely clear as to how they relate to Let's Encrypt. This article is as much for my own edification and memory as anything else!
Part of the disconnect was that the instructions from IBM did not match the names of the files which Let's Encrypt created for me. This community posting helped explain things: https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2
Existing IBM instructions
The following article from IBM shows how to create the certificate file using OpenSSL: "Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation".
In there you will find a link to download the KYRTool; I placed the win32 version in my Notes client installation directory (C:\Program Files (x86)\IBM\Notes).
- Download link: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer
- Place the KYRTool in the Notes program directory, as it relies on .DLLs installed by Notes.
- If you have the Notes/Domino program directory in your system's PATH environment variable, the KYRTool can be installed to any directory.
Let’s Encrypt
If you follow the instructions in this article you can create your own Let’s Encrypt certificate .pem file(s).
I copied all the files into a c:\certs folder to save a lot of typing and to simplify my life.
You will need to download the root certificate and an intermediate certificate from Let’s Encrypt – https://letsencrypt.org/certificates/
Save the files into your c:\certs directory as root.pem and intermediate.pem
Make sure you get the intermediate labelled "Signed by ISRG Root X1".
Open a command window in your Notes client directory by holding down SHIFT and right-clicking on the folder.
Open a second command window in the c:\certs directory.
Copy the following and then right-click into the c:\certs command window to paste it:
- type privkey.pem cert.pem intermediate.pem root.pem > server.txt
Note that server.txt now contains your private key as well as the certificate chain, so keep it out of any shared or synced folder.
Copy the following, go back to the C:\Program Files (x86)\IBM\Notes CMD window and right-click again to paste it:
- kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" verify "C:\certs\server.txt"
You should get the happy message….
The final step is to import the new server.txt file into a new Notes keyring file.
Create a new keyring file by copying the following and right-clicking into the C:\Program Files (x86)\IBM\Notes CMD window:
- kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -p password
Then import the server.txt file by again copying the following and right-clicking in the C:\Program Files (x86)\IBM\Notes CMD window:
- kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import all -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -i "C:\certs\server.txt"
You can now:
- copy the keyring.kyr and keyring.sth files into the server's data directory
- configure your website document (or server document) to use the keyring.kyr file
- restart the HTTP task on the server
- and it should work….
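The whole sequence above, from concatenating the .pem files to importing them into a fresh keyring, as one batch file. This is an added example and not part of the original article; it assumes kyrtool.exe is in the Notes program directory, the four Let's Encrypt files are in C:\certs, and that kyrtool sets ERRORLEVEL when verify or import fails.

```batch
@echo off
rem Added example (not from the article): automates the manual steps above in one run.
rem Assumes kyrtool.exe is in the Notes program directory, the four Let's Encrypt
rem files are in C:\certs, and kyrtool sets ERRORLEVEL on failure (an assumption:
rem if your build does not, check its printed output instead).
setlocal
set NOTESDIR=C:\Program Files (x86)\IBM\Notes
set CERTDIR=C:\certs
set KEYRING=%NOTESDIR%\Data\keyring.kyr
rem Keyring password comes from the first argument; "password" is only a placeholder.
set KYRPASS=%~1
if "%KYRPASS%"=="" set KYRPASS=password

rem Every input must exist before anything is written, otherwise type would
rem produce a partial server.txt that is missing part of the chain or the key.
for %%F in (privkey.pem cert.pem intermediate.pem root.pem) do (
    if not exist "%CERTDIR%\%%F" (
        echo Missing %CERTDIR%\%%F
        exit /b 1
    )
)

rem Step 1: key, leaf certificate, intermediate and root, in the order the article uses.
type "%CERTDIR%\privkey.pem" "%CERTDIR%\cert.pem" "%CERTDIR%\intermediate.pem" "%CERTDIR%\root.pem" > "%CERTDIR%\server.txt"
cd /d "%NOTESDIR%"

rem Step 2: verify the bundle before the keyring is touched.
kyrtool ="%NOTESDIR%\notes.ini" verify "%CERTDIR%\server.txt"
if errorlevel 1 (
    echo Verify failed, keyring left unchanged.
    exit /b 1
)

rem Step 3: start from a fresh keyring each run so an old certificate is never left behind.
if exist "%KEYRING%" del "%KEYRING%"
if exist "%KEYRING:.kyr=.sth%" del "%KEYRING:.kyr=.sth%"
kyrtool ="%NOTESDIR%\notes.ini" create -k "%KEYRING%" -p %KYRPASS%

rem Step 4: import key and chain.
kyrtool ="%NOTESDIR%\notes.ini" import all -k "%KEYRING%" -i "%CERTDIR%\server.txt"
if errorlevel 1 (
    echo Import failed.
    exit /b 1
)

rem server.txt holds the unencrypted private key; remove it once it is in the keyring.
del "%CERTDIR%\server.txt"
echo Keyring rebuilt at %KEYRING%. Copy keyring.kyr and keyring.sth to the server data directory.
endlocal
```

Run it as `rebuild-keyring.cmd <keyring password>` after each Let's Encrypt renewal; the copy to the server data directory and the HTTP task restart are still done by hand as described above.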
Conclusion
In this article we have seen how to successfully import the Let's Encrypt certificates into the Notes .kyr file. This is only part of the story though. As the Let's Encrypt certificates are only valid for 90 days, this is a laborious, repetitive task to have to accomplish on that time frame. Now I know what I am doing, for my local server it shouldn't take very long to re-do, but this is far from a production solution. I might try and batch file it; that would probably help. We'll see how annoyed I get when my cert fails right before a client demo 🙂
Great article! Thanks! I hope that you get annoyed long before the client demo… LOL Cheers!
Thanks for the article~ I'm using the Let's Encrypt Windows client ( github.com/Lone-Coder/letsencrypt-win-simple ) and set the ACME challenge to the domino\html root, and the rest was following this article~ and it's working well~ now I just have to think about how to use the task scheduler to renew the certificate
Smart! if you figure it out please share 🙂
Thanks for the feedback
Any way to get the kyrtool on a public site? Fix central claims I can’t download it 😛
Because you don’t have an IBM ID?
Because you need to have active support on your IBM ID …