Adding your Let’s Encrypt SSL certificate into your Domino keyring file

In this article I will show how to use a slightly modified version of the IBM help documentation to get your Let’s Encrypt issued certificate working as the SSL certificate on your Domino server.

Introduction

Since the introduction of the R9.0.1 FP3 server we have had the ability to load a TLS certificate into the Notes SSL keyring (.kyr) file. There is existing documentation on how to handle this using the new KYRTOOL and OpenSSL, but those instructions are not entirely clear about how they relate to Let’s Encrypt. This article is as much for my own edification and memory as anything else!

Part of the disconnect was that the instructions from IBM did not match the names of the files which were created for me by Let’s Encrypt. This community posting helped explain things – https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2

Existing IBM instructions

The following article from IBM shows how to create the keyring file using OpenSSL: Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation.

In there you will find a link to download the kyrtool – I placed the win32 version in my Notes client installation directory (C:\Program Files (x86)\IBM\Notes)

Let’s Encrypt

If you follow the instructions in this article you can create your own Let’s Encrypt certificate .pem file(s).

I copied all the files into a c:\certs folder to prevent a lot of typing and to simplify my life.

You will need to download the root certificate and an intermediate certificate from Let’s Encrypt – https://letsencrypt.org/certificates/

Save the files into your c:\certs directory as root.pem and intermediate.pem

Make sure you get the intermediate that is signed by ISRG Root X1, so that it chains to the ISRG Root X1 certificate you saved as root.pem.

Open a command window in your Notes client directory by holding down SHIFT and right-clicking on the folder (Open command window here)

Open a second command window in the c:\certs directory

Copy the following command and then right-click into the c:\certs command window to paste it. The order of the files matters: private key first, then the server certificate, then the intermediate, then the root.

  • type privkey.pem cert.pem intermediate.pem root.pem > server.txt

Copy the following, go back to the C:\Program Files (x86)\IBM\Notes CMD window and right-click again to paste it

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" verify "C:\certs\server.txt"

You should get the happy message saying the private key and certificate chain verified. If verify complains, check the order of the files in server.txt and that intermediate.pem really is the one signed by the root you saved.

The final step is to import the new server.txt file into a new Notes keyring file.

Create a new keyring file by copying the following and right-clicking into the C:\Program Files (x86)\IBM\Notes CMD window. Use a real password rather than the placeholder shown here: kyrtool writes it in recoverable form to the stash file keyring.sth next to the .kyr, so both files need to be protected like the private key itself

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -p password

Then import the server.txt file by again copying the following and right clicking in the C:\Program Files (x86)\IBM\Notes CMD window

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import all -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -i "C:\certs\server.txt"
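
Because the file-name confusion above bites at the concatenation step, here is a pre-flight check for server.txt, added for this article and not part of kyrtool or the IBM instructions. It reads the four files in the order of the `type` command, confirms every block is well-formed PEM wrapping DER, that the private key comes first followed by the server certificate and at least one CA certificate, that no certificate appears twice (which is what happens if you concatenate both fullchain.pem, the combined file the Let’s Encrypt client also writes, and intermediate.pem), and prints each block’s SHA-256 fingerprint so you can compare the server certificate with what the browser shows after the http restart. The c:\certs layout, the file names and the sample PEM blocks are assumptions; the sample blocks are constructed dummy DER, not real keys or certificates.

```python
"""Pre-flight check for the server.txt bundle that kyrtool verify/import reads.

Added example for this article; it is not part of kyrtool or the IBM
instructions. Paths and file names are assumptions matching the steps above.
"""
import base64
import hashlib
import re
import sys
from pathlib import Path

# Same order as the `type` command above: key, server cert, intermediate, root.
BUNDLE_ORDER = ("privkey.pem", "cert.pem", "intermediate.pem", "root.pem")

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.DOTALL
)


def parse_pem(text):
    """Split a PEM bundle into (label, der_bytes) tuples.

    Rejects mismatched BEGIN/END labels, invalid base64, and bodies that are
    not a DER SEQUENCE (tag 0x30), which every X.509 cert and key starts with.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError(f"{begin} block is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{begin} block does not decode to a DER SEQUENCE")
        blocks.append((begin, der))
    return blocks


def check_bundle(text):
    """Check the layout kyrtool expects; return [(label, sha256 hex)] per block.

    Layout: one private key first, then the server certificate, then at least
    one CA certificate. A repeated certificate is an error: it is what you get
    by concatenating fullchain.pem (cert + intermediate) and intermediate.pem.
    """
    blocks = parse_pem(text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    labels = [label for label, _ in blocks]
    if not labels[0].endswith("PRIVATE KEY"):
        raise ValueError(f"first block must be the private key, not {labels[0]}")
    if len(labels) < 3 or any(label != "CERTIFICATE" for label in labels[1:]):
        raise ValueError("expected key, server cert, then CA certs; got "
                         + ", ".join(labels))
    certs = [der for _, der in blocks[1:]]
    if len(set(certs)) != len(certs):
        raise ValueError("a certificate appears twice (fullchain.pem plus "
                         "intermediate.pem?)")
    return [(label, hashlib.sha256(der).hexdigest()) for label, der in blocks]


def assemble_bundle(cert_dir):
    """Build the bundle text the way `type ... > server.txt` does, but checked.

    Each file is given a trailing newline so the END line of one block never
    runs into the BEGIN line of the next.
    """
    parts = []
    for name in BUNDLE_ORDER:
        data = Path(cert_dir, name).read_text()
        parts.append(data if data.endswith("\n") else data + "\n")
    text = "".join(parts)
    check_bundle(text)
    return text


def _fake_pem(label, der):
    """Constructed sample data: wraps a 5-byte DER SEQUENCE. Not a real key/cert."""
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-in for c:\certs\server.txt so the check runs offline.
SAMPLE_BUNDLE = (
    _fake_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x01")   # privkey.pem
    + _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")  # cert.pem
    + _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x03")  # intermediate.pem
    + _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x04")  # root.pem
)


if __name__ == "__main__":
    # Usage: python check_bundle.py c:\certs   (writes c:\certs\server.txt)
    # With no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        cert_dir = Path(sys.argv[1])
        text = assemble_bundle(cert_dir)
        Path(cert_dir, "server.txt").write_text(text)
    else:
        text = SAMPLE_BUNDLE
    for label, fingerprint in check_bundle(text):
        print(f"{label:12} sha256={fingerprint}")
```

Run it against the c:\certs folder before the kyrtool verify step; it only writes server.txt when the bundle passes, so a wrong file order or a doubled intermediate is caught before kyrtool ever sees it. The fingerprints it prints are of the DER contents, which is what a browser shows as the certificate fingerprint once the http task is serving the new keyring.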

You can now

  • take the keyring.kyr and keyring.sth files and copy them into the server’s data directory (both are needed: the http task reads the keyring password from the .sth stash file)
  • configure your website document (or server document) to use the keyring.kyr file
  • restart the http task on the server
  • and it should work….

Conclusion

In this article we have seen how to successfully import the Let’s Encrypt certificates into the Notes .kyr file. This is only part of the story though. As the Let’s Encrypt certificates are only valid for 90 days, this is a laborious repetitive task to have to accomplish on that time frame. Now I know what I am doing, for my local server it shouldn’t take very long to re-do, but this is far from a production solution. I might try and batch file it, that would probably help. We’ll see how annoyed I get when my cert fails right before a client demo 🙂

6 thoughts on “Adding your Let’s Encrypt SSL certificate into your Domino keyring file”

  1. Thanks for the article~ I’m using the Let’s Encrypt Windows client ( github.com/Lone-Coder/letsencrypt-win-simple ) and set the ACME challenge to the domino\html root, and the rest was following this article~ and it’s working well~ now I just have to think about how to use the task scheduler to renew the certificate
