Certmgr new certificates are not being found

I have upgraded a Domino 11.0.1 server to 14FP4.

I am now trying to get the new CertStore working. (Previously we used LED LetsEncrypt.)

I followed the instructions from: https://help.hcl-software.com/domino/14.0.0/admin/secu_le_using_certificate_manager.html

The certificate has been generated, and when I run load certmgr -showcerts I can see the certificate is there:

[013965:000152-00007F6EEE7CF640] 04/24/2025 17:22:54 Remote console command issued by xxxxxxxxxxx: load certmgr -showcerts
[016018:000002-00007F023DF85000] Subject key identifier Key info Expiration KeyFile/Tag Host names (SANs)
[016018:000002-00007F023DF85000] ------------------------------------------------------------------------------------------------------------------------------------------------------
[016018:000002-00007F023DF85000] 8FFF EA16 221F 1D18 ... NIST P-256 89.9 days xxxxxxxxt.net mail01.xxxxxx.net
[016018:000002-00007F023DF85000] ------------------------------------------------------------------------------------------------------------------------------------------------------
[016018:000002-00007F023DF85000] 1 TLS Credentials

However, the HTTP server OR TLS for mail does not recognise the certificate.

[015872:000012-00007EFDA9572640] 04/24/2025 17:28:53 HTTP Server: SSL handshake failure, no SSL Keyring file specified for IP address [192.168.1.30]

And a TLS check for E-mail does allow SSL connection:
[000.389] <‑‑ 220 Ready to start TLS
[000.389] STARTTLS command works on this server
[000.389] SSL_ocsp_mode = SSL_OCSP_FULL_CHAIN
[001.406] Cannot convert to SSL (reason: SSL connect attempt failed)

Hi,

Good day!

Please ensure that the server document or Internet site document is updated with the hostname under the TLS Key File Name field.

Server Document: Go to Ports > Internet Ports > modify the TLS key file name from keyring file to FQDN.
Internet Site Document: Go to Security tab > Key file name field.

Once modified, please restart the HTTP Task: tell http quit then load http.

Also, please ensure that the template for your names.nsf has been upgraded to version 14 so that it has the updated TLS Ciphers.

Thank you.

Best regards,
Kaycery

According to what you display

1/ Your certmgr doc contains

xyz.net

and

mail01.xyz.net

with the correct domino servername

2/ in your server document (or internet site)

for keyfile field just set: *.xyz.net

3/ tell http restart

if STARTTLS for smtp: restart task smtp

if ldaps: restart ldap

if more (pop/imap, etc..): restart server
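
After the key file field is changed and the tasks are restarted as described in the two answers above, each listener can be checked from a client machine. The following is an added example, not part of the original thread and not HCL code: it handshakes with a port (optionally via SMTP STARTTLS), reads the DNS SANs of the certificate actually served, and checks that the host name is covered. The function names are hypothetical, the name matching follows the usual TLS client rules (RFC 6125) rather than anything Domino-specific, and the certificate must chain to a CA the client trusts.

```python
import smtplib
import socket
import ssl


def san_matches(hostname, sans):
    """Return True if hostname is covered by any DNS SAN (RFC 6125 rules:
    a wildcard is only honoured as the whole left-most label)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            # "*.xyz.net" covers "mail01.xyz.net" but not "xyz.net"
            # and not "a.mail01.xyz.net".
            head, _, rest = host.partition(".")
            if head and rest == san[2:]:
                return True
    return False


def dns_sans(cert):
    """Extract DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def served_sans(host, port, starttls=False, timeout=10):
    """Handshake with host:port and return the DNS SANs of the served cert.
    Raises if the task offers no usable TLS credential or the chain is untrusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by san_matches() instead
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return dns_sans(smtp.sock.getpeercert())
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return dns_sans(tls.getpeercert())


def check(host, port, starttls=False):
    """Return (ok, detail) for one listener; ok is False on handshake failure."""
    try:
        sans = served_sans(host, port, starttls)
    except (ssl.SSLError, OSError, smtplib.SMTPException) as exc:
        return False, f"handshake failed: {exc}"
    return san_matches(host, sans), f"SANs: {sans}"
```

Call check() with the server's FQDN and port 443 for HTTP, and with port 25 and starttls=True for SMTP; a result of False with "handshake failed" corresponds to the state shown in the question.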

Brilliant. Many thanks @Kaycery Gonzales and @Jerome Deniau

It was that the TLS Keyfile needs to be set to the domain

Cheers
Tony