Setting up my first Nomad server (1.0.13) on Domino 12.0.2 FP2 (Windows 64)
I have configured manual TLS Certificate.
When I load Nomad at the console it shows:
So far, so good. But when I show tasks, Nomad shows as idle, although other tasks show themselves as listening on the appropriate ports.
When I browse (using Edge) to <hostname>:9443, hoping for a Nomad setup screen, I get the response:
Is there a vital step I am leaving out?
Hi Andrew,
This looks to be a known issue (Nomad shows as Idle on server task) on Nomad prior to version 1.0.14.
Nomad should indicate that the http and/or https servers are running, the port numbers, and the bound host. Also, make sure that the prerequisites are met (ID files in ID Vault, TLS cert), then open the notes.ini file of the Domino server and add the notes.ini setting below so that the Nomad server host name is set.
Nomad_Web_Host= <hostname>
I would recommend upgrading the Nomad server on Domino to 1.0.14 and checking whether the issue still persists.
For reference:
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0116524
Regards,
Joseph
TLS is set up, and my ID is in the vault, so that should be fine. But I am not getting that far. The first hurdle is to get the server to respond on port 9443 - I will cross the authentication bridge when I come to it.
The host is specified in notes.ini
When 1.0.14 is available I will try it. But let's get 1.0.13 working first.
Hello.
It is no problem that the status of Nomad task is Idle.
You can run the "netstat -qo" command from a command prompt to see if 9443 is listening.
I suspect that port 9443 is not available in your environment.
Please check your firewall settings.
Regards,
Shigemitsu Tanaka
Port 9443 has been opened in the firewall, and I have confirmed via PowerShell that it is accessible, but I still get the same timeout.
1.0.14 isn't released yet. The Idle (which is accurate in that there are no active connections at that moment) will be changed to Listening... (and not be based on active connections but instead be just the listening port) in 1.0.14, but you can't get 1.0.14 yet (coming soon).
What is the full URL you are using? Do you have the /nomad/ on the end?
The full URL is as I quoted above. I have tried with /nomad/ at the end, with the same result.
Simply using the hostname, without specifying a port, immediately gets me the default Domino splash screen.
I don't see where the full URL is above. I see "<hostname>:9443" but that isn't a full URL. You at least answered the /nomad/ part on the end, but do you have https:// on the beginning? If not, it will be HTTP and port 9443 isn't listening for HTTP.
Leaving off the port will be HTTP or HTTPS depending on what you have at the beginning (or nothing which is http:// by default and port 80).
It needs to be https://<fully qualified host name>:9443/nomad/.
After that, it really seems like something in the firewall or a browser setting that is blocking it. You could temporarily put Nomad server on port 443 (and turn off Domino HTTP on port 443) and see if that makes it work because if that works, it probably is some rule/proxy/firewall somewhere blocking it.
Did you try any other browsers (Chrome or Firefox)?
You can also try https://<fully qualified host name>:9443/nomad/userConfig.json which should be a JSON response and doesn't require the service worker or any part of the Nomad for web browsers client to be downloaded to run (it is just a regular HTTPS request and response).
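The checks suggested in the replies above (is the port listening on the server, is it reachable from the client, and does the plain HTTPS endpoint answer), collected into one script. This is an added example for this thread, not code from HCL or from any of the posters; $NomadHost and $Port are placeholders for the value of Nomad_Web_Host and the configured Nomad port.

```powershell
# Added example (not from the thread): walk the hops between the browser and the
# Nomad server task in the order the replies above suggest.
# Assumption: $NomadHost is the fully qualified name set in Nomad_Web_Host.
$NomadHost = 'mynomad.example.com'   # placeholder, replace with your host
$Port      = 9443                    # default Nomad port; check nomad-config.yml if changed

# 1) On the Domino server: is anything listening on the port? Before 1.0.14 the task
#    shows "Idle" in 'show tasks' even while listening, so check the socket, not the task.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id $listener[0].OwningProcess
    "Port $Port is listening (owner: $($proc.ProcessName), PID $($proc.Id))"
} else {
    "Nothing is listening on $Port - check the Nomad console output and nomad-config.yml"
}

# 2) From the client: can the port be reached at all? TcpTestSucceeded = False while
#    PingSucceeded = True usually points at a firewall or proxy rule, not at the task.
$tnc = Test-NetConnection -ComputerName $NomadHost -Port $Port -WarningAction SilentlyContinue
"Ping: $($tnc.PingSucceeded)  TCP $($Port): $($tnc.TcpTestSucceeded)"

# 3) The endpoint that needs no service worker or client download. Note the scheme:
#    port 9443 is HTTPS only and does not redirect HTTP, so the URL must start with https://.
$uri = "https://${NomadHost}:${Port}/nomad/userConfig.json"
try {
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    "HTTP $($resp.StatusCode) from $uri"
    ($resp.Content | ConvertFrom-Json) | Format-List
} catch {
    # A certificate that the OS does not trust also lands here; the message says which.
    "Request to $uri failed: $($_.Exception.Message)"
}
```

Run step 1 on the Domino box itself and steps 2 and 3 from the client where Edge runs; if step 2 succeeds but step 3 fails with a trust error, the port is fine and the certificate chain is the next thing to look at.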
Ah, I see. My bad. Thank you.
Alas, Edge is the only browser supported in the environment.
When I specify https (I thought that port 9443 would redirect to that automatically) I DO get Nomad, but only after it gives me a security warning.
Certificate Store reports the TLS Credentials as valid. What am I missing now?
I use Nomad 1.0.13 IF2, the same as yours, and I do not see an issue when the certificate is configured via the nomad-config.yml file.
Edge browser.
Check if you have a proxy server in your environment used by the browser, since the URL for Nomad is unique with port 9443. Make sure the proxy allows it; otherwise, disable the proxy and check the Nomad access.
If the Domino is running on the Windows OS, you can check the Nomad access on the same box by installing any Chrome/Edge browser.
This will isolate nomad access without any proxy server involved, provided the server OS is not configured to use a proxy.
Thank you
Regards
Shrikant J
No proxy is involved. Nomad is running as Domino server task.
The YAML file is only required if you are overriding default settings, isn't it?
Hi Andrew,
I can see the same issue as yours as below.
I believe you are using the certmgr task (certstore.nsf) on the Domino server to use the TLS certificate for your nomad server.
Please verify the following:
1) What is set in the Domino server notes.ini parameter for Nomad_Web_Host?
2) Is the above value the same as the Nomad server host which you are trying to access from the browser?
3) Do you have a DNS entry or local host entry for the Nomad server mapped to the Domino server IP?
These should match: the TLS hostname in the certstore.nsf, the Nomad_Web_Host ini, a DNS entry or host entry mapped to the Domino server, and the browser URL you are trying to hit.
Example:
certstore.nsf containing TLS credentials : mynomad.notesdomtech.com
Domino server "Nomad_Web_Host" ini containing: Nomad_Web_Host=mynomad.notesdomtech.com
DNS Entry or Host Entry containing: mynomad.notesdomtech.com
Browser URL accessed same as above host: https://mynomad.notesdomtech.com:9443
Thank you
Regards
Shrikant J
Thank you, Shrikant
Yes, I am using certstore. The hostname listed there, and with credentials shown as valid, is identical to the one I am typing into the browser, and to the value of the Nomad_web_host notes.ini variable. The hostname is resolvable by DNS.
I was not previously specifying https. At Robert Sielken's prompting I did so, and am now getting a response. That's progress.
BUT I then get a "your connection is not private" warning. When I seek more information it reports "[the server]'s security certificate is not trusted by your computer's operating system", and if I persist with the connection I do get Nomad, but it reports (unsurprisingly, at this point) that "an SSL certificate error occurred when fetching the script".
What do I need to do to get the OS to trust the certificate?
Hi Andrew, do you mean to say the TLS certificate is not from a trusted certificate authority? Or is it issued by your internal CA or self-signed? Thank you.
I should have mentioned that, of course!
Yes, the certificate is issued by an internal CA.
You can try trusting the internal CA and see if that helps.
Note: You need to have your internal CA certificate file.
Steps
- Type certmgr.msc in the Start menu Search field, and then press Enter.
- Expand Trusted Root Certification Authorities, and then select Certificate.
- Right-click on the empty space, and then select All tasks > Import.
- Click Next in the Certificate Import Wizard window.
- Click Browse and select the CA that you want to import, and then click Next.
- Select the Place all certificates in the following store option to store the CA securely.
- Click Browse, and then select Trusted Root Certification Authorities as the certificate store.
- Click Next, and then Finish to import the certificate.
Thank you
Regards
Shrikant J
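The two conditions Shrikant lists (the name in the certificate must match Nomad_Web_Host and the browser URL, and the issuing CA must be trusted by the client OS) can be checked from the client before touching the browser. This is an added example for this thread, not code from HCL or from any poster; $NomadHost, $Port and $CaFile are placeholders, and the script uses the .NET SslStream and X509Chain classes available in Windows PowerShell.

```powershell
# Added example (not from the thread): fetch the certificate Nomad presents on 9443,
# then report name match and OS trust separately, which is what Edge checks before
# showing "your connection is not private".
# Assumption: $NomadHost equals Nomad_Web_Host and the host you type into Edge.
$NomadHost = 'mynomad.example.com'   # placeholder, replace with your host
$Port      = 9443

# Open a TLS session but accept any server certificate in the callback, so the
# handshake completes and we can inspect the certificate ourselves below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($NomadHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($NomadHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# Check 1: name match. Browsers compare the URL host against the Subject Alternative
# Name entries (OID 2.5.29.17), so that is the list to compare Nomad_Web_Host with.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    # Windows formats the extension as "DNS Name=a, DNS Name=b"
    $dnsNames = ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', ''
    "SAN     : $($dnsNames -join ', ')"
}
if ($dnsNames -contains $NomadHost) { "Name    : $NomadHost is in the SAN list" }
else { "Name    : $NomadHost is NOT in the SAN list - expect a name mismatch warning" }

# Check 2: OS trust. X509Chain walks the issuer chain against the machine and user
# stores, which is the same trust decision Edge delegates to Windows.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; skip CRL/OCSP here
if ($chain.Build($cert)) {
    "Chain   : trusted by this machine"
} else {
    "Chain   : NOT trusted by this machine"
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation.Trim())" }
}
$chain.ChainElements | ForEach-Object { "    " + $_.Certificate.Subject }

# If the chain fails with UntrustedRoot and the issuer is your internal CA, import that
# CA's root certificate into the machine Trusted Root store (same effect as the
# certmgr.msc steps above). $CaFile is a placeholder; run from an elevated prompt.
# $CaFile = 'C:\path\to\internal-root-ca.cer'
# Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root'
```

The two checks fail for different reasons: a missing SAN entry is fixed by reissuing the certificate with the right host name in certstore.nsf, while an UntrustedRoot status is fixed on the client by importing the internal CA root, and the chain element list printed at the end shows which issuer is missing.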
Thank you, @Shrikant Jamkhandi. Very helpful. I was able to get the root certificate installed on my client, but it is still not recognising the server. I now have a new certificate issued by an internal authority whose root certificate is installed on all company clients, so am starting again. I will raise a new question - many thanks for your help to date!
I observe the same behavior following upgrade from version 1.0.10, which works very well, to version 1.0.13 IF2 or 1.0.14; see the attachment for debug in release 1.0.14. Is something missing?
nomad_debug.txt
Do you have the /nomad/ on the end of the URL in the browser (which you blanked over)?
You should probably open a support case so we can look at both client (https://help.hcl-software.com/nomad/1.0_web/nw_report_problem.html) and server logs from the same time. That will also allow the data to be handled confidentially (rather than posting in this public forum).
Hi Robert,
Thanks for reply.
In fact yesterday I had to upgrade to the last version because new connection failed with errors like
https://support.hcl-software.com/community?id=community_question&sys_id=a71061bb93a9d2100dddf87d1dba10b1
I was facing the same behavior, unable to reach the server through HTTPS.
Since we are not using HTTP on our Domino for Nomad, our nomad-config.yml was filled with port 443, not 9443; the firewall for this port was open on Windows Server,
so, since the error was close to "port not allowed", I made a new firewall rule for the Nomad executable on port 443, and now
I can connect to the Nomad service. Hope this will help someone else.