Server loading of TLS certificate

Domino 12.0.2 FP5, Nomad 1.0.15 on MS Server 2022

Having run Nomad successfully in test, we are now trying to duplicate in production. TLS certificate (same trusted root as in test) is configured in Cert Store.

On loading Nomad in PROD, console shows
“WARN Nomad:: http: Generating self-signed certificate for 0.0.0.0”
Naturally, when we try to connect it warns that the connection is not secure.

In TEST, the corresponding line in the load sequence shows
“INFO Nomad:: http: Using Domino server’s SSL certificate for host ”

But for the hostname, as far as I can tell the configurations are identical.

What could be causing the certificate not to be recognised in Prod?

The hostname in the server document on the production server should be the same as in the TLS certificate, or it should match the Subject Alternate Names in the TLS certificate.
Hope you have ensured this on your prod server.

The hostname is correct, in the Fully Qualified Internet Hostname field and in the Net Address in the Ports tab.

Answer found!

I had not set NOMAD_WEB_HOST in the Notes.ini

I can now connect, but on giving my user name, instead of an initial password request it tells me that I am connecting to the correct Domino server name, then I get a message box “Nomad Setup Error”.

https://help.hcl-software.com/nomad/1.0_admin/config_options.html?scLang=en

See if this helps

Hello Andrew,

Can you check the below link on "Troubleshooting Nomad Web"? Check point number 11.

https://help.hcl-software.com/nomad/1.0_web/setup_troubleshooting_nomad.html

“Nomad Setup Error” could be caused by the following:

  • The Home server is not available, or cannot be reached.
  • A misconfiguration in Nomad server

Thank you
Regards
Shrikant J

Thank you, Shrikant.

Looking at the console does indeed give me further information. Nomad has to be finding the server, for I am presented with the Nomad interface, which can come from nowhere else. Further, the console tells me that it has retrieved (presumably from the server) my fully qualified name and the server's.

Here is where I start to wonder, though.

  1. In the first line below (I am using square brackets to mask client identifying server and org names) it refers to userconfig.json. I cannot find any such file on the server.
  2. Although the value for userCN is my correct (fully qualified, not common) name, with name and org separated by a “/” character, the corresponding server name (which is otherwise correct) has no “/”.

The second line uses that concatenated server name, and apparently it works, for the fourth line reports the successful download of a file, followed by others.

The bolded line is where it seems to go seriously wrong. It starts addressing the hostname rather than the Domino server name, using http (not https), but still referring to port 9443. It is two lines after that that we get the Error 0x807 “not responding”.

Can you help me interpret?

Andrew

[2025-06-06T00:02:38.305Z] [00001:00002-17896712] 06/06/2025 10:02:37.76 AM ShowWebBrowserDialog> Downloaded 63 bytes for user configuration from URL /nomad/userConfig.json: {“userCN”:“Andrew Brew/[OrgName]”,“homeServerCN”:[.ServerName][OrgName]"}

[2025-06-06T00:02:38.310Z] [00001:00002-17896712] 06/06/2025 10:02:37.76 AM DeskBusyMessageSignalHandler> Connecting to [ServerName][OrgName]…

[2025-06-06T00:02:38.502Z] [125096384] 06/06/2025 10:02:38.502 AM fetch_notes_files: waiting for 1 files to download

[2025-06-06T00:02:38.581Z] [12588024] 06/06/2025 10:02:38.581 AM wgetSucceeded: Download of /program/NotoSansCJKjp-Regular.otf completed

[2025-06-06T00:02:39.524Z] [125096384] 06/06/2025 10:02:39.524 AM saveHashTrackingFile: Saving known hashes in /data/hashedinitnames.txt…

[2025-06-06T00:02:39.525Z] [125096384] 06/06/2025 10:02:39.525 AM fetch_notes_files: Fetch thread completed 47 downloads in 2031 ms

[2025-06-06T00:02:40.059Z] [00001:00002-17896712] 06/06/2025 10:02:39.51 AM wasmjs_websocket_new> URL changed to wss://[serverhostname]:9443/nrpc-wss]

[2025-06-06T00:02:40.667Z] [125096384] 06/06/2025 10:02:40.667 AM fetch_notes_files: handleNomadFileSystemMigrationMusl() took 1142 ms

[2025-06-06T00:02:42.635Z] [00001:00002-17896712] 06/06/2025 10:02:42.09 AM JsonCallback> Error 0x807 during Nomad setup: The server is not responding. The server may be down or you may be experiencing network or VPN problems. Contact your system administrator if this problem persists.

[2025-06-06T00:02:42.658Z] SW serving response for: https://:9443/nomad/fonts/8f1e0300e8d26fa8919d.woff2 from cache.

[2025-06-06T00:03:08.150Z] [00001:00005-117738664] 06/06/2025 10:03:08.00 AM GLWatchdogProc> level2 timer, 30014 msec since last heard from UI thread

[2025-06-06T00:03:23.141Z] [00001:00005-117738664] 06/06/2025 10:03:22.99 AM GLWatchdogProc> level3 timer, 45006 msec since last heard from UI thread

[2025-06-06T00:03:38.141Z] [00001:00005-117738664] 06/06/2025 10:03:37.99 AM GLWatchdogProc> level4 timer, 60006 msec since last heard from UI thread

Hello Andrew,

This is what I see. I am using Nomad 1.0.16. My Nomad/Mail Server/ID Vault server is the same.

846-d418344e9a20e9f3e85a.js:47 [2025-06-06T04:06:10.317Z] [128038648] 06/06/2025 09:36:10.316 AM fetch_notes_files: Fetch thread completed 48 downloads in 1015 ms
846-d418344e9a20e9f3e85a.js:47 [2025-06-06T04:06:10.927Z] [MAIN_BROWSER_THREAD ] 06/06/2025 09:36:10.57 AM DictionaryDownload> wasmDictionaryDownloadCompleteMainThread: pSpell is NULL

846-d418344e9a20e9f3e85a.js:47 [2025-06-06T04:06:11.822Z] [128038648] 06/06/2025 09:36:11.822 AM fetch_notes_files: handleNomadFileSystemMigrationMusl() took 1505 ms
846-d418344e9a20e9f3e85a.js:47 [2025-06-06T04:06:11.891Z] [00001:00002-18479336] 06/06/2025 09:36:11.53 AM wasmjs_websocket_new> URL changed to wss://nomad.notesdomtech.com:9443/nrpc-wss
846-d418344e9a20e9f3e85a.js:47 [2025-06-06T04:06:11.914Z] [00001:00002-18479336] 06/06/2025 09:36:11.56 AM DeskBusyMessageSignalHandler> Looking up Peter Meter…
846-d418344e9a20e9f3e85a.js:47 [2025-06-06T04:06:11.969Z] [00001:00002-18479336] 06/06/2025 09:36:11.61 AM DeskBusyMessageSignalHandler> **Extracting ID from the Vault…**

Just wanted to understand whether the Mail server and ID Vault server in your user's Person document and the Nomad server are the same or different.

Please check if the Nomad server can reach the ID Vault server. Also check if there is any configuration in the nomad-config.yml file for the parameter `defaultMailServers:`

https://help.hcl-software.com/nomad/1.0_admin/config_options.html

Thank you
Regards
Shrikant J
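
Added example (not part of any post in this thread and not HCL code): a small Python triage script that reads Nomad client console traces like the two posted above and reports the last setup milestone reached before a setup error. The sample lines are abridged from those two traces, with the poster's masks kept; the milestone names returned by `stalled_at` are labels chosen for this example.

```python
import re

# Nomad client console line: [ISO time] [thread] local-time AM/PM component> message
LINE = re.compile(r"\[[\dT:.\-]+Z\]\s+\[[^\]]*\]\s+\S+\s+\S+\s+[AP]M\s+"
                  r"(?P<comp>\w+)[>:]\s*(?P<msg>.*)")
WSS = re.compile(r"URL changed to (wss?://\S+)")
ERR = re.compile(r"Error (0x[0-9A-Fa-f]+) during Nomad setup")

# Abridged from the two traces posted in this thread (masks kept as posted).
FAILING = """\
[2025-06-06T00:02:39.525Z] [125096384] 06/06/2025 10:02:39.525 AM fetch_notes_files: Fetch thread completed 47 downloads in 2031 ms
[2025-06-06T00:02:40.059Z] [00001:00002-17896712] 06/06/2025 10:02:39.51 AM wasmjs_websocket_new> URL changed to wss://[serverhostname]:9443/nrpc-wss
[2025-06-06T00:02:42.635Z] [00001:00002-17896712] 06/06/2025 10:02:42.09 AM JsonCallback> Error 0x807 during Nomad setup: The server is not responding.
"""
WORKING = """\
[2025-06-06T04:06:11.891Z] [00001:00002-18479336] 06/06/2025 09:36:11.53 AM wasmjs_websocket_new> URL changed to wss://nomad.notesdomtech.com:9443/nrpc-wss
[2025-06-06T04:06:11.914Z] [00001:00002-18479336] 06/06/2025 09:36:11.56 AM DeskBusyMessageSignalHandler> Looking up Peter Meter…
[2025-06-06T04:06:11.969Z] [00001:00002-18479336] 06/06/2025 09:36:11.61 AM DeskBusyMessageSignalHandler> Extracting ID from the Vault…
"""

def summarize(text):
    """Collect the setup milestones present in a client console trace."""
    out = {"websocket": None, "lookup": False, "vault": False, "error": None}
    for raw in text.splitlines():
        m = LINE.search(raw)          # search() tolerates a "file.js:47 " prefix
        if not m:
            continue                  # e.g. service-worker lines with no thread field
        msg = m["msg"]
        if (w := WSS.search(msg)):
            out["websocket"] = w.group(1)
        elif msg.startswith("Looking up"):
            out["lookup"] = True
        elif "Extracting ID from the Vault" in msg:
            out["vault"] = True
        elif (e := ERR.search(msg)):
            out["error"] = e.group(1)
    return out

def stalled_at(s):
    """Last milestone reached before the setup error, or None if no error was logged."""
    if s["error"] is None:
        return None
    if s["vault"]:
        return "id-vault"
    if s["lookup"]:
        return "user-lookup"
    return "websocket" if s["websocket"] else "pre-websocket"

if __name__ == "__main__":
    for name, trace in (("failing", FAILING), ("working", WORKING)):
        s = summarize(trace)
        print(name, s, "stalled at:", stalled_at(s))
```

On the abridged failing trace the error follows the websocket URL change with no "Looking up" or "Extracting ID from the Vault" line in between, whereas the working trace logs both.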

The ID Vault server, Nomad server and Mail server (as defined in both my Person document and my location document) are the same.

I cannot find on the server any nomad-config.yml file, nor userconfig.json referred to earlier. Should that be a problem? Where ought I to look for them?

I suspect that the problem is with fetching my ID from the Vault, but cannot see why the server should be unreachable for that purpose when it has already been contacted for other purposes.

Andrew, based on your response, I understand your Mail/ID Vault & Nomad server is the same. Can you try resetting the ID file password in the vault for your user account in the Administrator client?
After that, try accessing Nomad from the browser and see if that helps.

If it still doesn’t help, you can enable the below debugs to know more.
Debug_IDV_Connect=1
Debug_IDV_Trace=1
Debug_IDV_TrustCert=1
DEBUG_IDV_API=1

Debugs can be enabled via set config command.

Set Config Debug_IDV_Connect=1
Set Config Debug_IDV_Trace=1
Set Config Debug_IDV_TrustCert=1
Set Config DEBUG_IDV_API=1

This should print more on the ID vault calls in the console.log file of the Domino server.

Thank you
Regards
Shrikant J

Hi. I have encountered a similar error.
I solved it like this:
Create nomad-config.yml file in Domino data.
In the file I specified 2 lines:

 servers:
   CN=server/O=test: 127.0.0.1:1352

After that I restarted nomad.

Thank you Shrikant and Aleksandr. I shall try out your suggestions in the morning.

AB

Re-setting my password worked, but had no effect on my ability to set up Nomad.

The only additional information I get logged to the console now on attempting to connect/setup is
nomad::nrpc: Could not look up the server!

… which fits what we are seeing, but does not really answer the question of “why?”

I suppose this is the Nomad task trying to look up the server on which the ID Vault resides (same server, remember), using nrpc through web sockets. I know that Nomad is aware of both the server’s hostname (it reports that to the console on startup) and the Domino server name (it shows that in the UI - “Connecting to…” just before it reports “Nomad Setup Error”).