Fixing introspection issues with PROTON and IAM after Let's Encrypt Root Cert expired


Howdy,

a couple of customers and students of our AppDevPack course called me on various channels because they ran into issues with Proton and IAM, seeing introspection errors when trying act-as-user scenarios after September 30th.

In almost all cases, this was due to Let's Encrypt certs being used for securing the IAM communication together with a Let's Encrypt root cert (X3) that purposefully expired at the end of September.

To make Proton accept SSL connections from IAM, this trusted root cert had been imported into the corresponding .kyr file for the Proton task on the Domino server. Once that root expired, the chain presented by IAM no longer validated against the keyring, which is what surfaced as the introspection error.

We were able to fix the issue by importing the new X1 and X2 root certs and the R3 intermediate cert into the .kyr file using kyrtool and copying the respective *.pem files to the IAM server into the ../config/certs/ca folder.

Here's where you can find the certs:

Chain of Trust
Root Certificates: Our root certificates are kept securely, disconnected from the internet. We issue end-entity certificates that are signed by the intermediate certificates described in the following section. While we…

Please make sure to use the .pem files, and the ones cross-certified by IdenTrust.
In case you don't have the kyrtool command at hand, here's the Linux version of it, including the curl commands to download the pem files. If you're on Windows, please check your paths accordingly and download the certs via the browser if needed.

Using Domino on Linux:

cd /local/notesdata

# Download the ISRG X1 and X2 root certs and the R3 intermediate as PEM
curl https://letsencrypt.org/certs/isrgrootx1.pem -o le-ca-x1.pem
curl https://letsencrypt.org/certs/isrg-root-x2-cross-signed.pem -o le-ca-x2.pem
curl https://letsencrypt.org/certs/lets-encrypt-r3.pem -o le-ca-r3.pem

# Import each PEM as a trusted root into the Proton keyring; startup sets the Domino environment kyrtool needs
/opt/ibm/domino/bin/tools/startup /opt/ibm/domino/notes/latest/linux/kyrtool import roots -k proton.kyr -i le-ca-x1.pem
/opt/ibm/domino/bin/tools/startup /opt/ibm/domino/notes/latest/linux/kyrtool import roots -k proton.kyr -i le-ca-x2.pem
/opt/ibm/domino/bin/tools/startup /opt/ibm/domino/notes/latest/linux/kyrtool import roots -k proton.kyr -i le-ca-r3.pem

Important: after doing so, make sure you restart the Proton task and then IAM so both pick up the new CA chains.
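Before importing anything into the keyring (and again after copying the files to the IAM server), it is worth checking that every certificate in the downloaded PEM files is the one you expect and is not expired, since an expired root sitting in the chain is exactly what caused the introspection errors above. The script below is an added example and not part of the original post or of the Domino/IAM tooling: a stdlib-only reader that prints subject CN, issuer CN and expiry for each certificate in a PEM file and flags expired ones. The sample bundle at the bottom is constructed (unsigned and not verifiable) purely to exercise the parser; point the script at le-ca-x1.pem, le-ca-x2.pem and le-ca-r3.pem for real data.

```python
"""List subject, issuer and expiry of every certificate in PEM files and flag expired ones.

Added example, not from the original post: stdlib-only X.509 reader. The sample
bundle at the bottom is constructed (unsigned) and only exercises the parser.
"""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def pem_to_ders(pem_bytes):
    """DER body of every CERTIFICATE block in a PEM file."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            parts = list(children(atv))
            if len(parts) == 2 and parts[0][1] == OID_CN:
                return parts[1][1].decode("utf-8", "replace")
    return "<no CN>"


def parse_time(tag, value):
    """UTCTime (YYMMDDhhmmssZ, tag 0x17) or GeneralizedTime (YYYYMMDDhhmmssZ, tag 0x18)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Return (subject_cn, issuer_cn, not_before, not_after) of one DER certificate."""
    _, cert, _ = read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)      # tbsCertificate ::= SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity = list(children(fields[3][1]))
    return (common_name(fields[4][1]), common_name(fields[2][1]),
            parse_time(*validity[0]), parse_time(*validity[1]))


def check_pem(pem_bytes, now=None):
    """One dict per certificate; 'expired' is judged against now (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    report = []
    for der in pem_to_ders(pem_bytes):
        subject, issuer, _, not_after = parse_certificate(der)
        report.append({"subject": subject, "issuer": issuer,
                       "not_after": not_after.isoformat(), "expired": not_after < now})
    return report


# --- constructed sample data: structurally valid but unsigned, for demonstration only ---
def tlv(tag, value):
    """DER-encode one tag-length-value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))


def sample_cert_der(subject_cn, issuer_cn, not_after):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, not_after)) + name(subject_cn)
              + tlv(0x30, alg + tlv(0x03, b"\x00")))   # placeholder subjectPublicKeyInfo
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))   # empty signature


def to_pem(der):
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Sample bundle: a root that expired on 30 September 2021 next to a still-valid intermediate.
SAMPLE_PEM = (to_pem(sample_cert_der("Old Root (sample)", "Old Root (sample)", b"210930120000Z"))
              + to_pem(sample_cert_der("R3 (sample)", "New Root (sample)", b"350601000000Z")))

if __name__ == "__main__":
    # Usage: python check_pem.py le-ca-x1.pem le-ca-x2.pem le-ca-r3.pem  (no arguments: sample bundle)
    bundles = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_PEM]
    for pem in bundles:
        for c in check_pem(pem):
            state = "EXPIRED" if c["expired"] else "ok     "
            print(f'{state} {c["subject"]} (issued by {c["issuer"]}) until {c["not_after"]}')
```

Running it without arguments prints one EXPIRED and one ok line for the sample bundle; run against the three downloaded files, every line should read ok and the issuer of le-ca-r3.pem should match the subject of one of the two roots, otherwise the chain you are about to import into proton.kyr is incomplete. The parser only walks the handful of DER fields it needs and does no signature checking, so it is a sanity check, not a replacement for the trust validation Proton and IAM perform themselves.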

Hope this helps...

Heiko.
