Wildcard SSL on Lotus Domino
If you follow me on Twitter, you’ve seen me throw out a couple lifelines for help on getting Wildcard SSL to work on Domino. Basically, it’s getting a *.company.com SSL certificate that allows you to use it on all the subdomains for that domain in question. For example, one SSL cert could work for www.company.com, login.company.com, webmail.company.com and so on.
There is no documentation I can find from Lotus on using wildcard SSL certificates. Nothing in admin help, and nothing in technotes. I also could only find one post on Notes.net where someone named Joe Walters claimed to have it working.
So with that as my only glimmer of hope, I bought the wildcard certificate anyway. Now if you read anything about wildcard SSL on the internet, the articles state that wildcard SSL works as long as every site has the same IP address. The Domino documentation, on the other hand, says that you need a unique IP address for every internet site. So right there you have a major conflict. Well, since there were lots of articles and posts stating that wildcard SSL needed to share one IP address and there was no documentation at all concerning wildcard SSL on Domino, I figured I would go the shared IP route.
Um, wrong answer.
If you simply create internet site documents with no mention of the IP address, SSL only works for the default site (if it is using SSL) or, if there is no default site, for the first one listed in the view. And it fails in a weird fashion. Let me try to explain.
- First assume you’ve gotten your SSL keyring all set up correctly and ready to go.
- Let’s also assume all of your internet site documents are set up and do not reference the IP address in the Host names or Addresses field.
- In your Domino data directory you have a folder called Companies. Inside that folder, you have additional folders for each company.
- Let’s say you have a site at ABC.company.com. When you go to http://abc.company.com the site redirects to http://abc.company.com/companies/abc/abc.nsf
- Likewise, you have an XYZ.company.com site. When you go to http://xyz.company.com the site redirects to http://xyz.company.com/companies/xyz/xyz.nsf
- Now you enable SSL for the ABC site by checking the Redirect TCP to SSL checkbox in the internet site document.
- Now when you go to http://abc.company.com, Domino redirects to the SSL version https://abc.company.com/companies/abc/abc.nsf. That’s fine, that’s what you expect.
- Now you enable SSL for the XYZ site by checking the Redirect TCP to SSL checkbox in the internet site document.
- If you now try to access http://xyz.company.com it redirects to the following: https://xyz.company.com/companies/abc/abc.nsf
Notice what it did there? It kept the domain name correct with xyz, but the rest of the URL points to the ABC site. That’s because Domino needs a separate IP address for each SSL site. Otherwise it uses the settings of the first SSL site, or of the Default Site if there is one. As you can imagine, that causes problems.
🙂
So, instead, make sure you give each site its own IP address to appease Domino, and then SSL will work as you expect.
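As an added example (not code from the post, and not anything Domino ships), here is a small audit script for the two pitfalls above: SSL internet sites that share one IP address, and a TCP-to-SSL redirect that keeps the requested hostname but lands on another site’s path. It also goes one step beyond the post with a `wildcard_matches` check that applies the usual browser rule for wildcard certificates: the `*` stands for exactly one DNS label, so `*.company.com` covers abc.company.com but not company.com itself or a.b.company.com. The hostnames, IP addresses and redirect targets are constructed sample data; in practice you would fill the dictionaries from your site documents and from the `Location` headers the server actually returns.

```python
"""Added checks for the wildcard-SSL-on-Domino pitfalls described in the post:
SSL internet sites sharing one IP address, and a TCP-to-SSL redirect that keeps
the requested host but borrows another site's path. All hostnames, IPs and
redirect targets below are constructed sample data, not real servers."""
from collections import defaultdict
from urllib.parse import urlsplit


def wildcard_matches(pattern: str, host: str) -> bool:
    """True if a certificate name like '*.company.com' covers 'host'.
    Follows the common browser rule: '*' stands for exactly one DNS label
    and must be the whole left-most label, so '*.company.com' covers
    abc.company.com but not company.com or a.b.company.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]               # ".company.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]        # the part the '*' has to absorb
    return bool(left) and "." not in left


def find_shared_ips(site_bindings: dict) -> dict:
    """Map each IP that more than one SSL site is bound to -> sorted hostnames.
    An empty result means every site has its own address, as the post requires."""
    by_ip = defaultdict(list)
    for host, ip in site_bindings.items():
        by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def check_redirect(requested_host: str, expected_path: str, location: str):
    """Inspect the Location header returned for http://<requested_host>/.
    Returns None if the redirect is sane, otherwise a short description of
    what is wrong (not https, host changed, or another site's path)."""
    target = urlsplit(location)
    if target.scheme != "https":
        return f"redirect is not to https: {location}"
    if (target.hostname or "").lower() != requested_host.lower():
        return f"host changed from {requested_host} to {target.hostname}"
    if target.path.lower() != expected_path.lower():
        return f"{requested_host} redirected to another site's path {target.path}"
    return None


def audit(site_bindings: dict, site_paths: dict, observed_redirects: dict) -> list:
    """Run both checks and collect findings as strings (empty list == clean)."""
    findings = []
    for ip, hosts in find_shared_ips(site_bindings).items():
        findings.append(f"SSL sites share IP {ip}: {', '.join(hosts)}")
    for host, location in observed_redirects.items():
        problem = check_redirect(host, site_paths[host], location)
        if problem:
            findings.append(problem)
    return findings


# Constructed sample: the configuration the post describes as broken
# (both sites on one address, XYZ redirect borrowing ABC's path).
SAMPLE_BINDINGS = {"abc.company.com": "192.0.2.10", "xyz.company.com": "192.0.2.10"}
SAMPLE_PATHS = {"abc.company.com": "/companies/abc/abc.nsf",
                "xyz.company.com": "/companies/xyz/xyz.nsf"}
SAMPLE_REDIRECTS = {
    "abc.company.com": "https://abc.company.com/companies/abc/abc.nsf",
    "xyz.company.com": "https://xyz.company.com/companies/abc/abc.nsf",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_BINDINGS, SAMPLE_PATHS, SAMPLE_REDIRECTS):
        print("FINDING:", line)
```

Run against the sample data the script reports both problems: the shared 192.0.2.10 binding and the XYZ redirect that ends up at `/companies/abc/abc.nsf`. Once each site has its own address and the redirects land on their own databases, `audit` returns an empty list.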
This took many hours of discovery to figure out. Lots of testing, lots of changing settings. And then, when I was about to give up, I decided to try looking for the Joe Walters from notes.net. Well, through some Google luck, I found the right Joe Walters and sent him an email hoping he could help. Within hours he had responded, and shortly after we were IM’ing and then on the phone. Joe confirmed all of the weirdness I had found and let me know that we needed a unique IP for each one. So I am hugely indebted to him.
I asked him what he thought about being the expert on Wildcard SSL on Domino. “Well, I’m not the expert any more, you are!” he said. “We’re moving away from Domino, so in a couple of years I might not even remember it, so I’m passing the baton to you.” Well thank you Joe, thanks for the help, and thanks for the baton. I hope I don’t end up falling on my face before the finish line.
Hopefully this will prevent other folks from having to fumble through this in the dark too. Wildcard SSL on Domino works fine; just give each site sharing the SSL cert its own IP address. Life is then good!
Tim E. Brown
October 21, 2008 @ 1:45 pm
This is somewhat related also
{ Link }
It’s been around for a few months.
Greyhawk68
October 21, 2008 @ 1:56 pm
That was posted from information from Joe Walters. And it makes no mention of the site documents you have to set up, it only goes into getting the keyring set up.
The big thing missing from there is the site setup and the requirement to use individual IP addresses. But yes, I had found that, but unfortunately it hadn’t helped much.
-Grey
Jens Krogh
October 21, 2008 @ 2:00 pm
You could also just use the old Web Configuration documents with a virtual host for each website. Then you don’t need to use a new IP address for each site.
peter smith
October 21, 2008 @ 2:39 pm
Another good point is that wildcard SSL IS supported on Domino. There is a 6.5 era technote that says it isn’t, but when I asked the question recently IBM confirmed that it now is supported.
Greyhawk68
October 21, 2008 @ 3:26 pm
@4 It would be nice if they would document it… oh I dunno… anywhere!
If you read all the documentation and technotes, you would think wildcard SSL doesn’t exist at all!
-Grey
Tinus Riyanto
October 22, 2008 @ 12:47 am
I believe I have read something about it on the ND7 forum about a year back when I tried to set up a reverse proxy in front of our Domino servers.
In our case the problem that remained is where you would install such an SSL cert, on the Domino servers or on the reverse proxy? We decided to put it on the reverse proxy because it made sense to us at that time. Might be wrong though.
Mats Ekman
January 17, 2014 @ 10:23 pm
Wildcard SSL certificate from P12/PFX file into Domino
I did some documentation and a checklist on how to do this at my company blog.
Maybe that could help you out, here is the link:
http://wp.me/p1CuQM-pG
Regards
Mats