Wildcard SSL on Lotus Domino

If you follow me on Twitter, you’ve seen me throw out a couple lifelines for help on getting Wildcard SSL to work on Domino. Basically, it’s getting a *.company.com SSL certificate that allows you to use it on all the subdomains for that domain in question. For example, one SSL cert could work for www.company.com, login.company.com, webmail.company.com and so on.

There is no documentation I can find from Lotus on using wildcard SSL certificates. Nothing in admin help, and nothing in technotes. I also could only find one post on Notes.net where someone named Joe Walters claimed to have it working.

So with that as my only glimmer of hope, I bought the wildcard certificate anyway. Now if you read anything about wildcard SSL on the internet, the articles state that wildcard SSL works as long as every site has the same IP address. In Domino documentation, it says that you need a unique IP address for every internet site. So right there you have a major conflict. Well, since there were LOTS of articles and posts stating that wildcard SSL needed to share one IP address and there was NO documentation concerning wildcard SSL on Domino, I figured I would go the shared IP route.

Um, wrong answer.

If you simply create internet site documents with no mention of the IP address, SSL only works for the default site (if it’s using SSL) or, if there is no default site, for the first one listed in the view. And it does it in a weird fashion. Let me try to explain.

  • First assume you’ve gotten your SSL keyring all set up correctly and ready to go.
  • Let’s also assume all of your internet site documents are set up and do not reference the IP address in the Host names or Addresses field.
  • In your Domino data directory you have a folder called Companies. Inside that folder, you have additional folders for each company.
  • Let’s say you have a site at ABC.company.com. When you log into http://abc.company.com the site goes to http://abc.company.com/companies/abc/abc.nsf
  • Likewise, you have an XYZ.company.com site. When you log into http://xyz.company.com the site goes to http://xyz.company.com/companies/xyz/xyz.nsf
  • Now you enable SSL for the ABC site by checking the Redirect TCP to SSL checkbox in the internet site document.
  • Now when you go to http://abc.company.com, Domino redirects to the SSL version https://abc.company.com/companies/abc/abc.nsf

That’s fine, that’s what you expect.

  • Now you enable SSL for the XYZ site by checking the Redirect TCP to SSL checkbox in the internet site document.
  • If you now try to access http://xyz.company.com it redirects to the following: https://xyz.company.com/companies/abc/abc.nsf

Notice what it did there? It kept the domain name correct with xyz, but the rest of the URL points to the ABC stuff. That’s because Domino needs separate IP addresses for each SSL site. Otherwise it uses the info for the first SSL site, or Default Site if there is one. As you can imagine, that causes problems.

🙂

So, instead, make sure you give each site its own IP address to appease Domino, and then SSL will work as you imagine.
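The two rules above (every SSL-enabled site bound to its own IP address, and every host name actually covered by the wildcard certificate) are easy to get wrong by hand across a dozen internet site documents. The following is an added example, not code from the original post or from Lotus, that checks a set of site definitions before you flip Redirect TCP to SSL. The site records and the field names (`name`, `hosts`, `ip`, `redirect_to_ssl`) are constructed stand-ins for the Internet Site document fields, not Domino's real item names, and the addresses are documentation-range samples.

```python
"""Added example (not from the original post): sanity-check Domino Internet
Site definitions before enabling 'Redirect TCP to SSL'.

Two checks are encoded:
  1. every SSL-enabled site must be bound to its own IP address, because
     Domino picks the SSL site by address, not by host name, so sites that
     share an address all get the first site's configuration;
  2. every host name must be covered by the wildcard certificate
     (*.company.com covers abc.company.com but not company.com itself,
     nor a.b.company.com).

The site records below are constructed sample data; the field names are
simplified stand-ins, not Domino's actual item names.
"""
import ipaddress
from collections import defaultdict


def wildcard_matches(pattern, hostname):
    """Return True if a certificate name (possibly '*.example') covers hostname.

    Only a leading '*.' is honoured, and it stands for exactly one DNS label,
    which is the rule browsers apply to wildcard certificates.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # ".company.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]      # the label(s) that replaced '*'
    return left != "" and "." not in left


def check_sites(sites, cert_name):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    owners = defaultdict(list)           # ip -> names of SSL sites bound to it

    for site in sites:
        name = site["name"]
        # Check 2: each host name must be covered by the wildcard cert.
        for host in site["hosts"]:
            if not wildcard_matches(cert_name, host):
                problems.append(f"{name}: host {host} is not covered by {cert_name}")

        if not site["redirect_to_ssl"]:
            continue

        # Check 1: an SSL site needs an explicit, valid, unique address.
        ip = site.get("ip")
        if not ip:
            problems.append(f"{name}: SSL enabled but no IP address in the site document")
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name}: '{ip}' is not a valid IP address")
            continue
        owners[ip].append(name)

    for ip, names in owners.items():
        if len(names) > 1:
            problems.append(
                f"IP {ip} is shared by SSL sites {', '.join(names)}; "
                "Domino will serve the first one's configuration for all of them"
            )
    return problems


# Constructed sample data. The first set reproduces the trap in the post:
# ABC and XYZ share an address, and DEF has none at all.
SITES_BAD = [
    {"name": "ABC", "hosts": ["abc.company.com"], "ip": "192.0.2.10", "redirect_to_ssl": True},
    {"name": "XYZ", "hosts": ["xyz.company.com"], "ip": "192.0.2.10", "redirect_to_ssl": True},
    {"name": "DEF", "hosts": ["def.company.com"], "ip": "", "redirect_to_ssl": True},
]

# The second set is the working layout: one address per SSL site.
SITES_GOOD = [
    {"name": "ABC", "hosts": ["abc.company.com"], "ip": "192.0.2.10", "redirect_to_ssl": True},
    {"name": "XYZ", "hosts": ["xyz.company.com"], "ip": "192.0.2.11", "redirect_to_ssl": True},
    {"name": "WWW", "hosts": ["www.company.com"], "ip": "", "redirect_to_ssl": False},
]

if __name__ == "__main__":
    for label, sites in (("shared / missing IP", SITES_BAD), ("unique IP", SITES_GOOD)):
        print(f"== {label} ==")
        for line in check_sites(sites, "*.company.com") or ["OK"]:
            print(" ", line)
```

Run it once against your real site list (exported however you like) and fix every line it prints before enabling the redirect; the non-SSL WWW site is allowed to leave its address blank, which is exactly the case the post says works fine.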

This took many hours of discovery to figure out. Lots of testing, lots of changing settings. And then, when I was about to give up, I decided to try looking for the Joe Walters from notes.net. Well, through some Google luck, I found the right Joe Walters and sent him an email hoping he could help. Within hours he had responded, and shortly after we were IM’ing and then on the phone. Joe confirmed all of the weirdness I had found and let me know that we needed a unique IP for each one. So I am hugely indebted to him.

I asked him what he thought about being the expert on Wildcard SSL on Domino. “Well, I’m not the expert any more, you are!” he said. “We’re moving away from Domino, so in a couple of years I might not even remember it, so I’m passing the baton to you.” Well, thank you Joe, thanks for the help, and thanks for the baton. I hope I don’t end up falling on my face before the finish line.

Hopefully this will prevent other folks from having to fumble through this in the dark too. Wildcard SSL on Domino works fine, just give each site sharing the SSL cert its own IP address. Life is then good!