When you request a certificate from the Let's Encrypt CA, its servers use challenges to validate that you control every domain name in the certificate. Two challenge types are supported, and both can be used with Domino.
HTTP-01 challenge
With this configuration, a challenge token from the Let's Encrypt servers is published on the Domino HTTP server, where Let's Encrypt retrieves it over plain HTTP on port 80 from the well-known path /.well-known/acme-challenge/<token>. Certificate request processing involves only your servers and the Let's Encrypt servers. In Domino, the DSAPI manages the interaction between the Let's Encrypt CA and Domino. This is the easiest challenge to configure and the one typically used. Note that port 80 must be reachable from the Internet for every host name in the certificate, and HTTP-01 cannot validate wildcard names.
DNS-01 challenge
With this configuration, a TXT record containing the challenge information from the Let's Encrypt servers is added to the DNS zone of your registered domain, at the name _acme-challenge.<domain>. To validate the request, the Let's Encrypt servers query that TXT record from the public DNS and verify the challenge value, so the record must have propagated to your authoritative name servers before validation runs.
Your DNS provider's API for managing TXT records is used to automate adding the challenge record. The required API calls are implemented in a DNS Provider Configuration document that you create in certstore.nsf. The API credential stored in that document can modify your DNS zone, so use a credential with the narrowest scope your provider offers.
Use of the DNS-01 challenge offers these advantages:
CertMgr offers flexibility in creating the DNS Provider Configuration document. A DXL file is available that contains reference implementations for two specific DNS providers, using their respective APIs. If you use one of these providers, import the DXL file into certstore.nsf to create the required DNS Provider Configuration document, which is then ready to use. If your DNS provider is not one of the two reference providers, you or a business partner can develop a DNS Provider Configuration document using your provider's API. To get the reference DXL file and to learn how to build your own DNS provider configuration, see article https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0089487 on the HCL Support site.
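The following Python script is an added example and is not part of the HCL documentation, CertMgr or the DSAPI. It shows what both challenge types described above come down to on the wire, as defined in RFC 8555: for HTTP-01, the URL Let's Encrypt fetches and the exact body it expects; for DNS-01, the TXT record name and value. CertMgr computes and publishes these for you, but being able to compute them yourself is what you want when a validation fails and you need to compare what was actually published (for example the output of `dig +short TXT _acme-challenge.<domain>`) with what the CA expects. The token, account-key thumbprint and resolver answers are constructed sample values, not real ACME data.

```python
"""Compute what Let's Encrypt expects to find for HTTP-01 and DNS-01 (RFC 8555 sections 8.3 and 8.4)."""
import base64
import hashlib
import re

ACME_CHALLENGE_PATH = "/.well-known/acme-challenge/"  # HTTP-01 path, RFC 8555 section 8.3
ACME_DNS_LABEL = "_acme-challenge"                     # DNS-01 record prefix, RFC 8555 section 8.4
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")              # tokens and thumbprints are base64url strings


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: str) -> str:
    """token '.' base64url(JWK thumbprint of the ACME account key).

    The token comes from the CA and ends up in a URL path, so reject anything that
    is not base64url before building paths or records from it."""
    if not B64URL_RE.fullmatch(token) or not B64URL_RE.fullmatch(account_thumbprint):
        raise ValueError("token and thumbprint must be base64url strings")
    return f"{token}.{account_thumbprint}"


def http01_expected(domain: str, token: str, account_thumbprint: str) -> tuple[str, str]:
    """URL that Let's Encrypt fetches (plain HTTP, port 80) and the exact body it must get back."""
    body = key_authorization(token, account_thumbprint)
    return f"http://{domain}{ACME_CHALLENGE_PATH}{token}", body


def http01_served(status_code: int, body: str, expected_body: str) -> bool:
    """Check a fetched response: status 200 and the key authorization as body.
    RFC 8555 lets the CA ignore trailing whitespace, so it is tolerated here too."""
    return status_code == 200 and body.rstrip() == expected_body


def dns01_expected(domain: str, token: str, account_thumbprint: str) -> tuple[str, str]:
    """TXT record name and value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_thumbprint).encode("ascii")).digest()
    return f"{ACME_DNS_LABEL}.{domain}", b64url(digest)


def dns01_published(txt_records: list[str], expected_value: str) -> bool:
    """True if the expected value is among the TXT strings at the challenge name.

    Several values may legitimately coexist (one per name in a multi-name order, or a
    stale record from an earlier run), so check membership rather than equality."""
    return any(rec.strip().strip('"') == expected_value for rec in txt_records)


# Constructed sample values (not real ACME data): a token as issued by the CA and an
# account-key thumbprint. Real values are base64url strings of this shape.
SAMPLE_DOMAIN = "mail.example.com"
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_THUMBPRINT = "nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzQt62jOmv8"


if __name__ == "__main__":
    url, body = http01_expected(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(f"HTTP-01: GET {url}")
    print(f"         body must be: {body}")
    name, value = dns01_expected(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_THUMBPRINT)
    print(f'DNS-01:  {name} IN TXT "{value}"')
    # Constructed resolver answer: what `dig +short TXT <name>` might print, with one stale record.
    published = ['"' + value + '"', '"some-stale-value"']
    print("DNS-01 record visible:", dns01_published(published, value))
```

The quote stripping in `dns01_published` matches the way `dig` prints TXT strings; a record that carries the right value but has not yet reached the authoritative servers will still fail validation, so run the lookup against those servers rather than a caching resolver.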
Parent topic: Managing certificates with the Let's Encrypt CA