Thursday, July 4, 2024

An Admin Present You Didn't Know You Needed

Hi, welcome back to my burnt-out blog. 1,500 posts and, well, I am kind of burnt out, but that doesn't stop me from giving the community these little bits.

I'd like to write more, but a lot of things have been internal client items that I can't write about. I am active, though.

Preamble, excuses out of the way, so, who wants some goodies?

About 2 weeks ago, I gave an impromptu webinar for Openntf.org as a last-minute fill-in.

Openntf, for those that don't know, is the Notes/Domino+ community, where devs, admins, business people, HCL, and others share code and ideas, templates, and projects for the benefit of the greater worldwide community.

I wanted to inform people that the set of tasks you can monitor in the Administrator client has changed.

Why is this important? Because unless you are a one-server company, you have a lot of information to remember, such as:

  1. How do you know if DBMT ran?
  2. How do you know which server Certmgr runs on?
  3. Which web server do you run the Domino REST API on?
  4. Which server handles your Backups and Restores, presuming you leverage the v14 options?
  5. Is NOMAD running?
  6. Is your DirSync working?
  7. Are you sure the awesome OnTime Group calendar is running?
  8. Have you enabled AutoUpdate yet? One look and you know.

Intriguing questions, right?

Between v9 and v12, nothing changed in the tasks that could be monitored. Traveler seems to have been the last item added, and that was from 8.5, but it found its way into the Monitoring Dashboard in v9.

Now comes v14, and HCL has cleared out some older items, like X.500 info and the Fax server, but did not add any of the newer tasks that have come along since v9.

To be fair to HCL, it is not as simple as a few fields and renaming a file.

But fear not my fellow Admins, for I have not only explained it all in my presentation, which you can watch over here on the Openntf YouTube page, I have made the tasks available for everyone to update their Admin Monitoring Dashboard.

If you just want the slides, go here.

And because I know you are probably as lazy as I am, I have made the forms available with instructions to help you get more from your Monitoring Dashboard.

Go get the tasks from my Openntf project over here.

If I missed a task that is not listed, let me know, and I will update the project database.


Tuesday, December 19, 2023

SSL Cert Renewed in Certmgr but no one could see it

Certmgr is the greatest thing in Domino these days if you are an admin.

Autorenewing SSL saves so many problems, delays, and potential loss of revenue for customers that it is, in my opinion, one of the best things HCL has added to Domino.

Much of the credit for it goes to HCL Lifetime Ambassador Daniel Nashed. 

When you see him at Engage or DNUG, buy him a beer.

Daniel was on hand to help me with my problem tonight, and he was correct with his original assessment, Certmgr should just work. 

I agreed, and it was working, or so it appeared in the view when verifying with "tell certmgr show certs" at the server console, but we could not see the validated certificates for two domains.

Since I had manually renewed them today, we should have seen a date of expiration for March 18. Instead, we saw December 17th for the one that expired yesterday, and the other showed January 21.

The TLS cache should auto-refresh when it receives the new certificates, but it did not appear to be doing so.

We reviewed the basic configuration and tried some test requests, which should have triggered a cache refresh and resolved the issue. But that didn't help us see the correct certificates in our browsers.

While Daniel asked me about different parameters, I learned something about the updated certmgr: we don't need to put the .kyr name in the Security tab, TLS options field.

Instead, we should be using the DNS name. I totally missed this. The .kyr name in the field is there for the legacy people who have yet to move to V12 or V14. See page 36 of the slide deck mentioned below.

You can read Daniel's slides from his OpenNTF session, which is full of deep technical information. https://blog.nashcom.de/presentations/openntf2021_domino_certmgr.pdf

The other part, which I did know but had yet to remove from the customer server, is that the Internet Sites document's Basics tab, DSAPI Filters field, no longer requires ncertmgrdsapi.

After doing these bits of cleanup, and restarting HTTP a few times, we were still left with the issue of incorrectly reported SSL certificate dates.

We turned on debugging for the cache using "set config CERTSTORE_CACHELOG=1" (page 47 in the above slide deck).

And we got nothing.

Which surprised both of us.

And then we went to look at the notes.ini to see if anything was pointing to the wrong place.

And this is where we found the problem.

Now, there is a parameter that should not have been there at all, and there was only one Google reference for it that we found. Evidently, that reference should not have been public, but it was, and someone at the customer site had added it sometime in the last 60 days or so because Certmgr had been running fine for over a year already.

For the sake of some poor admin out there troubleshooting this, I will say that if you experience the same problem as I did, look in your Domino notes.ini for a line that starts with "SSL_DISABLE_TLS".

I will not put the rest of the command here because, as Daniel said, no one should be using it.

If you find something like this, just remove the line outright from your notes.ini. You can use "set config ssl_disable_tls(rest of the name)=" to remove it from your active server. There is no 0 or 1 value to set; leaving the value empty is what removes it.

Then, at your server console, type "restart task HTTP", which is the better way to restart HTTP.

And poof, like magic, it all worked again.

That notes.ini setting blocks the newer TLS cache refresh implementation from running. Thus, even though Certmgr could get the updated certificates, it could not run the refresh because this line was telling it not to.
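As an added example (not from the post or from HCL), here is a small audit script for the check described above: it reads a notes.ini, flags any parameter whose name starts with "SSL_DISABLE_TLS", and emits the "set config KEY=" and "restart task HTTP" console commands to clear it. The sample notes.ini and the key name SSL_DISABLE_TLS_PLACEHOLDER are constructed; the real parameter name is deliberately not reproduced.

```python
"""Audit a Domino notes.ini for parameters that block the CertMgr TLS cache refresh.
Added example, not the blog's or HCL's code. notes.ini is plain KEY=value lines."""
from typing import Dict, List, Tuple

# Only the prefix the post names is watched; the full parameter name is not reproduced.
WATCHED_PREFIXES = ("SSL_DISABLE_TLS",)


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse notes.ini text into a dict. Keys are upper-cased for comparison,
    since the post's own console commands use the name in either case."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank, comment, or not a KEY=value line
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def find_blocking_parameters(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (key, value) pairs whose key starts with a watched prefix."""
    return sorted((k, v) for k, v in settings.items() if k.startswith(WATCHED_PREFIXES))


def cleanup_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Console commands that clear each flagged key on the running server
    (empty value removes it), then restart HTTP as the post recommends."""
    cmds = [f"set config {key}=" for key, _ in findings]
    if cmds:
        cmds.append("restart task HTTP")
    return cmds


# Constructed sample notes.ini fragment; SSL_DISABLE_TLS_PLACEHOLDER is a made-up key.
SAMPLE_NOTES_INI = """\
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP,CertMgr
CERTSTORE_CACHELOG=1
ssl_disable_tls_placeholder=1
Directory=C:\\Domino\\data
"""

if __name__ == "__main__":
    found = find_blocking_parameters(parse_notes_ini(SAMPLE_NOTES_INI))
    for key, value in found:
        print(f"FLAG {key}={value}")
    for cmd in cleanup_commands(found):
        print(cmd)
```

Point it at a copy of the server's notes.ini to confirm the parameter is gone after the "set config" cleanup and before restarting HTTP.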

Customers are so cute when they tell you they didn't change anything.