SSL Cert Renewed in Certmgr but no one could see it

Certmgr is the greatest thing in Domino these days if you are an admin.

Autorenewing SSL saves so many problems, delays, and potential loss of revenue for customers that it is, in my opinion, one of the best things HCL has added to Domino.

Much of the credit for it goes to HCL Lifetime Ambassador Daniel Nashed. 

When you see him at Engage or DNUG, buy him a beer.

Daniel was on hand to help me with my problem tonight, and he was correct with his original assessment, Certmgr should just work. 

I agreed, and it was working, or so it showed in the view when verifying it using "tell certmgr show certs" at the server console, but we could not see the validated certificates for 2 domains.

Since I had manually renewed them today, we should have seen a date of expiration for March 18. Instead, we saw December 17th for the one that expired yesterday, and the other showed January 21.

The TLS cache should be auto-refreshing when it gets the new certificates, but appeared to not be doing the task.

We reviewed the basic configuration and tried some test requests, which should have triggered a cache refresh and resolved the issue. But that didn't help us see the correct certificates in our browsers.

While Daniel asked me about different parameters, I learned something about the updated certmgr, we don't need to put the .kyr name in the Security tab, TLS options field. 

Instead, we should be using the DNS name. I totally missed this. The .kyr name in the field is there for the legacy people who have yet to move to V12 or V14. See page 36 of the slide deck mentioned below.

You can read Daniel's slides from his OpenNTF session, which is full of deep technical information. https://blog.nashcom.de/presentations/openntf2021_domino_certmgr.pdf

The other part, which I did know, but had yet to remove from the customer server is the Internet Sites Basics tab, DSAPI Filters field no longer requires ncertmgrdsapi.

After doing these bits of cleanup, and restarting HTTP a few times, we were still left with the issue of incorrectly reported SSL certificate dates.

We turned on debugging for the cache using set config CERTSTORE_CACHELOG=1. 

Page 47 in the above slide deck.

And we got nothing.

Which surprised both of us.

And then we went to look at the notes.ini to see if anything was pointing to the wrong place.

And this is where we found the problem.

Now, there is a parameter that should not have been there at all, and there was only one Google reference for it that we found. Evidently, that reference should not have been public, but it was, and someone at the customer site had added it sometime in the last 60 days or so because Certmgr had been running fine for over a year already.

For the sake of some poor admin out there troubleshooting this, I will say that if you experience the same problem as I did, look in your Domino notes.ini for a line that starts with "SSL_DISABLE_TLS".

I will not put the rest of the command here because, as Daniel said, no one should be using it.

If you find something like this, just remove the line outright from your notes.ini.

You can use "set config ssl_disable_tls(rest of the name)=" to remove it from your active server.

There is no 0 or 1 to put to remove it.

Then, at your server console, type "restart task HTTP," which is the better way to restart HTTP.

And poof, like magic, it all worked again.

That command blocks the newer TLS Cache refresh implementation from running. Thus even though Certmgr could get the updated certificates, it could not run the refresh because this line was telling it not to run.

Customers are so cute when they tell you they didn't change anything.

Domino V14 - A New User Capability - Mail Merge

I have asked for this for many years, and we got it in V14! 

This is my guide and first reaction.

If you have Admin Assistants or need to do your marketing, you need to use Word or some 3rd party to do what should be a simple effort.

HCL has given us a nice Mail Merge inside the notes client.

It may take some testing for your first one, but hang in there, it is much easier than other methods I have used.

I will elaborate on these topics below:

• Where is the Mail Merge option
• What you need to set up the Mail Merge 
• Creating your Mail Merge
• Previewing and Running a Mail Merge

Where is the Mail Merge option?

Naturally, the first place to get information is the HCL Documentation.

https://help.hcltechsw.com/notes/14.0.0/client/mail_create_mailmerge.html

I'd like to say this is well-documented, so someone who is not a developer or in IT can follow along.

But it isn't, which is one of my few issues and why I am writing this blog post.

Presuming you updated your Notes client to V14 and updated your mail file template to V14, Mail Merge is a newly added option in your Mail inbox view, when you select New > Mail Merge.

(1st screenshot is from the HCL Docs and presumably a Mac client, the 2nd is from my Windows client, How do I get the Stationery option in Windows?)
   

What you need to set up the Mail Merge 

Like most Mail Merges, you need your data, usually in a spreadsheet. HCL asks for Excel. I did not test any other spreadsheets.

The documentation says, but doesn't show or provide an example:

1. Create an Excel spreadsheet.

   Each column represents an aspect of the email body that will be personalized; each row should specify every user receiving the email and their personalized information.

2. Save the Excel file.

Took me a few tries to figure this out.

Naturally, every row should be a name, easy enough.

What is the column story exactly?

At first, I tried putting in details, but that didn't work right.

You need to provide a Title to each column.

I thought I needed the Notes designer name for each field, which would be crazy for an end user, but I was wrong. 

The title can be anything you want; this is cool because oftentimes, you get hard requirements for naming.

But make it easy to follow, as you will see in the next steps.

Here is an example of my simple test Excel file, without the attachment column.

Then save your file.

Creating your Mail Merge

This is what you came here for, and it is set up like a Wizard to help you.

After selecting New>Mail Merge and you select the Excel file you created, you will see this dialog box:

(1st screenshot is the documentation and a mac client, 2nd is my windows client. Note the differences, Stationery, and Attachments are not consistent)

If you click on the drop-downs you can see all the column titles you created and in my screenshot below, it recognizes some names directly.

Attachments in Excel are messy, but I tested using a local file link.

Once your basic fields are defined, you move to the memo form.

NOTE: The attachment(s) do not appear anywhere in this form! But they are there, as we will see shortly.

I did not know what to expect, so I created a "Body" column with the text I wanted. Normally, this is where you would paste your Word document or email template, so the body field I created is not needed, but I added the field there to show an example of fields and text.

People who are used to creating a Mail Merge will understand that you format the mail/body text like usual and you can include graphics and other changes to fonts, etc..

NOTE: In my testing graphics that appeared in the preview did not come through to the recipient.

Usage cases for this include bulk email senders, bill notifications, or other similar types of standardized messages, but if you don't need heavy, intensive graphics, this will do quite well for your marketing team, too. YMMV.

When you need your fields from the Excel file, click on the Insert merge field, and it will add the block. You can then move it or work around it, as i did with BODY below.

Once your mail is ready, click the Preview and Send button.

Previewing and Running a Mail Merge

I grabbed a side-by-side screenshot to show you how the form looked compared to the preview.

You can see the attachment is now shown and takes up the top part of the mail, I would prefer it be on the bottom, and this causes a different issue when NOT including attachments, as we will see below.

There is a little arrow and number for you to check your previews, and if you need to edit it, select the Continue Editing button, or if it is ok to send, click on the Send Mail Merge button.

The screenshot below is how the email looks in my Verse client, and Gmail, when I receive it.

NOTE: I need to verify what went on, but the Mail merge seems to include an auto bcc to the sender. Be nice if this was documented or stopped, because why would I want 100s of emails flooding my inbox?

Note the long line across and how the message doesn't start on top but only under that long line? That area is the attachment area.

My hope is HCL fixes this in the future because it looks like the mail got cut off or is missing something.

For a fresh Out of The Box benefit for people, I like it and hope to use it in my marketing efforts.

Hope this helps you and your team that needs mail merge and thank an HCL person for listening to the customer voice.

V14 Notes, Domino, Traveler are out Now

But your Notes install may have an issue.

NOTE: This post will be updated/edited as I figure out more of what is going on. Domino install-info after the Notes client info below.

I tried installing HCL notes, only comes in 64-bit now, on 2 different machines.

The installation was on top of the existing ones.

You may want to use the NICE tool to clean up the prior install first, might save you some headache.

1st is my usual laptop, 6 months old, Windows 11 Pro which already had 1202fp2(64-bit), and while it looked ok after about 20 minutes of waiting to finish, it gave me this, with no more details. It possibly happened while uninstalling or disabling something.

And then backed out the installation.

Subsequently, what I did was extracted the installer to a new location.

Then ran the setup, RunAs admin.

And this time it worked. Thank you Marc Thomas for the hint that there may be some extraction issue and to try it this way.

So, 2 clients installed, a server with traveler installed and it took about an hour and a half including troubleshooting/retries.

The 2nd installation on my Windows Server 2019 which is a hosted VM gave me this message:

And after trying again to click ok said this:

Never had something like this happen before during an install. 

I extracted the 1202 notes client as requested to get the MSI file and then the installation continued on its way. Also takes about 20 minutes.

So the Server install completed, even after asking for the 1202 code.

Now to figure out what is wrong with my Windows 11 install.

Domino Install

If you do a custom install, like I do, you will see the options to install Nomad and Ontime and I think Verse, my screen capture did not capture, sorry.

You will also see something my beta code did not do which is confirm the Domino login name for the startup services.

You may want to be careful with that if you don't know how you are logging in because your server may not start afterward.

Time to update was between 5-10 minutes including restarting the server and updating the Directory.

Traveler is also available and installs like usual in a few minutes.

Nomad works just like it did before, so the update did not change that, but it would be nice if it told us which version it was, instead of developer code which is 1.0.9.5525-3341. How do I know if mine was even updated? Maybe 1.0.9 was what was installed, but i already was at that level.

Verse works as well. 3.2, which I had installed, need to look up what version is installed as V14.

Ontime kept my configuration, and the booking settings still work as well.

Pretty cool when you think about all the stuff HC has to verify on the Domino side given these things are now included in the installation.

SMTP BlackListing, WhiteListing and Log and Reject/Tag

If you rely on your Domino server to handle all your mail, you probably have had numerous attacks on your server over time or even lately, as I did last week.

My personal Domino server is a mix of real code, websites, and active email, with various half-coded things and weird templates or customer testing.

However, I started getting harassed by sites looking for open SMTP accounts recently and figured something was amiss in my configuration document.

The official blacklist servers worked fine, but some of these rogues were missing.

Looking at my log file, I found a few domains/IP addresses and put them into the deny access group known as the Private Blacklist Filter found in the Servers Configuration document, as shown below.

But that wasn't enough to stop them. They kept coming. 

I wondered if 12.02.FP2 had some problems, so I opened a ticket with HCL.

Turns out the problem was on my end, but I still have some questions, but first, what was the problem?

I had a default configuration document, which was fine, but I  also had a separate one for my server explicitly named a relic from a test issue.

The explicit one took over the default one, and so while I thought I was maintaining one list, I was wasting my time.

I deleted the explicit one and just focused on the default document, it is my server after all.

And all was good, sort of.

I wanted to understand why I was still getting a few spam emails.

I had set the server to Log and tag instead of Log and reject. 

Here is where the problems got worse.

I decided to block all spam and set all fields to Log and reject messages. You probably can guess what happened next.

My inbox was very clean. Very few emails came through.

I thought I would whitelist what I needed, like bank mail, and HCL support mail (not so simple, someone at HCL should look into their SMTP issues that have them on a blacklist).

Still not getting lots of mail.

Next, I looked at what else was set in the doc and saw the verify domain lookup option was set, and rightly so as this does a great job.

However, I have learned that many organizations don't have good, clean SMTP/DKIM/SPF entries, and thus, they are getting blocked.

Sadly, I had to revert back to Log and tag to interact with customers and business partners.

Customers of mine with issues were notified, as was HCL, but if you have been playing with SMTP, something else always pops up. It needs babysitting.

While my mail is more stable now, I know I lost a few entities that got the denied server message and probably will not resend anything in the future. Which is a problem as some are bills and other items of usefulness.

If you are a new Domino administrator be careful with how you edit your Configuration document.

Data Extraction Help for Rich Text Field

Preamble:

This post is being written more for my long-term memory benefit than for its genius of development.

A customer wanted to export their data from an NSF to import into Salesforce.

They thought they could just export the view.

Sure, if the view had all the data, which of course, it did not.

Thus how it ends up in my inbox.

Action:

I created a view and proceeded to add a column for each field in their form.

No problem, done this many times.

When I verified the data before giving it to them, I found it was missing one field.

For unknown reasons, one can not see rich text in a view column even when specifying the field. Oh, and you can't specify a rich text field, either.

Developer friends are shaking their heads, they understand, but us admins, we figure it should just work, right?

Work Around Solution:

UPDATED EDIT: Thomas, in the comments pointed out, rightly so, that "Rich Text items can contain not only formatted texts, but tables, images, file attachments and more. But the abstract item will only contain the unformatted text." 

In this case, my client only has some textual notes in the field, but if they had other items, you should seek a proper developers help.

This is what I did after mentioning it in the openntf.org Discord chat, where I learned about the @abstract formula.

I used Jake's blog post, from 2001, http://www.codestore.net/store.nsf/unid/DFOU-4PRG73?OpenDocument, as the guide. But that was only one part of the story, and I had to fix the code.

Jake wrote: First thing to do is to create a Computed field, of type Text, and call it something like "Abstract". The formula for this will be somthing like :

@If(@IsAvailable(name_of_the_rt_field); @Abstract( [Abbrev]; 200; ""; "name_of_the_rt_field");"" )

Jake included a * at the end of the formula. My designer client balked at it, so I removed it, and it accepted the code as shown above.

I added a field to the original form, called it Abstract, and set it to type Text and Computed field.

Then entered the formula, substituting the name of my Rich text field, where Jake wrote name_of_the_rt_field.

I also changed the 200 to 2,000, so I could get all the text in the field. 

Saved it all, refreshed my view, and ..... nothing.

2nd Part Work Around Solution:

Further Googling found that the rich text field would only show up now if it was resaved.

I tested this, and sure enough, I resaved a form and magic, the rich text was shown in my view.

Great, but, I can't re-edit all 1,500 documents, nor know even if they have anything in the rich text field without opening it, so what do I do?

I asked Bruce Lill what he uses, and he said to create an agent, with a Forumla and a target set to none.

The formula to include is @Command([ToolsRefreshSelectedDocs])

And after saving it, selected a few forms and ran the agent, and now the rich text shows up.

And I can give the client their data for importing into Salesforce.

Conclusion:

Domino developers have dealt with this for many years and created workarounds for it. Admins have just lived in pure ignorance all this time about this issue.