We came across an issue with some Java code that uses the Apache HTTP client to access another resource on the same Domino server. It's basically an agent that collects stuff from other NSFs using an HTTP request.
This works perfectly as long as your server works with a custom wildcard SSL certificate from a "common" certificate authority. However, when you are using the Let's Encrypt certificate that you get using Domino's CertMgr, your code may stop working as the HTTP request will fail with an error like this:
This is because the XSP/HTTP stack is not aware of the Let's Encrypt CA. There is a solution to make it available.
You need to download the root certificate from Let's Encrypt's website: https://letsencrypt.org/certificates/
I selected the "Active ISRG Root X1" type, "cross signed", file type "der".
Next, have the cert.id of your Domino environment ready to use, along with its password. The rest is straightforward.
In your Domino directory, navigate to Configuration, Security, Certificates. In the Notes menu, choose Actions, Import Internet Certificates. Select the der-file you downloaded. You may have to select the der file type in the file dialog.
In the upcoming dialog, review the certificate information and just click "Accept All". The certificate can be found in the view under Internet Certifiers, US, Internet Security Research Group, ISRG Root X1, R3/Let's Encrypt/US.
I have also seen the imported certificate under Internet Certifiers, Digital Signature Trust Co., DST Root CA X3, ISRG Root X1/...
Now, select this document in the view and click Actions, Create Cross Certificate. The following dialogs ask you to define the server and the Domino certificate to which you want to cross-certify the Let's Encrypt one.
After the cross-certificate is created, you can find it in the view under Internet Cross Certificates, <YourDominoCert>, R3/Let's Encrypt/US.
Finally, restart your HTTP task and enjoy your code working again.