HCL Domino 12 and ACME TLS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.suminet.com

I ran this command:
Used the HCL Domino 12 certlog.nsf database, accepted the terms of use, and completed the TLS credentials document.

It produced this output: I received the following message: Cannot verify challenge on server - Check HTTP port 80 inbound connection!
Failed to write one or more challenge(s)

However, when I run a test through the debug, I receive this: All OK: No issues were found with mail.suminet.com

My web server is (include version): HCL Domino 12

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: Network Solutions

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello @ChrisVA, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates crt.sh | suminet.com; none of them seem to be from Let's Encrypt.

Of the Challenge Types - Let's Encrypt the DNS-01 challenge does not need Port 80 access.
That being said, the online tool Let's Debug yields a result of OK (meaning it was successful): https://letsdebug.net/mail.suminet.com/1772545

1 Like

@ChrisVA

You also likely have one or more firewalls filtering Ports 443, 465, and 587.

$ nmap -Pn -p80,443,465,587 mail.suminet.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-17 00:21 UTC
Nmap scan report for mail.suminet.com (199.119.13.2)
Host is up (0.087s latency).

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
465/tcp filtered smtps
587/tcp filtered submission

Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds
1 Like

What about port 25?
LOL

1 Like

Hi @ChrisVA,

Looks like Port 443 has been unfiltered and open

$ nmap -Pn -p25,80,443,465,587 mail.suminet.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-18 21:39 UTC
Nmap scan report for mail.suminet.com (199.119.13.2)
Host is up (0.086s latency).

PORT    STATE    SERVICE
25/tcp  filtered smtp
80/tcp  open     http
443/tcp open     https
465/tcp filtered smtps
587/tcp filtered submission

Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds

Did that solve your issue?

1 Like

Unfortunately no

Hi @ChrisVA,

You stated:

Yet I see on Port 80 Server: Microsoft-HTTPAPI/2.0

$ curl -Ii http://mail.suminet.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Content-Length: 315
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 20 Jan 2024 19:02:11 GMT
Connection: close
1 Like

However on Port 443 HTTPS I see Server: Lotus-Domino

$ curl -k -Ii https://mail.suminet.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Sat, 20 Jan 2024 19:03:28 GMT
Content-Type: text/html
Content-Length: 21
Strict-Transport-Security: max-age=0
1 Like

That's 2 different Servers, I bet you want just 1 Server for both Port 80 & 443.

1 Like

This looks like a config issue for HCL Domino. The error message on the panel is not very helpful. It is not a specific error from Let's Encrypt Servers. It could mean several things.

Have you tried contacting their support directly? Or even their community forum? Either of those will know more about its configuration requirements than we do.

3 Likes

Ok, you were correct. I was provided with a notes.ini setting that needed to be added. However, now we are getting this failure. My network team is asking; any advice that you can provide would be greatly appreciated!

199.119.13.2: Invalid response from http://mail.suminet.com/.well-known/acme-challenge/aI-d1RfqU7KLWNbMfRElrZ5NqljZWstfTTRPKEzD4MY: 404 (invalid)

The 404 is an HTTP 404 Not Found error. It means the Let's Encrypt server requested the auth token with that HTTP request but your server responded with a not found.

More detail ... in an HTTP Challenge, the ACME Client (Domino here) places a token on the server (often in a file but could be memory). It signals the ACME Server (Let's Encrypt here) to validate that token and issue the cert. The error you see is from the LE Server saying the validation failed with the not found.

I don't know how Domino manages port 80 requests and these tokens. Generally, a 404 indicates the ACME Client and its local server are not coordinated. Maybe the client not using the correct listening method. Or, client placing the token in the wrong folder. These are very general examples among many other possibilities.

Domino provide their expected flows here:

3 Likes
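The mechanism described in the reply above (client places a token, the validator fetches it over plain HTTP on port 80, a 404 means the listener and the ACME client are not coordinated) can be reproduced locally. The following is an added example, not code from the thread, from HCL Domino or from Let's Encrypt: it builds the RFC 8555 key authorization for a token, runs a tiny loopback HTTP-01 responder that serves files from a webroot, and probes it the way a validator would, classifying the three outcomes seen in practice: correct answer, 404 (token written where the port-80 listener does not look), and a 200 with a stale body (token written with a previous account key). The account key coordinates, token strings and directory names are all constructed placeholders.

```python
"""Added example: minimal HTTP-01 challenge responder plus a validator-side
self-check. Not HCL Domino's or Let's Encrypt's code; all sample values are
constructed placeholders."""
import base64
import hashlib
import http.server
import json
import os
import tempfile
import threading
import urllib.request
from urllib.error import HTTPError

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, in
    lexicographic order, no whitespace, base64url without padding."""
    canonical = json.dumps({k: jwk[k] for k in sorted(jwk)}, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the web server must return for a token."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def place_token(webroot: str, token: str, jwk: dict) -> str:
    """What the ACME client does: write the key authorization where the
    port-80 listener is expected to serve it from. Returns the file path."""
    path = os.path.join(webroot, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serves only /.well-known/acme-challenge/<token> from `webroot`; anything
    else is 404, which is what a listener that knows nothing about ACME returns."""
    webroot = ""

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            return self._reply(404, b"not found")
        token = self.path[len(CHALLENGE_PREFIX):]
        # a token is a single path component; never let a request walk outside webroot
        if not token or token != os.path.basename(token) or token.startswith("."):
            return self._reply(404, b"not found")
        path = os.path.join(self.webroot, token)
        if not os.path.isfile(path):
            return self._reply(404, b"not found")
        with open(path, "rb") as fh:
            self._reply(200, fh.read(), "application/octet-stream")

    def _reply(self, status: int, body: bytes, ctype: str = "text/plain") -> None:
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_responder(webroot: str):
    """Start the responder on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (ChallengeHandler,), {"webroot": webroot})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(base_url: str, token: str, expected: str) -> dict:
    """Validator's view: fetch the token over plain HTTP and classify the result.
    The Server header is kept so a mismatch between ports 80 and 443 is visible."""
    url = base_url + CHALLENGE_PREFIX + token
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            status, server = resp.status, resp.headers.get("Server", "")
            body = resp.read().decode("ascii", "replace")
    except HTTPError as err:
        status, server, body = err.code, err.headers.get("Server", ""), ""
    if status == 404:
        verdict = "404: listener on port 80 does not serve the token the client placed"
    elif status != 200:
        verdict = f"unexpected status {status}"
    elif body.strip() != expected:
        verdict = "200 but wrong body: key authorization does not match the account key"
    else:
        verdict = "ok"
    return {"status": status, "server": server, "verdict": verdict}


def run_demo() -> dict:
    """Constructed scenario: one token placed correctly, one written to a directory
    the responder never reads, one written with a previous (rotated) account key."""
    jwk = {"kty": "EC", "crv": "P-256",            # constructed placeholder key
           "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
    old_jwk = dict(jwk, x="constructed-previous-x-coordinate")
    tokens = {"good": "tok-constructed-good", "missing": "tok-constructed-missing",
              "stale": "tok-constructed-stale"}
    served_root, other_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    place_token(served_root, tokens["good"], jwk)
    place_token(other_root, tokens["missing"], jwk)   # wrong folder, as in the thread
    place_token(served_root, tokens["stale"], old_jwk)
    srv, base = start_responder(served_root)
    try:
        return {name: probe(base, tok, key_authorization(tok, jwk))["verdict"]
                for name, tok in tokens.items()}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Against a real host the same probe would be pointed at port 80 of the public name, with `expected` taken from the client's own challenge record; a 404 carrying a Server header that is not the ACME client's web server is the same symptom the thread shows for port 80 versus 443.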

Don't know if I have thanked you! We finally got it figured out. It was a firewall issue. We are up and running!

5 Likes
