CertMgr_MaxRedirHTTPChallenge

Parameter: CertMgr_MaxRedirHTTPChallenge
Short description: Maximum number of HTTP redirects that CertMgr follows when verifying an ACME HTTP-01 challenge. Default 5. 0 disables following redirects.

Profile

Parameter
CertMgr_MaxRedirHTTPChallenge
Category
Security / TLS (Certificate Manager / ACME HTTP-01)
Available since
At least 12.0.1 — documented in the HCL CertMgr maintainer presentation Domino V12.0.1 Certificate Management (Nash!Com); not listed in the HCL main documentation index
GUI equivalent
notes.ini only (no GUI)
Possible values
Integer ≥ 0 (e.g. 0, 1, 5, 10)
Default
5 redirects per request

Description

According to the HCL maintainer presentation Domino V12.0.1 Certificate Management (Nash!Com / HCL CertMgr maintainer Daniel Nashed):
Configurable Follow Redirects for Curl Requests — LibCurl requests by default do not follow redirects. ACME challenge verification in V12.0 used its own logic to follow redirects. Changed to use core LibCurl functionality to follow redirects. Default: 5 redirects per request. Notes.ini: CertMgr_MaxRedirHTTPChallenge=n (can also be set to zero).
CertMgr_MaxRedirHTTPChallenge defines the maximum number of HTTP redirects that the Certificate Manager (CertMgr) follows during its internal self-check of an ACME HTTP-01 challenge, i.e. when it verifies that the challenge URL is reachable. Background: ACME HTTP-01 requests always start on port 80; the target may then be redirected to another server, to port 443 or to another path. CertMgr follows these redirects so that its self-check yields the same result the external ACME provider will get.
In Domino 12.0, CertMgr used its own logic for following redirects; from Domino 12.0.1 onwards, CertMgr uses the standard functionality of the built-in LibCurl library. Since LibCurl does not follow redirects by default, this parameter was introduced with a default of 5 so that the previous behaviour is preserved.

Example configuration

Do not follow any redirects (strict mode):
CertMgr_MaxRedirHTTPChallenge=0
Allow more redirects (e.g. for setups with multi-stage reverse proxy):
CertMgr_MaxRedirHTTPChallenge=10

Notes & pitfalls

  • Introduced in Domino 12.0.1. Not available in Domino 12.0 (which used its own redirect logic with fixed depth).
  • Applies only to the self-check of the ACME HTTP-01 challenge — the ACME protocol communication itself never follows redirects (per the Nash!Com presentation: ACME communication does not allow redirects by default).
  • Related parameters: CertMgr_NoVerifyHTTPChallenge=1 (skip self-check entirely) and CertMgr_MaxRedirDNSProvide=n (redirects for DNS-TXT provider calls; default 0 there).
  • High values (≫ 10) can mask redirect loops — better to consolidate the redirect configuration in the upstream reverse proxy / load balancer.
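The following is an added example, not HCL or Nash!Com code: it models the self-check described above (start on port 80, follow at most n redirects, 0 = none) so an admin can test a redirect chain with a given limit before CertMgr runs against it. Host names and responses in SAMPLE are constructed; http_fetch is an assumed stand-in for CertMgr's LibCurl call.

```python
from urllib.parse import urljoin
import urllib.error
import urllib.request

REDIRECTS = (301, 302, 303, 307, 308)

def http_fetch(url):
    """Fetch one URL without auto-following; returns (status, Location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""

def verify_http01(domain, token, key_auth, max_redirects=5, fetch=http_fetch):
    """Emulate the CertMgr self-check: start on port 80, follow at most
    max_redirects hops (0 = none), stop on loops. Returns (ok, reason, hops)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    hops = [url]
    for hop in range(max_redirects + 1):
        status, location, body = fetch(url)
        if status in REDIRECTS and location:
            if hop == max_redirects:
                return False, f"redirect limit {max_redirects} exceeded at {url}", hops
            url = urljoin(url, location)  # relative Location headers are allowed
            if url in hops:
                return False, f"redirect loop back to {url}", hops
            hops.append(url)
            continue
        if status == 200 and body.strip() == key_auth:
            return True, "key authorization served", hops
        return False, f"HTTP {status} at {url}", hops

# Constructed responses (hypothetical hosts) standing in for a live web server:
# port 80 -> HTTPS -> rewritten path, plus a two-hop redirect loop.
SAMPLE = {
    "http://example.test/.well-known/acme-challenge/tok": (301, "https://example.test/.well-known/acme-challenge/tok", ""),
    "https://example.test/.well-known/acme-challenge/tok": (302, "/acme/tok", ""),
    "https://example.test/acme/tok": (200, None, "tok.thumbprint\n"),
    "http://loop.test/.well-known/acme-challenge/tok": (302, "/bounce", ""),
    "http://loop.test/bounce": (302, "/.well-known/acme-challenge/tok", ""),
}

def fake_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for limit in (5, 1, 0):  # same chain under CertMgr_MaxRedirHTTPChallenge=5, 1, 0
        print(limit, verify_http01("example.test", "tok", "tok.thumbprint", limit, fake_fetch))
    print(verify_http01("loop.test", "tok", "tok.thumbprint", 5, fake_fetch))
```

Against a real server, call verify_http01 with the default fetch and the key authorization string the ACME client expects to be served.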

Sources