Parameter: CertMgr_NoVerifyHTTPChallenge
Short description: Disables the internal HTTP-01 challenge verification by CertMgr before confirming in the ACME flow. Useful when the server cannot reach the challenge internally but the ACME provider can verify it externally.
Profile
| Parameter | CertMgr_NoVerifyHTTPChallenge |
| Category | Security / TLS (Certificate Manager / ACME HTTP-01) |
| Available since | At least 12.0.1 (HCL documentation — GitHub troubleshooting & KB article) |
| GUI equivalent | notes.ini only — in Domino 12.0 only available via CLI option -g (e.g. load certmgr -g) |
| Possible values | 0 (default, verification active) or 1 (internal verification disabled) |
| Default | 0 (verification active) |
Description
According to the HCL product documentation (GitHub repository domino-cert-manager, Troubleshooting ACME HTTP-01 challenges):
By default CertMgr verifies the HTTP-01 challenge before confirming the HTTP-01 in the ACME protocol flow. … In case your Domino server cannot resolve the hostname(s) in the certificate requested or you have no HTTP connection to your server from the CertMgr server, you can disable the verification step. … Domino V12.0.1 introduces a new notes.ini parameter CertMgr_NoVerifyHTTPChallenge=1 to disable the verification step.
and according to HCL KB article KB0100248 (Errors occur when renewing certificates using Let's Encrypt):
If there are connectivity errors, place the parameter CertMgr_NoVerifyHTTPChallenge=1 in the server notes.ini which disables the verification step.
With CertMgr_NoVerifyHTTPChallenge=1, the Certificate Manager (CertMgr) skips its own local self-check, in which it resolves the host name(s) of the requested certificate and fetches the ACME HTTP-01 challenge from them over HTTP on port 80. By default, CertMgr performs this check before confirming the challenge in the ACME protocol flow, to make sure the challenge data stored in certstore.nsf is actually being served before the ACME provider starts its external verification. In certain network configurations (internal vs. external DNS resolution, split-horizon DNS, geo-fencing, asymmetric routing) this internal self-check can fail even though the ACME provider can retrieve the challenge from the outside without problems. The parameter is intended for exactly these cases.
Example configuration
CertMgr_NoVerifyHTTPChallenge=1
In Domino 12.0 (before the notes.ini parameter was introduced), the equivalent on the console is:
load certmgr -g
Notes & pitfalls
- Introduced in Domino 12.0.1. In Domino 12.0 only available via CLI option -g.
- Should only be set if the self-check actually fails — otherwise the additional check is valuable because it surfaces problems before the ACME verify run (rate-limit friendly).
- Before setting it, check alternative solutions: set HTTPPUBLICURLS=/.well-known/acme-challenge/*, fix DNS resolution of your own host name, add a hosts file entry, check IPv6/IPv4 consistency.
- Applies only to ACME HTTP-01 challenges — ACME DNS-01 is not affected by this.
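Before disabling the self-check it helps to know which of its stages is failing (name resolution, HTTP reachability on port 80, or the served challenge content), because only the first two are what the parameter is meant to work around. The following script is an added example, not HCL code: it re-creates the kind of pre-check described above so an administrator can run it from the CertMgr server and see where it stops. The exact request CertMgr sends is not documented on this page, so the script assumes a plain HTTP GET of http://<host>:<port>/.well-known/acme-challenge/<token> whose body must equal the expected key authorization (which is what the ACME provider compares). It also includes a throw-away local server so the checker can be validated against a known-good endpoint, and a small notes.ini reader to confirm whether the parameter is currently set.

```python
"""
Stand-alone pre-check for ACME HTTP-01 reachability, modelled on the
self-check CertMgr performs before confirming a challenge.

Assumptions (added example, not HCL code): the check is a plain HTTP GET of
http://<host>:<port>/.well-known/acme-challenge/<token>, and the body must
equal the expected key authorization string.
"""
import socket
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class CheckResult:
    stage: str    # "dns", "http", "content" or "ok": where the check stopped
    ok: bool
    detail: str


def resolve_host(hostname):
    """Return the sorted set of addresses the local resolver returns for hostname.
    Raises socket.gaierror when the name does not resolve (split-horizon DNS,
    missing hosts entry, and so on)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def http01_self_check(hostname, token, key_authorization, port=80, timeout=5.0):
    """Walk the three stages at which the CertMgr-style self-check can fail."""
    try:
        addrs = resolve_host(hostname)
    except socket.gaierror as exc:
        return CheckResult("dns", False, f"cannot resolve {hostname}: {exc}")

    url = f"http://{hostname}:{port}{ACME_CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        return CheckResult("http", False, f"{url} answered HTTP {exc.code}")
    except (urllib.error.URLError, OSError) as exc:
        return CheckResult("http", False, f"cannot reach {url}: {exc}")

    if body != key_authorization:
        return CheckResult("content", False,
                           f"{url} served {body!r}, not the expected key authorization")
    return CheckResult("ok", True, f"{hostname} -> {addrs}; challenge served correctly")


def notes_ini_setting(ini_text, key="CertMgr_NoVerifyHTTPChallenge"):
    """Return the value of a notes.ini key (case-insensitive), or None if unset."""
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip().lower() == key.lower():
            return value.strip()
    return None


def serve_challenge_locally(token, key_authorization, bind="127.0.0.1", port=0):
    """Start a throw-away HTTP server that serves exactly one challenge file.
    Returns (server, bound_port); call server.shutdown() when done."""
    expected_path = ACME_CHALLENGE_PATH + token

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != expected_path:
                self.send_error(404)
                return
            body = key_authorization.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = ThreadingHTTPServer((bind, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Constructed sample values; a real token and key authorization come from the ACME order.
    token, key_auth = "demo-token", "demo-token.constructed-thumbprint"
    server, port = serve_challenge_locally(token, key_auth)
    print(http01_self_check("127.0.0.1", token, key_auth, port=port))       # stage ok
    print(http01_self_check("127.0.0.1", "other-token", key_auth, port=port))  # stage http (404)
    server.shutdown()
    sample_ini = "ServerName=demo/Acme\nCertMgr_NoVerifyHTTPChallenge=1\n"  # constructed
    print("CertMgr_NoVerifyHTTPChallenge =", notes_ini_setting(sample_ini))
```

To use it against a real server, call http01_self_check with the host name from the certificate request, the token and key authorization of the pending challenge, and the default port 80. A result in stage "dns" or "http" is the situation the parameter (or the alternatives listed above, such as HTTPPUBLICURLS or a hosts entry) addresses; a result in stage "content" means the challenge is reachable but the wrong data is served, which disabling the verification will not fix.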
Sources (HCL Product Documentation)
- HCL Domino – Troubleshooting ACME HTTP-01 challenges (official HCL Software repository): github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/docs/troubleshooting_acme_challenges.md
- HCL Software Support – KB0100248 Errors occur when renewing certificates using Let's Encrypt: support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0100248
- HCL Domino 14.5.1 – CertMgr notes.ini settings (overview): help.hcl-software.com/domino/14.5.1/admin/secu_le_notesini_settings.html