Parameter:
LogPrintCertChainErrorsShort description: Logs detailed errors when building the certificate chain – ideal for diagnosing TLS trust issues with
certmgr / Internet Sites.Profile
Parameter | LogPrintCertChainErrors |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off (default), 1 = log detailed cert chain errors |
Description
During the TLS handshake, Domino validates the certificate chain presented by the peer against its own trust store. If that fails, the standard error message is often very terse (“certificate chain validation failed”).
LogPrintCertChainErrors=1 adds detailed diagnostic output – including subject / issuer of each certificate, the reason for the validation result (expired, self-signed, missing CA, wrong hostname), and the affected connection context. Very helpful for certmgr / Let's Encrypt diagnostics and SMTP / SAML integrations.Example configuration
LogPrintCertChainErrors=1
Notes & pitfalls
- Logs can grow large with many TLS errors – disable again after diagnostics.
- Takes effect after a server restart or after a restart of the consuming tasks (HTTP, SMTP, etc.).
- Pairs with
SSL_LogLevel/DebugSSLHandshakefor deeper TLS debugging.
- Also helpful when, after
tell certmgr renew, the HTTP task does not pick up the new certificates.