Applies To:
TPP 19.1 + on Ubuntu 18.04 LTS
Prerequisites:
- Create a Virtual Machine with Windows Server 2012 R2 OS and Trust Protection Platform installed
- Create a Virtual Machine with Ubuntu 18.04 LTS OS installed
- Configure your firewall to allow web traffic on port 443 and port 80
- Create an A Record entry in both host files for both VMs to resolve to the host name of each VM
- Windows: c:\windows\system32\drivers\etc\hosts (e.g. IP and host name of the Ubuntu client)
- Linux: /etc/hosts (e.g. IP and host name of the TPP server)
- You will need to create a TPP user that has an email address before installing Certbot
Steps:
Part 1.
Configure Trust Protection Platform to leverage ACME
- Install the ACME service
- Configure TPP server for ACME
NOTE: Make sure to do an IIS reset after updating the URL host name. Pay attention to what host URL you use. (e.g. https://tc-tpp191-test/acme/v1/<mynewdirectory>/directory)
Part 2.
Configure and install Certbot
- Make sure your A Records are in place on each VM.
- Place the root certificate of the Venafi Operational Certificate (VOC) in the ca-certificates directory on your Linux VM:
- Copy your CA to /usr/local/share/ca-certificates/ with the command:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
- Update the CA store:
sudo update-ca-certificates
- Run through the following article to install Certbot:
- When you request a certificate, you should have a successful result similar to this:
NOTE: If you run into an issue, first try simply registering and requesting a certificate with the command below. Otherwise, run through the troubleshooting steps below. (e.g. sudo certbot certonly --webroot -w /var/www/html --server https://<your tpp server>-test/vacme/v1/tc/directory -d <domain name>)
Troubleshoot Suggestions
- Failed authorization procedure. <host name of Linux box> (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for <host name of Linux box>
- If you run into this issue try making sure you have the correct A Record entries in your host files. Once updated, try pinging to the host name and see if you get a response.
- "WARNING: cannot verify <your tpp server's> certificate, issued by 'CN=QA Venafi CA,DC=venqa,DC=venafi,DC=com':"
- If you run into an issue, the root CA that you placed in the ca-certificates directory isn't matching the root CA from your TPP box.
- You can check whether the serial numbers match by running the following command against each certificate: openssl x509 -text -noout -in your_cert_file.crt
- To validate that the certificate is accepted, run the wget command and look for the 200 OK response code. Make sure to run the command from the Linux home directory.
NOTE: You may need to replace the root CA cert with a PEM-format certificate that uses the .crt file extension. You will need to run sudo update-ca-certificates any time a change is made to the ca-certificates directory.
- If you run into the error below, it could be caused by two issues:
- There is a discrepancy with the root CA. Go back and double check that the serial number on the root CA matches the root CA of the VOC in TPP.
- The host name in the URL does not match the host name in your Linux command/request. The image below shows an example of a mismatched request.
NOTE: You need to make sure all the certbot requests and responses use consistent host names for the client and the server.
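As an added example (not from the original article or from Venafi), the following shell script automates the two checks described above: whether the root CA file you placed in ca-certificates actually validates the chain your TPP server presents, and whether the ACME directory URL answers 200 OK over TLS under the same host name. The host name, CA file path and directory URL in the usage comment are assumptions built from the placeholders earlier on this page; replace them with your own values.

```shell
#!/bin/sh
# Added example: confirm the local root CA matches the chain the TPP server
# presents, then confirm the ACME directory answers 200 OK over TLS.
set -eu

# SHA-256 fingerprint of a PEM certificate (hash of its DER encoding).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when the two PEM files hold the same certificate.
certs_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Return 0 when the leaf ($2) chains up to the root CA file ($1).
# An optional third argument is a PEM bundle of untrusted intermediates.
verify_chain() {
    if [ "$#" -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Save every PEM block the server presents on port 443 into file $2.
fetch_server_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$2"
}

# Usage (assumed placeholder values):
#   check_tpp_ca tc-tpp191-test /usr/local/share/ca-certificates/foo.crt https://tc-tpp191-test/vacme/v1/tc/directory
check_tpp_ca() {
    host="$1"; root="$2"; dir_url="$3"
    chain=$(mktemp); leaf=$(mktemp)
    fetch_server_chain "$host" "$chain"
    # The first PEM block is the leaf; the remaining blocks are intermediates.
    awk '/BEGIN CERTIFICATE/{n++} n==1' "$chain" > "$leaf"
    if ! verify_chain "$root" "$leaf" "$chain"; then
        echo "MISMATCH: $root does not validate the chain from $host; compare serials with: openssl x509 -text -noout -in $root" >&2
        rm -f "$chain" "$leaf"; return 1
    fi
    rm -f "$chain" "$leaf"
    # A 200 OK here means both the trust store and the host name line up with the server.
    wget -S -O /dev/null "$dir_url" 2>&1 | grep -q 'HTTP/.* 200 OK'
}
```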