How To: Set up TPP to Use ACME with Certbot

Applies To: 

TPP 19.1 + on Ubuntu 18.04 LTS


  • Create a Virtual Machine with Windows Server 2012 R2 OS and Trust Protection Platform installed
  • Create a Virtual Machine with Ubuntu 18.04 LTS OS installed
  • Configure your firewall to allow web traffic on port 443 and port 80
  • Create an A Record entry in both host files for both VMs to resolve to the host name of each VM 
    • Windows: c:\windows\system32\drivers\etc\hosts (e.g. Ip and hostname of the ubuntu client)
    • Linux: /etc/hosts (e.g. Ip and hostname of the TPP server)
  • Will need to create a TPP user that has an email address prior to installation of Certbot


Part 1. 

Configure Trust Protection Platform to leverage ACME

  1. Install the ACME service
    1. Installing the ACME ServiceWebAdmin.php
  2. Configure TPP server for ACME
    1. Enabling and configuring ACME using Aperture

NOTE: Make sure to do an IIS reset after updating the URL host name. Pay attention to what host URL you use. (e.g. https://tc-tpp191-test/acme/v1/<mynewdirectory>/directory)


Part 2. 

Configure and install Certbot

  1. Make sure your A Records are in place on each VM. 
  2. Place the root certificate of the Venafi Operational Certificate (VOC) in the ca-certificates directory on your Linux VM:
    1. Copy your CA to  /usr/local/share/ca-certificates/
    2. Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
    3. Update the CA store: sudo update-ca-certificates
  3. Run through the follow article to install Certbot:
  4. When you request a certificate, you should have a successful result similar to this: image__1_.png

NOTE: If you run into an issue try simply registering and attempting to request a certificate with the command below. Other wise, run through the troubleshooting steps below. (e.g. sudo certbot certonly --webroot -w /var/www/html --server https://<your tpp server>-test/vacme/v1/tc/directory -d <domain name>)

Troubleshoot Suggestions 

  • Failed authorization procedure. <host name of Liunx box> (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for <host name of Liunx box>
    • If you run into this issue try making sure you have the correct A Record entries in your host files. Once updated, try pinging to the host name and see if you get a response. 
  • "WARNING: cannot verify <your tpp server's> certificate, issued by ‘CN=QA Venafi CA,DC=venqa,DC=venafi,DC=com’: 
    • If you run into an issue, the root CA that you placed in the ca-certificates directory isn't matching the root CA from your TPP box.
    • You can check if the serial numbers match by running the following command: openssl x509 -text -noout -your_cert_ file.crt
    • To validate that the certificate is accepted, run the wget command and look for the 200 OK response code. Make sure to run the command from the Linux home directory. 

NOTE: You may need to replace the root ca cert with a certificate in a PEM format with the file extension of .crt. You will need to run the < sudo update ca-certificates > command any time a change is made to that ca-certificates directory.

  • If you run into the error below, it could be caused by two issues:  mceclip0.png
    • There is a discrepancy with the root CA. Go back and double check the the serial number on the root CA matches with the root CA of the VOC in TPP. 
    • The host name URL is not matching with the host name in your Linux command/request. The image below is an example of a bad example. image.png

NOTE: You needed to make sure all the certbot requests and responses use consistent host names for the client and the server.

Additional Resources

1. Certbot Installations instructions: 
2. Updating a Root CA to a Linux server: 
Was this article helpful?
0 out of 0 found this helpful