Getting Certbot on RedHat Linux to work with Venafi TPP

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

an internal domain named Silver.com

I ran this command:

sudo certbot certonly --apache --server https://CIWAPPXD1390.Silver.com/vacme/v2/acme/directory -d cvlappxd30839.silver.com --key-type rsa --no-verify-ssl --email ved_admin@silver.com
It produced this output:

My web server is (include version):
Apache Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built: Jan 31 2023 12:55:09

The operating system my web server runs on is (include version):
[m21686a@silver.com@cvlappxd30839 ~]$ grep '^VERSION' /etc/os-release
VERSION="8.7 (Ootpa)"
VERSION_ID="8.7"

My hosting provider, if applicable, is:
Venafi TPP

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.22.0

somehow the wrong Certbot client got installed

Hi @CbbLEuser, and welcome to the LE community forum :slight_smile:

What is shown by?:
certbot certificates

What is shown by Venafi?

3 Likes

That's not a lot of output!

Unfortunately, you didn't mention how you installed Certbot at all.

Also, do you actually own silver.com? If not, why would you use a publicly registered domain name owned by someone else for your own internal purposes? Just curious.

4 Likes

They also didn't mention why they think that is

It's definitely not from snap...
But that isn't enough, for me, to say that it is "wrong" in any way.

2 Likes

I'm guessing they find it too old? Which is true. But that's just a guess..

3 Likes

I think your Red Hat system is configured to use EPEL packages and they only offer certbot 1.22:

https://dl.fedoraproject.org/pub/epel/8/Everything/SRPMS/Packages/c/

You could look into using snap instead, or perhaps try acme.sh or another client.

Alternatively you can use a client on a different machine and deploy your certificate with a script over ssh/sftp.

As an aside, I'd be keen to get Venafi TPP working with Certify The Web (or at least test it), if you have a contact at Venafi as mentioned on the win-acme discussion for the same topic. CTW can also do remote deployment and scripting over SSH if required.

3 Likes
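As an added example (not from any post in this thread), here is a small POSIX sh helper for the situation described above: it classifies where a `certbot` binary on PATH comes from (snap, the EPEL rpm, or a pip/manual install, based on well-known install locations, which is a heuristic) and checks whether the text printed by `certbot --version` meets a minimum version such as 2.5. Function names and the location mapping are my own assumptions, not part of certbot.

```shell
#!/bin/sh
# Added example, not from the thread: figure out which certbot is installed
# and whether it is new enough. Both helper functions take their input as
# arguments so they can be exercised on constructed strings without certbot.

# certbot_source PATH -> prints snap | rpm | pip-or-manual | unknown
# Heuristic: the snap ships under /snap/bin, the EPEL rpm under /usr/bin,
# pip and manual installs usually land in /usr/local/bin, ~/.local/bin or a venv.
certbot_source() {
  case "$1" in
    /snap/bin/*) echo snap ;;
    /usr/bin/*|/bin/*) echo rpm ;;
    /usr/local/bin/*|*/.local/bin/*|*/venv/*) echo pip-or-manual ;;
    *) echo unknown ;;
  esac
}

# certbot_version_ok "VERSION_OUTPUT" MIN_MAJOR MIN_MINOR
# VERSION_OUTPUT is the line printed by `certbot --version`, e.g. "certbot 1.22.0".
# Returns 0 if the version is >= MIN_MAJOR.MIN_MINOR, 1 if older, 2 if unparsable.
certbot_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p')
  [ -n "$ver" ] || return 2
  major=${ver%%.*}
  case "$ver" in
    *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
    *)   minor=0 ;;
  esac
  [ "$major" -gt "$2" ] && return 0
  [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ] && return 0
  return 1
}

# Live check on the current host; only meaningful where certbot is installed.
# Older certbot releases print the version to stderr, hence 2>&1.
report_installed_certbot() {
  bin=$(command -v certbot 2>/dev/null) || { echo "certbot not found on PATH"; return 1; }
  echo "binary: $bin (source: $(certbot_source "$bin"))"
  out=$(certbot --version 2>&1)
  echo "version output: $out"
  if certbot_version_ok "$out" 2 5; then
    echo "version is at least 2.5"
  else
    echo "version is older than 2.5 (EPEL 8 ships 1.22)"
  fi
}
```

Run `report_installed_certbot` on the RHEL host to see at a glance whether the binary on PATH is the EPEL rpm or the snap; if both are installed, PATH order decides which one `sudo certbot` actually runs, so check `command -v certbot` as root too.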

Thanks.

I was able to get Certbot 1.22 to work successfully with Venafi from my RedHat Linux host and Venafi issued the digital cert and it looked good in Venafi.

No Common Name in the Subject, just the SANs, which is because certbot creates the CSR that way.

So yes I will upgrade/replace certbot 1.22 with the 2.5 version.

I am working on using Snap and ran into an issue.

Yes I had a ticket open with Venafi while I was trying to get this working.

They support:

Linux: Certbot

Windows: Certbot, WIN ACME

I also got certbot to work with my Windows Server, but not WIN ACME. Venafi says I have to upgrade Venafi TPP to 22.4 from my current version to support WIN ACME.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.