How To Setup Let's Encrypt For OS X / macOS + Server 5.x

Article ID = 211
Article Title = How To Setup Let's Encrypt For OS X / macOS + Server 5.x
Article Author(s) = Graham Needham (BH)
Article Created On = 23rd November 2017
Article Last Updated = 9th March 2020
Article URL = https://www.macstrategy.com/article.php?211

Article Brief Description:
How to setup and configure Let's Encrypt secure certificates with OS X / macOS and Server 5.x

WARNING: As of September 2018 Apple has gutted macOS Server and removed most/all of the useful Server features!

Instructions for installing Let's Encrypt website secure SSL certificates for OS X / macOS with websites hosted by OS X / macOS Server.
  1. Preparation
  2. Install and setup "Let's Encrypt" (Certbot) with Homebrew
  3. Create required (hidden) directories
  4. Obtain the initial domain certificate manually
  5. Manually convert the certificate for use with OS X / macOS
  6. Import the certificate into the OS X / macOS Keychain
  7. Configure your website(s) to use https
  8. Manual certificate renewal
  9. Automate certificate renewal
  10. Considerations of moving to https
  11. References

Preparation

In this article:
  • Replace all instances of "your_domain_name" with your actual Domain Name
  • Replace all instances of ".tld" with the appropriate "Top-Level Domain" code applicable to your Domain Name purchase/registration e.g. ".com"
  • This article assumes you have not moved the standard OS X / macOS Server web folders directory from its standard location at /Library/Server/Web/Data/Sites/ - if you have, you will need to replace all instances of /Library/Server/Web/Data/Sites/ with the path to your alternate location
  • the ~ character refers to your home directory i.e. usually, Macintosh HD > Users > your home directory (usually a house icon)
  • To get to hidden folders/directories in the Finder e.g. /etc/, in the Finder, go to the Go menu > Go to Folder… > enter the path to the folder/directory you want to go to e.g. "/etc/"
  • Replace "admin_password" with your actual computer administrator account password
You will need the following before you can continue with this configuration article:

Install and setup "Let's Encrypt" (Certbot) with Homebrew

To install Homebrew visit http://brew.sh then return to here. Go to Macintosh HD > Applications > Terminal > and enter the following commands:
brew update
sudo mkdir /etc/letsencrypt
sudo mkdir /var/lib/letsencrypt
sudo mkdir /var/log/letsencrypt
brew install letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
If everything went okay, you should now have the following folders:
  • ~/letsencrypt
  • /etc/letsencrypt
UPDATE 09/03/2020: From 01/06/2020 Let's Encrypt will stop supporting the old ACMEv1 protocol. You must have an ACMEv2 compatible client. If you have already installed Let's Encrypt's Certbot you can easily update it via the command:
brew upgrade certbot
If you are running an outdated version it will update. If you are running the current version it will let you know that it does not need to be updated.

Create required (hidden) directories

Using the Terminal, create two folders/directories for automated scripts:
mkdir ~/letsencrypt/my_script
mkdir ~/letsencrypt/my_script/logs
You need to create two (hidden) folders/directories in the website for each domain that you want certificates for (the path is quoted because a folder name containing spaces or an apostrophe would otherwise break the command):
sudo mkdir "/Library/Server/Web/Data/Sites/your_domain_name's website folder/.well-known/"
sudo mkdir "/Library/Server/Web/Data/Sites/your_domain_name's website folder/.well-known/acme-challenge"
Files in these folders must be publicly accessible via the normal internet. To test this put a quick and dirty html file named "test.html" in each of the folders then make sure you can access them via a browser at:
  • http://www.your_domain_name.tld/.well-known/test.html
  • http://www.your_domain_name.tld/.well-known/acme-challenge/test.html

Obtain the initial domain certificate manually

Using the Terminal, enter the following command:
NOTE: As wildcard certificates are not available yet, you can add multiple, additional sub-domain certificates with "-d additional.your_domain_name.tld" on the end of the command below e.g. "-d mail.your_domain_name.tld"
UPDATE 19/03/2018: Let's Encrypt - ACME v2 and Wildcard Certificate Support is Live
sudo certbot certonly --webroot -w "/Library/Server/Web/Data/Sites/your_domain_name's website folder" -d your_domain_name.tld -d www.your_domain_name.tld
Follow the on-screen instructions. If successful your certificate (a "cert.pem" file) will appear in /etc/letsencrypt/live/your_domain_name.tld/

Manually convert the certificate for use with OS X / macOS

Using the Terminal, enter the following command:
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/your_domain_name.tld/privkey.pem -in /etc/letsencrypt/live/your_domain_name.tld/cert.pem -certfile /etc/letsencrypt/live/your_domain_name.tld/fullchain.pem -out /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -passout pass:"admin_password"

Import the certificate into the OS X / macOS Keychain

Using the Terminal, enter the following command:
sudo security import /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P "admin_password" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
Check the certificate has been installed successfully (into the OS X / macOS Keychain) by going to Server app > Certificates - you should see the certificate for your domain listed as Issuer: "Let's Encrypt Authority X3". Quit and relaunch the Server application if it was open while you were doing the above.

Configure your website(s) to use https

Open the Server application and for each website:
  1. Click on "Websites" on the left
  2. Make sure the domain already has a non-secure website entry using port 80 - do not delete this or edit this to be a secure entry
  3. Create a new website entry for the website and set:
    • 'Domain name' to "your_domain_name.tld"
    • 'SSL Certificate' to the one you just installed i.e. "your_domain_name.tld - Let’s Encrypt Authority X3" and check that the port number automatically changes to "443"
    • 'Store Site Files In' to the directory for your website files
    • Click the "Edit…" button to the right of 'Additional Domains' and add "www.your_domain_name.tld"
    • Click the "Edit…" button to the right of 'Index Files' and set accordingly
    • Click "OK" to return to the main Websites list window
  4. Optional - update the domain's non-secure website entry with a redirect so that all web page accesses go to https:
    • Edit the non-secure website entry
    • Click the "Edit…" button to the right of 'Redirects'
    • Set 'Source' to "/" (everything)
    • Set 'Destination' to "https://www.your_domain_name.tld/" with status "permanent 301" (redirection)
    • Click "OK"
    • Click "OK" to return to the main Websites list window
  5. NOTE: See also the considerations of moving to https section below for some important implications of moving your web site to https.

Manual certificate renewal

Using the Terminal, enter the following command:
NOTE: As wildcard certificates are not available yet, you can add multiple, additional sub-domain certificates with "-d additional.your_domain_name.tld" on the end of the command below e.g. "-d mail.your_domain_name.tld". This should be the same as the initial certificate but if they are different you should get a special "update configuration" prompt when doing the following command.
UPDATE 19/03/2018: Let's Encrypt - ACME v2 and Wildcard Certificate Support is Live
sudo certbot certonly --webroot -w "/Library/Server/Web/Data/Sites/your_domain_name's website folder" -n -d your_domain_name.tld -d www.your_domain_name.tld
Follow the on-screen instructions. If successful your certificate (a "cert.pem" file) will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date

Automate certificate renewal

Using the Terminal, enter the following command and note the output result:
echo $PATH
For each domain/website, create a command text file using your favourite text editor e.g. BBEdit in ~/letsencrypt/my_script:

#!/bin/sh

DOMAIN_DEFAULT="your_domain_name.tld"
WEBROOT="/Library/Server/Web/Data/Sites/your_domain_name's website folder"
PEM_FOLDER="/etc/letsencrypt/live/${DOMAIN_DEFAULT}/"
LOG_FOLDER="/Users/replace_with_your_home_directory_name/letsencrypt/my_script/logs"
DATE=$(date +"%d-%m-%y")
LOG_FILE="${LOG_FOLDER}/${DATE}.log"
# Paste the result of the "echo $PATH" command performed above between the single quotes
PATH='replace_with_result_of_echo_$PATH_command_performed_above'

# Retrieve (renew) the certificate; certbot's output is appended to today's log file
sudo certbot certonly --webroot -w "${WEBROOT}" -n -d "${DOMAIN_DEFAULT}" -d "www.${DOMAIN_DEFAULT}" >> "${LOG_FILE}" 2>&1

# Check that everything went fine
LE_STATUS=$?

if [ "$LE_STATUS" -ne 0 ]; then
    echo "Automated Get certificate failed:"
    cat "${LOG_FILE}"
    exit 1
fi

# Generate a passphrase for the p12 file
PASS=$(openssl rand -base64 45 | tr -d '/=+' | cut -c -30)

# Transform the pem files into an OS X / macOS valid p12 file
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"

# Import the p12 file into the OS X / macOS keychain
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "${PASS}" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

Use a launchd editor e.g. Lingon X to add a launchd automated task, running as root, to run the script you just created and pick a regular day and/or time. For example to trigger your automated certificate renewal script to run every Tuesday at 08:00:
  • Create a new task
  • TICK "Enabled"
  • Set 'User' to "root"
  • Name = "com.your_domain_name.cert_renewal_tuesday.plist"
  • Run = "/Users/replace_with_your_home_directory_name/letsencrypt/my_script/cert_renewal_your_domain_name_tuesday.sh"
  • NOTE: The .sh filename should match the name of the script you created above.
  • When tab > TICK "Scheduled"
  • Set schedule to "Day of week" + "Tuesday" + "08:00"
  • Click "Save"
To test it works, select it and click the "Test" button - if there are no error messages you can check the script has run correctly by checking:
  • A new, converted certificate titled "letsencrypt_sslcert.p12" will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date.
  • If (and only if) the certificate has been renewed a new, updated certificate titled "cert.pem" will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date.
  • If (and only if) the certificate has been renewed a new, updated certificate will have been imported successfully into the OS X / macOS Keychain - go to the Server application > Certificates - you should see the new certificate for your domain listed as Issuer: "Let's Encrypt Authority X3" and an updated "Expiration Date". Quit and relaunch the Server application if it was open while you were doing the above.
  • Old certificates will still show in the Server application - you can manually delete them and services should automatically switch over to using the renewed/new certificate.
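The automated script above rebuilds the .p12 and re-imports it on every run, whether or not certbot actually issued a new certificate. The following is an added example (not the article's script and not part of certbot) of a tighter variant: a certbot deploy hook, run with "certbot renew --deploy-hook /path/to/this/file", which only converts and imports when cert.pem has changed since the last import, passes the one-time passphrase to openssl through the environment instead of on the command line, deletes the .p12 once it is in the keychain, and writes a dated log line. It relies on certbot's --deploy-hook option and the RENEWED_LINEAGE variable certbot exports to the hook (both certbot features); the state file name .last_imported_cert.pem, the log path and the function names are choices made here, and it assumes openssl and the macOS security tool are on the PATH and that launchd runs it as root.

```shell
#!/bin/sh
# Added example (not the article's script): certbot deploy hook for macOS Server.
# Assumptions (not from the article): certbot supports --deploy-hook and sets
# RENEWED_LINEAGE for the hook; openssl and the macOS "security" tool are on
# PATH; launchd runs "certbot renew --deploy-hook <this file>" as root.
# The state file .last_imported_cert.pem and LOG_FILE default are chosen here.
set -u

LOG_FILE="${LOG_FILE:-/var/log/letsencrypt/deploy_hook.log}"
SERVERMGRD="/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd"

# Append a timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# cert_changed CERT RECORD: exit 0 when CERT differs from the copy saved at
# RECORD (or no record exists yet), 1 when they are identical, 2 when CERT
# is missing.
cert_changed() {
    if [ ! -f "$1" ]; then
        return 2
    fi
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    return 0
}

# record_import CERT RECORD: remember CERT as the last certificate imported.
record_import() {
    cp "$1" "$2" && chmod 600 "$2"
}

# convert_and_import LIVE_DIR: build the .p12 and import it into the System
# keychain, letting servermgrd use the private key (as the article's command does).
convert_and_import() {
    live="$1"
    p12="${live}/letsencrypt_sslcert.p12"
    # One-time passphrase, handed to openssl via the environment ("env:")
    # rather than a "pass:" argument so it is not visible in `ps` output.
    P12_PASS=$(openssl rand -base64 45 | tr -d '/=+' | cut -c -30)
    export P12_PASS
    openssl pkcs12 -export -inkey "${live}/privkey.pem" -in "${live}/cert.pem" \
        -certfile "${live}/fullchain.pem" -out "$p12" -passout env:P12_PASS || return 1
    chmod 600 "$p12"
    # security(1) only accepts the passphrase as an argument; the exposure is
    # brief and the .p12 is deleted as soon as the import returns.
    security import "$p12" -f pkcs12 -k /Library/Keychains/System.keychain \
        -P "$P12_PASS" -T "$SERVERMGRD"
    status=$?
    rm -f "$p12"
    unset P12_PASS
    return $status
}

# deploy_hook LIVE_DIR: the work to do after certbot reports a renewal.
deploy_hook() {
    live="$1"
    record="${live}/.last_imported_cert.pem"
    cert_changed "${live}/cert.pem" "$record"
    case $? in
        1) log "unchanged certificate in $live, nothing to import"; return 0 ;;
        2) log "no cert.pem in $live"; return 1 ;;
    esac
    if convert_and_import "$live"; then
        record_import "${live}/cert.pem" "$record"
        log "imported renewed certificate from $live"
        return 0
    fi
    log "conversion or keychain import failed for $live"
    return 1
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/your_domain_name.tld)
# when it runs this file as a deploy hook. Run any other way, the file only
# defines the functions above so they can be exercised without certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" || exit 1
fi
```

Because certbot only runs a deploy hook after a successful renewal, the script is not invoked at all on the days when nothing was due, and the cmp-based check guards against a manual re-run importing the same certificate twice.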

Considerations of moving to https

References

The following pages were extremely useful in compiling this set of instructions:

Article Keywords: OS X OSX 1010 1011 macOS 1012 1013 1014 Yosemite El Capitan Sierra High Sierra Mojave Server 4 5 internet web email SMTP POP PO3 IMAP secure SSL certificate free domain domains name names plist cron job cronjob launchd automate automatic regular renew Let's Encrypt letsencrypt certbot

This article is © MacStrategy » a trading name of Burning Helix. As an Amazon Associate, employees of MacStrategy's holding company (Burning Helix sro) may earn from qualifying purchases. Apple, the Apple logo, and Mac are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc.

