How To Setup Let's Encrypt For OS X / macOS + Server 5.x
Article ID = 211Article Title = How To Setup Let's Encrypt For OS X / macOS + Server 5.x
Article Author(s) = Graham Needham (BH)
Article Created On = 23rd November 2017
Article Last Updated = 9th March 2020
Article URL = https://www.macstrategy.com/article.php?211
Article Brief Description:
How to setup and configure Let's Encrypt secure certificates with OS X / macOS and Server 5.x
How To Setup Let's Encrypt For OS X / macOS + Server 5.x
WARNING: As of September 2018 Apple has gutted macOS Server and removed most/all of the useful Server features!Instructions for installing Let's Encrypt website secure SSL certificates for OS X / macOS with websites hosted by OS X / macOS Server.
- Preparation
- Install and setup "Let's Encrypt" (Certbot) with Homebrew
- Create required (hidden) directories
- Obtain the initial domain certificate manually
- Manually convert the certificate for use with OS X / macOS
- Import the certificate into the OS X / macOS Keychain
- Configure your website(s) to use https
- Manual certificate renewal
- Automate certificate renewal
- Considerations of moving to https
- References
Preparation
In this article:- Replace all instances of "your_domain_name" with your actual Domain Name
- Replace all instances of ".tld" with the appropriate |Top-Level Domain" code applicable to your Domain Name purchase/registration e.g. ".com"
- This article assumes you have not moved the standard OS X / macOS Server web folders directory from it's standard location at /Library/Server/Web/Data/Sites/ - if you have you will need to replace all instances of /Library/Server/Web/Data/Sites/ with the path to your alternate location
- the ~ character refers to your home directory i.e. usually, Macintosh HD > Users > your home directory (usually a house icon)
- To get to hidden folders/directories in the Finder e.g. /etc/, in the Finder, go to the Go menu > Go to Folder… > enter the path to the folder/directory you want to go to e.g. "/etc/"
- Replace "admin_password" with your actual computer administrator account password
- Basic skills at using the Terminal command line - iMore has a good introduction to it here
- A decent text editor that is better than TextEdit e.g. BBEdit (US$49.99)
- A launchd plist editor e.g. Lingon X (US$10.99)
- Apple Mac computer running OS X 10.10 or later:
- macOS 10.15 Catalina Frequently Asked Questions (FAQ)
- macOS 10.14 Mojave Frequently Asked Questions (FAQ)
- macOS 10.13 High Sierra Frequently Asked Questions (FAQ)
- macOS 10.12 Sierra Frequently Asked Questions (FAQ)
- OS X 10.11 El Capitan Frequently Asked Questions (FAQ)
- OS X 10.10 Yosemite Frequently Asked Questions (FAQ)
- OS X / macOS Server:
- macOS Server 5.9.x Frequently Asked Questions (FAQ)
- macOS Server 5.7.x Frequently Asked Questions (FAQ)
- macOS Server 5.4-5.6.3 Frequently Asked Questions (FAQ)
- macOS Server 5.2-5.3.1 Frequently Asked Questions (FAQ)
- OS X Server 5 Frequently Asked Questions (FAQ)
- OS X Server 4 Frequently Asked Questions (FAQ)
- At least one domain name and website configured via OS X / macOS Server. We have some articles that may help with this:
- macOS 10.14 Mojave + Server 5.7.x - coming soon
- macOS 10.13 High Sierra + Server 5.4-5.6.3 - coming soon
- OS X / macOS + Server 4/5
- The domain(s) you want to obtain certificates for must be configured in OS X / macOS Server and publicly accessible via the normal internet
- Consider the timing - Let's Encrypt issues 90 day certificates that can be renewed with less than 30 days to go - so 90 days is the max renewal via manual methods, 60 days is the auto renewal timeframe - so think about when those dates will fall after the initial setup and that you will be around/available to perform the manual renewal or check that the auto renewal method has worked!
- You will need a contact/registration email address for each domain certificate that you initially request - this is also used for renewal/problem emails so it might be worth setting up a special email address for this sort of thing if you haven't already got one
Install and setup "Let's Encrypt" (Certbot) with Homebrew
To install Homebrew vist http://brew.sh then return to here. Go to Macintosh HD > Applications > Terminal > and enter the following commands brew updatesudo mkdir /etc/letsencrypt
sudo mkdir /var/lib/letsencrypt
sudo mkdir /var/log/letsencrypt
brew install letsencrypt
git clone https://github.com/letsencrypt/letsencrypt If everything went okay, you should see the following folders in:
- ~/letsencrypt
- /etc/letsencrypt
Create required (hidden) directories
Using the Terminal, create two folders/directories for automated scripts: mkdir ~/letsencrypt/my_scriptmkdir ~/letsencrypt/my_script/logs You need to create two (hidden) folders/directories in the website for each domain that you want certificates for: sudo mkdir /Library/Server/Web/Data/Sites/your_domain_name's website folder/.well-known/
sudo mkdir /Library/Server/Web/Data/Sites/your_domain_name's website folder/.well-known/acme-challenge Files in these folders must be publicly accessible via the normal internet. To test this put a quick and dirty html file named "test.html" in each of the folders then make sure you can access them via a browser at:
- http://www.your_domain_name.tld/.well-known/test.html
- http://www.your_domain_name.tld/.well-known/acme-challenge/test.html
Obtain the initial domain certificate manually
Using the Terminal, enter the following command:NOTE:
UPDATE 19/03/2018: Let's Encrypt - ACME v2 and Wildcard Certificate Support is Live sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/your_domain_name's website folder -d your_domain_name.tld -d www.your_domain_name.tld Follow the on-screen instructions. If successful your certificate (a "cert.pem" file) will appear in /etc/letsencrypt/live/your_domain_name.tld/
Manually convert the certificate for use with OS X / macOS
Using the Terminal, enter the following command: sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/your_domain_name.tld/privkey.pem -in /etc/letsencrypt/live/your_domain_name.tld/cert.pem -certfile /etc/letsencrypt/live/your_domain_name.tld/fullchain.pem -out /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -passout pass:"admin_password"Import the certificate into the OS X / macOS Keychain
Using the Terminal, enter the following command: sudo security import /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P "admin_password" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd Check the certificate has been installed successfully (into the OS X / macOS Keychain) by going to Server app > Certificates - you should see the certificate for your domain listed as Issuer: "Let's Encrypt Authority X3". Quit and relaunch the Server application if it was open while you were doing the above.Configure your website(s) to use https
Open the Server application and for each website:- Click on "Websites" on the left
- Make sure the domain already has a non-secure website entry using port 80 - do not delete this or edit this to be a secure entry
- Create a new website entry for the website and set:
- 'Domain name' to "your_domain_name.tld"
- 'SSL Certificate' to the one you just installed i.e. "your_domain_name.tld - Let’s Encrypt Authority X3" and check that the port number automatically changes to "443"
- 'Store Site Files In' to the directory for your website files
- Click the "Edit…" button to the right of 'Additional Domains' and add "www.your_domain_name.tld"
- Click the "Edit…" button to the right of 'Index Files' and set accordingly
- Click "OK" to return to the main Websites list window
- Optional - update the domain's non-secure website entry with a redirect so that all web page accesses go to https: NOTE: See also the considerations of moving to https section below for some important implications of moving your web site to https.
- Edit the non-secure website entry
- Click the "Edit…" button to the right of 'Redirects'
- Set 'Source' to "/" (everything)
- Set 'Destination' to "https://www.your_domain_name.tld/" with status "permanent 301" (redirection)
- Click "OK"
- Click "OK" to return to the main Websites list window
Manual certificate renewal
Using the Terminal, enter the following command:NOTE:
UPDATE 19/03/2018: Let's Encrypt - ACME v2 and Wildcard Certificate Support is Live sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/your_domain_name's website folder -n -d your_domain_name.tld -d www.your_domain_name.tld Follow the on-screen instructions. If successful your certificate (a "cert.pem" file) will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date
Automate certificate renewal
Using the Terminal, enter the following command and note the output result: echo $PATH For each domain/website, create a command text file using your favourite text editor e.g. BBEdit in ~/letsencrypt/my_script:
#!/bin/sh
DOMAIN_DEFAULT="your_domain_name.tld"
PEM_FOLDER="/etc/letsencrypt/live/${DOMAIN_DEFAULT}/"
LOG_FOLDER="/Users/replace_with_your_home_directory_name/letsencrypt/my_script/logs"
DATE=$(date +"%d-%m-%y")
LOG_FILE="${LOG_FOLDER}/${DATE}.log"
PATH=replace_with_result_of_echo_$PATH_command_performed_above
# Retrieve certificate
sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/your_domain_name's website folder -n -d your_domain_name.tld -d www.your_domain_name.tld
# Check that everything went fine
LE_STATUS=$?
if [ "$LE_STATUS" != 0 ]; then
echo Automated Get certificate failed:
cat $LOG_FILE
exit 1
fi
# Generate a passphrase
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
# Transform the pem files into an OS X / macOS Valid p12 file
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout pass:$PASS
# import the p12 file into the OS X / macOS keychain
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P $PASS -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
- Create a new task
- TICK "Enabled"
- Set 'User' to "root"
- Name = "com.your_domain_name.cert_renewal_tuesday.plist"
- Run = "/Users/replace_with_your_home_directory_name/letsencrypt/my_script/cert_renewal_your_domain_name_tuesday.sh" NOTE: The .sh filename should match the name of the script you created above.
- When tab > TICK "Scheduled"
- Set schedule to "Day of week" + "Tuesday" + "08:00"
- Click "Save"
- A new, converted certificate titled "letsencrypt_sslcert.p12" will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date.
- If (and only if) the certificate has been renewed a new, updated certificate titled "cert.pem" will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date.
- If (and only if) the certificate has been renewed a new, updated certificate will have been imported successfully into the OS X / macOS Keychain - go to the Server application > Certificates - you should see the new certificate for your domain listed as Issuer: "Let's Encrypt Authority X3" and an updated "Expiration Date". Quit and relaunch the Server application if it was open while you were doing the above.
- Old certificates will still show in the Server application - you can manually delete them and services should automatically switch over to using the renewed/new certificate.
Considerations of moving to https
- Redirecting all http accesses to https - there are several ways to do this (one is listed above in our configure your website(s) to use https section above)
- Canonical links in page headers
- Robots
- Google page ranking (a https link may be treated differently to a http link)
- Mixed content on your page i.e. content server up from other servers e.g. adverts - this will cause browsers to show users that your site is not totally secure
- Useful information:
References
The following pages were extremely useful in compiling this set of instructions:- Certbot instructions for macOS users - running Apache (instructions also available for Nginx, Haproxy, Plesk, other)
- The Complete Guide To Switching From HTTP To HTTPS — Smashing Magazine
- FAQ - Let's Encrypt - Free SSL/TLS Certificates
- Let's Encrypt - ACME v2 and Wildcard Certificate Support is Live
- Install SSL certificate on your mac server [renewal procedure updated]
- Complete guide to install SSL certificate on your OS X server hosted website
- Installing a Let’s Encrypt Certificate on macOS Server | Station in the Metro
- http://blog.barijaona.com/web/settingup_letsencrypt.html
- OSX / unauthorized & invalid response from
- [OS X Server 10.11.4] [crontab] certbot renew
- User Guide - Certbot 0.19.0.dev0 documentation - Renewing Certificates
- macOS Sierra 10.12.6 LE cert for Apple Wiki
- Securing websites with LetsEncrypt on macOS Server
- Redirecting HTTP to HTTPS on OS X 10.6 Server Snow Leopard
If this information helped you or saved you time and/or money why not donate a little to us via PayPal?
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
If this information helped you or saved you time and/or money why not donate a little to us via PayPal?
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
Go to this
web page
to donate to us.
All proceeds go directly to MacStrategy / Burning Helix to help fund this web site.
Go to this
web page
to donate to us.