A script for cleanly installing/renewing letsencrypt certs on macOS Server


#1

If you want to use letsencrypt certificates on macOS Server, actually installing them is complicated. macOS has its own ideology on security and its own tools and interfaces. Add Server to the mix, and getting a letsencrypt cert functional in macOS Server is hand work, not something you want to do every 60-90 days.

There have been instructions on how to do this, but these were never complete. For instance, they do not remove the old, no longer used certs, so your environment slowly fills up with outdated certs.

Based on what was already there I’ve created a richer script that can be installed as a deploy hook in /etc/letsencrypt/renewal-hooks/deploy/ so it gets called automatically on renewal. It is smart enough, for instance, to wait patiently until certain background actions have been completed (macOS Server does a lot of configuration in background processes) before taking the correct action. From the script:

```shell
# Actual normal use:
# 1. Install as /etc/letsencrypt/renewal-hooks/deploy/certbot-macosserver-deploy.sh
#    and it will be automatically run by certbot after installation of a new cert
# 2. Run once by hand to install the cert the first time (example for two domains):
#        sudo certbot certonly \
#            --webroot -w /Library/Server/Web/Data/Sites/www.example.com \
#            -d www.example.com,foo.example.com
#    This installs the cert for the first time
# 3. Add a line to the root crontab, such as
#        10 5 * * * /usr/local/bin/certbot renew >>/var/log/certbot.log 2>&1
#    This keeps your cert valid. Renewal is logged in /var/log/certbot.log
#    (which technically will grow endlessly, so for perfection, this log file should be trimmed)
```