Automating Certbot for OSX Server: error and stuck with generating the necessary renewal of Let's Encrypt SSL

Original Post - https://unix.stackexchange.com/questions/391731/automating-certbot-for-osx-server-error-in-get-cert-sh-script

=====================================================

Hello Folks and Gurus,

Apologies if I am posting in the wrong place. Please direct me to the right place as I am really new at all of this.
I am currently facing a problem with my Mac OS-X El Capitan machine when running certbot (or basically letsencrypt).

My machine is a Mac mini that is supposedly running an MDM solution with Let's Encrypt as its SSL certificate. My MDM is working fine, and I just want to automate the renewal of the SSL certificate via certbot.

I followed this guide for the entire set-up - Joshua Jung, Medium.com - setting up mac mini OSX as MDM
https://medium.com/@JoshuaAJung/managing-your-mobile-devices-in-the-cloud-using-apples-own-mdm-solution-8a588d9724b6

This is my script file - get-cert.sh

#!/bin/sh
DOMAIN="mdm.school.domain"
PEM_FOLDER="/etc/letsencrypt/live/${DOMAIN}/"

# Renew the certificate

# sudo certbot renew --quiet   # old way, didn't work.

# new way below -

sudo certbot renew --cert-name "${DOMAIN}" -q

# Generate a passphrase

echo starting password
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
echo finish password - looks like no problem.

# Transform the pem files into a p12 file

echo start openssl
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:$PASS"
echo end openssl

# Import the p12 file into the keychain

echo start security import
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "$PASS" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
echo end security import

I have 2x issues actually.

First, while I can renew the certificate manually, meaning, if I enter "sudo certbot renew", the certificate gets renewed successfully. However, if I run the command through the script, an error occurs stating that there's an argument error:

-q/--quiet: ignored explicit argument '\r'.

Second, I encounter an error with the openssl import, whereby the error shows:

cert.pemening input file /etc/letsencrypt/live/mdm.school.domain cert.pem: No such file or directoryg

I do have a 3rd issue, where the error occurs as per below -

letsencrypt_sslcert.p12: no such file or directoryve/mdm.school.domain but I think this error is related to the second one.

I am stumped at the moment. I have the directories all set properly. I have given 0755 or 0777 permission to the required files in the “live” folder to all the files (.pem and .p12).

When I run sudo certbot certificates, I get the info that the expiry date is set to 89 days later. The certificate path and private key path correctly point to the location where they are stored - /etc/letsencrypt/live/mdm.school.domain/fullchain.pem and privkey.pem

Having said that, the content of the live folder, as I checked using Finder, is essentially a symlink to the archive folder.

I have also ensured that the archive folder access is given 0755 for privileges.

Hope to pick on the brains of the gurus here.

If I can’t automate the process using the script, then how can I proceed with a manual renewal? I can’t seem to get past the process to generate a certificate that is ‘readable’ for OS-X certificate repository.

Thank You all in advance!

Even though you use the DOMAIN variable elsewhere, try the PEM_FOLDER variable explicitly without it:
#!/bin/sh
DOMAIN="mdm.school.domain"
PEM_FOLDER="/etc/letsencrypt/live/mdm.school.domain/"

I say that because:
"input file /etc/letsencrypt/live/mdm.school.domain cert.pem: No such file or directory"
Appears to have a space between domain and cert instead of the expected slash.

Are you using a Windows machine somewhere in this process to create these text files? What text editor are you using?

It seems like you might be getting carriage return ('\r') characters into your script somewhere in addition to the Unix-style line feeds ('\n'). If you run hexdump -c get-cert.sh, do you see any \r characters in that file?

Personally I would re-write the whole script to take the trailing / out of PEM_FOLDER and add it in after each invocation of that variable. The way it's written is kinda against convention anyway, and for good reason.

There’s another issue that certbot renew is meant to do a renewal check for each installed certificate and usually not renew each certificate, unless it’s less than 30 days from expiry. It does not mean “renew this certificate now”, it means “check what needs to be renewed”. It’s probably not appropriate to use in your script in this particular way. (We have a different mechanism called renew-hook which is meant for use when you want to run a particular script after a certificate has been renewed.) However, I don’t believe this is the reason for the particular problems that you’re experiencing.

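Restructuring the poster's script as a certbot hook, along the lines schoen describes, is an added example here and not code from the thread or from certbot. It assumes certbot's `--deploy-hook` option (the successor of `--renew-hook`), which runs the hook only after a certificate was actually renewed and exports `RENEWED_LINEAGE` (the live directory of the renewed certificate) and `RENEWED_DOMAINS`; the hook is installed with `certbot renew --deploy-hook /usr/local/sbin/deploy-mdm-cert.sh` (a hypothetical path). The domain, keychain and trusted-application path are taken from the poster's script. Two changes from that script: `-certfile` uses `chain.pem` rather than `fullchain.pem`, so the leaf certificate is not bundled twice, and the PKCS#12 passphrase reaches openssl through the environment (`-passout env:P12_PASS`) instead of the command line, so it does not show up in `ps`. `security import -P` only accepts the passphrase as an argument, so that one exposure remains.

```shell
#!/bin/sh
# deploy-mdm-cert.sh -- added example, not from the original thread.
# Run by certbot as a deploy hook (assumed certbot >= 0.17):
#   certbot renew --deploy-hook /usr/local/sbin/deploy-mdm-cert.sh
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mdm.school.domain)
# only when a certificate was actually renewed, so otherwise nothing runs.
set -eu

DOMAIN="mdm.school.domain"                      # from the poster's script
KEYCHAIN="/Library/Keychains/System.keychain"
SERVERMGRD="/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd"

# join_path DIR NAME: join without depending on a trailing slash in DIR, so
# "/etc/letsencrypt/live/x" and "/etc/letsencrypt/live/x/" give the same path.
join_path() {
    printf '%s/%s\n' "${1%/}" "$2"
}

# lineage_matches LINEAGE DOMAIN: true when the renewed lineage is the one we
# manage (certbot may renew several certificates in a single run).
lineage_matches() {
    [ "$(basename "${1%/}")" = "$2" ]
}

# make_passphrase: 32 random hex characters from /dev/urandom (no openssl needed).
make_passphrase() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# pem_to_p12 LINEAGE OUT: bundle private key + leaf cert + chain into a PKCS#12
# file. The passphrase is read from the environment (P12_PASS), not from argv.
pem_to_p12() {
    lineage="$1"; out="$2"
    umask 077
    openssl pkcs12 -export \
        -inkey    "$(join_path "$lineage" privkey.pem)" \
        -in       "$(join_path "$lineage" cert.pem)" \
        -certfile "$(join_path "$lineage" chain.pem)" \
        -out "$out" -passout env:P12_PASS
}

# import_p12 FILE: import into the System keychain and allow servermgrd to use
# the key. `security import -P` only accepts the passphrase as an argument.
import_p12() {
    security import "$1" -f pkcs12 -k "$KEYCHAIN" -P "$P12_PASS" -T "$SERVERMGRD"
}

main() {
    lineage_matches "$RENEWED_LINEAGE" "$DOMAIN" || exit 0
    P12_PASS="$(make_passphrase)"; export P12_PASS
    p12="$(join_path "$RENEWED_LINEAGE" letsencrypt_sslcert.p12)"
    pem_to_p12 "$RENEWED_LINEAGE" "$p12"
    import_p12 "$p12"
    rm -f "$p12"    # the keychain holds it now; don't leave a key bundle on disk
}

# Only act when certbot actually renewed something.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook is only invoked for a renewal that actually happened, it can be run from a daily `certbot renew` (cron or launchd) without re-importing an unchanged certificate every day, which is what a bare `certbot renew` followed by unconditional openssl/security steps would do.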
Hi, apologies for my late reply on the matter. I have been away. Let me attempt to answer all the questions:

  1. I was using a windows notepad and I also tried using TextEdit from Mac OS X.
  2. I am not sure how to detect carriage return, can I do it via the shell through ‘vi’ editor? What should I be looking for?
  3. is it a possibility that my dns server config is at fault thus causing this problem?

Hmm, I can try. But to be honest, I tried to enter the command on my shell command prompt and it worked.

I am really puzzled why it doesn’t work as a script, but works as a typed-in command.

Yes I will try this out tonight or tomorrow.

It’s possible that vi would show carriage returns as ^M. However, I would suggest using hexdump -c, which I mentioned above. If you have only Unix-style end-of-line, the output would look something like

0000000   T   h   i   s       i   s       a       f   i   l   e       c
0000010   o   n   t   a   i   n   i   n   g       o   n   l   y       L
0000020   F       (   U   n   i   x       e   n   d   -   o   f   -   l
0000030   i   n   e   )  \n   c   h   a   r   a   c   t   e   r   s   .
0000040  \n                                                            

where you see \n displayed at the end of each line. If you also have some carriage returns, they will be displayed as \r, like

0000000   T   h   i   s       i   s       a       f   i   l   e       c
0000010   o   n   t   a   i   n   i   n   g       C   R   L   F       (
0000020   D   O   S   /   W   i   n   d   o   w   s       e   n   d   -
0000030   o   f   -   l   i   n   e   )  \r  \n   c   h   a   r   a   c
0000040   t   e   r   s   .  \r  \n                                    

vim will usually display such files normally, but it will display [dos] in the status line.

I always use cat -A (fast and clean) :wink:

$ cat -A win.txt
one^M$
two^M$
three⏎

$ cat -A unix.txt
one$
two$
three$
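
For checking and fixing the line endings from a script rather than by eye, here is an added example that is not from any of the posts above. It writes a constructed CRLF version of the script into a temporary directory, detects the carriage returns with POSIX tools only (the `-A` flag is GNU `cat`; the BSD `cat` on macOS spells the same view `cat -ve`), prints the same `^M$` view portably with `sed`, and strips the CRs with `tr`. The `last_arg` function shows why certbot complained: with a CR on the line, the last word the shell passes is `-q\r`, which the option parser reads as `-q` with the explicit argument `\r`.

```shell
#!/bin/sh
# Added example (not from the thread): detect and strip DOS line endings
# from a shell script before running it.
set -eu

# has_crlf FILE: succeeds if FILE contains a carriage return.
# $(printf '\r') keeps the CR (command substitution only drops trailing
# newlines), so grep searches for the literal byte; works with BSD and GNU grep.
has_crlf() {
    if LC_ALL=C grep -q "$(printf '\r')" "$1"; then
        return 0
    else
        return 1
    fi
}

# show_eol FILE: portable equivalent of GNU `cat -A` / BSD `cat -ve`:
# each line gets a trailing $ and any carriage return is shown as ^M.
show_eol() {
    LC_ALL=C sed -e 's/'"$(printf '\r')"'/^M/g' -e 's/$/$/' "$1"
}

# strip_crlf FILE: rewrite FILE in place with LF-only line endings.
strip_crlf() {
    tmp="$1.lf.$$"
    tr -d '\r' < "$1" > "$tmp"
    mv "$tmp" "$1"
}

# last_arg LINE: the final whitespace-separated word of LINE, as the shell
# would pass it to the command. With CRLF endings this is "-q\r", which
# certbot reports as "-q/--quiet: ignored explicit argument '\r'".
last_arg() {
    printf '%s' "${1##* }"
}

# --- demo on a constructed file (not the poster's real script) ---
work="$(mktemp -d)"
script="$work/get-cert.sh"
printf '#!/bin/sh\r\nDOMAIN="mdm.school.domain"\r\nsudo certbot renew --cert-name "$DOMAIN" -q\r\n' > "$script"

if has_crlf "$script"; then
    echo "CRLF found in $script:"
    show_eol "$script"
    strip_crlf "$script"
fi
has_crlf "$script" || echo "now LF only:"
show_eol "$script"
rm -rf "$work"
```

Run `strip_crlf` on the real script once (or convert it with `tr -d '\r' < get-cert.sh > get-cert.lf.sh`), then keep editing it with an editor that saves LF endings; `has_crlf` is cheap enough to put in front of any cron or launchd job that runs a hand-copied script.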

Hi everyone, thank you for the help. Really, really grateful.
The issue is, like what you guys described, really simple.
The problem was indeed the carriage return.
Unfortunately, I couldn't see it in the vi editor on Mac OS X.

For some weird reason, I couldn't follow @sahsanu's method of using the cat -A command. The error stated that I was using cat the wrong way. I think it's the shell compatibility.

I used @Patches's info and I used vim. vim shows the carriage return as ^M.

Thanks to @schoen's help and information in detailing the issue with the carriage return.

I also followed @jared.m and @rg305's advice and removed the need to have the declaration and usage of ${DOMAIN}, since the variable is only used twice. I am okay with making domain changes twice in a short script file like this. :slight_smile:

All in all, I am really thankful and grateful for the help rendered by the community. I now have a working, automatically renewing MDM solution for the school!

