Certbot OS X Server Support?


#1

I’ve not been here for a few months, but I see lots of progress has been made!

I see on the official site that you can choose OS X and apache. Does that include OS X Server and its version of apache?


#2

I believe so. @bmw can confirm.


#3

Encouraging - if so, does the renew update the cert in Server.app as well? I’m on 10.12 with Server 5.2 if that helps. Thanks!


#4

Theoretically yes, however, I’ll concede up front that we haven’t done a ton of testing on OS X with Apache. Certbot has a pretty robust backup mechanism though. The worst thing that should happen if you try it is Certbot will error out saying it doesn’t know how to handle something and leave your Apache files unmodified.

EDIT: With that said, it never hurts to make your own backup :slight_smile:

As for Server.app, I can’t say I’m familiar with it. If this is something Certbot would have to do manually and modifying Apache’s configuration files isn’t enough, then no, Server.app would not be updated.


#5

Thanks, I’d probably try it in a VM first. I’m not incredibly confident it will work since it would have to know that when Server is installed on OS X the apache files are actually located in: /Library/Server/Web/Config/apache2 and sites within apache2 directory there.

Server.app assumes a bit of control over these and has its own GUI cert mechanism and GUI for the websites. In looking around, I found some info right here in between replies on the topic and automating the import of the certs to Server.app:

I may give that a whirl, I admit while I can handle it, it’d be nice for a production/home server to have a lot of this rolled in to certbot itself. That’s just a wish on my part, of course. :smiley:

Thank you both for the quick replies and info!


#6

Hello majorsl,

I am new and attempting to complete the installation for my website. While “JeffTheRocker’s” tutorial is exceptional, I find myself with a few questions, only because Mavericks and its corresponding Server.app are slightly different from our configurations and I hope we can compare notes.

I’m hosting my own website with the following configuration:
macOS Sierra v10.12
Mac Mini (Late 2014)
Server.app v5.2

On the tutorial JeffTheRocker instructs:

"Step 2 (test and) generate the certificate
First locate your website directory (the web root). If you didn’t change anything it should be under /Library/Server/Web/Data/Default. There, you must create the folders .well-known and acme-challenge inside .well-known. In order to do so launch :

mkdir PATH_TO_WEB_FOLDER/.well-known

and

mkdir PATH_TO_WEB_FOLDER/.well-known/acme-challenge"

Which I understood it to be:

“mkdir /Library/Server/Web/Data/Default/.well-known”

and

“mkdir /Library/Server/Web/Data/Default/.well-known/acme-challenge”

However, I do not find a “Default” directory inside the “Data” directory, only the “Sites” and “WebApps” directories. On the other hand, I found a “/Library/Server/Web/Data/Sites/Default” directory. In addition I also have 2 additional directories:
"/Library/Server/Web/Data/Sites/server.local" which I use for design, development and testing and “/Library/Server/Web/Data/Sites/‘www.example.com’” where I store the actual website file.

I believe that my PATH_TO_WEB_FOLDER should be “/Library/Server/Web/Data/Sites/www.example.com”

My questions are:
a. Did you successfully complete the installation in your server with the above configuration?
b. Where did you mkdir the “.well-known” and the “.well-known/acme-challenge”?
c. Did you create the “Default” directory inside the “Data” directory?

Your response will be most appreciated.

Kindly

Edwin


#7

Hi, no, I’ve not done anything yet, but I get the general concept. The path with 5.2 should be:

/Library/Server/Web/Data/Sites/Default/

However, you would make the .well-known at the root of your sites you listed like:

/Library/Server/Web/Data/Sites/www.example.com/.well-known

This would allow you to use a different cert for each of your domains. The tutorial assumes one, but you could modify the process to support any number of domains.

I have another year before my current cert expires. I’m probably going to:

  1. hope support is formally added for OS X Server.
  2. probably fire up a VM if I have time and try the tutorial as a proof of concept on a test Domain.

Let’s Encrypt is pretty solid as a concept and I love the idea, but as always, it’s the implementation for so many unique and differing systems that will take a while. They are doing an awesome job getting there, in my opinion. OS X Server is going to be a little lower on the priority list - if it makes it at all.


#8

Hello majorsl,

Exactly what I thought.

I’ll try it in my virtual environment first and let you know what happened.

Thanks for your prompt response.

Kindly

Edwin


#9

Hello majorsl,

It worked. With your answer, I had to merge Jeff’s, Scott’s, wiku’s, ChristopherRaymond’s & hklages’s comments to the different community support entries and voilà, my site is secured now.

Wanted you to be the first to know. Well, aside from my better half. You can safely visit me now at: Edwin’s Tech Blog. Yup, another tech blog. LOL!

I wrote a Tutorial/Job Aide and I would like for you to take a look at it and provide me your feedback. That is if you have time and before I go ahead and make a fool of myself. Let me warn you that the tutorial is geared towards the beginner.

Thank you for your help. Let me catch up with some of my updates.

Kindly

Edwin
Let’s Encrypt for macOS Sierra v10_12 and Server.app v5_2.txt (2.7 KB)


#10

Hello, well done! That will be helpful for me. I’m also looking to automate the renewal.

The get_cert.sh looks to do the trick. A launchd job for every 70 days would auto-renew the cert so you wouldn’t have to do the manual process.
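As an added example (not code from this thread, from certbot, or from the attached tutorial), a POSIX shell helper that creates the per-site challenge directory post #7 describes and emits the 70-day launchd job post #10 suggests. The renewal script path, plist label and log path are placeholders, and the sites root assumes Server.app 5.2's layout as given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Server.app 5.2 keeps each
# site's web root under /Library/Server/Web/Data/Sites/<domain> (post #7).
SITES_ROOT="${SITES_ROOT:-/Library/Server/Web/Data/Sites}"

# Create <site>/.well-known/acme-challenge for one domain. The directory must
# be readable by Apache so the HTTP-01 token can be served; the name check
# keeps a malformed hostname from creating a path outside SITES_ROOT.
make_challenge_dir() {
  domain="$1"
  case "$domain" in
    ""|*/*|*..*|.*) echo "refusing bad domain name: '$domain'" >&2; return 1 ;;
  esac
  dir="$SITES_ROOT/$domain/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  chmod 755 "$SITES_ROOT/$domain/.well-known" "$dir"
  printf '%s\n' "$dir"
}

# Print the web root to hand to certbot's --webroot -w <path> -d <domain>.
webroot_for() {
  printf '%s/%s\n' "$SITES_ROOT" "$1"
}

# Emit a launchd job that runs a renewal script every 70 days (post #10).
# StartInterval is in seconds; the script path and label are placeholders.
launchd_plist() {
  script="${1:-/usr/local/bin/renew_cert.sh}"   # hypothetical path
  interval=$((70 * 24 * 60 * 60))               # 70 days = 6048000 s
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>org.example.letsencrypt-renew</string>
  <key>ProgramArguments</key><array><string>$script</string></array>
  <key>StartInterval</key><integer>$interval</integer>
  <key>StandardErrorPath</key><string>/var/log/letsencrypt-renew.log</string>
</dict>
</plist>
EOF
}
```

A fixed 70-day interval drifts if the machine is asleep or the job fails, so have the renewal script log its result and check the certificate's remaining lifetime rather than trusting the timer alone.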


#11

Howdy,

I’m planning on building a script that will automatically update and hopefully an application that will automate the entire process. Kind of like GPGTools for mail, but we’ll see how it goes.

Thank you for your feedback.

Kindly

Edwin

“…you cannot automate empathy” George Anders

