Clarification About Renewals of Certificates and Script Behaviour on Mac OS X Server

Running macOS El Capitan with Server.app 5.2. I have followed this guide:

This works a treat and I have a certificate imported into server app.

However, when proceeding to the last step in the guide and creating the renew script I run into trouble. Rather than renewing my certificate it just seems to generate new certificates and import these into Server.app.

Any pointers as to where things may be going wrong for me? Not sure what additional information I should post, as I have followed the above guide to the letter.


You are aware there is no such thing as a renewal of an SSL certificate? It's called a renewal for understanding's sake, but once a certificate is issued it cannot be altered in any way (including adding a new valid date range).

So in fact what the script is doing is correct, i.e. issuing a new certificate that is valid for 90 days.

Have a read of this thread, which describes the behaviour. Although it talks about expanding, the renewal concept is the same.

Andrei

A real world metaphor may be useful here. In a few weeks I must "renew" my driving license. Well, of course the driving license is physically a piece of plastic with a photograph and ID number permanently marked on it; they will not be "renewing" this at all. Instead what they will do is take a new photograph, print a new plastic license and send me that. Even if you don't have driving licenses like this (most places do, but not everywhere), doubtless you have other documents of this sort which are said to be "renewed" though in fact the original is not "renewed" but instead replaced, and X.509 certificate documents work the same way.

You can't easily look at it directly, but to a machine the X.509 certificate for your server is a series of related statements, just like my driving license: it identifies a subject (by the Fully Qualified Domain Name, like www.example.com), it says that Let's Encrypt has issued this certificate to that subject, and there's a way to tell that's who this is you're talking to (a Public Key value, which cryptography allows you to use to check whether somebody has the corresponding Private Key; if they do, then they presumably must be www.example.com), and then it's all signed. The signed document includes a start and end date (notBefore and notAfter) and you can't change those because you'd damage the signature and then it's worthless, so instead you just have Let's Encrypt issue you a new one every few months.

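The following is an added example, not code from the guide or from any poster in this thread. It uses the openssl command line (present on macOS and most Unix systems) to simulate what a "renewal" actually produces: a brand-new signed certificate with a fresh serial number and a fresh notBefore/notAfter window, while the subject and even the key pair can stay the same. The hostname, file names and lifetimes are assumptions, and self-signing stands in for the CA's signature.

```shell
#!/bin/sh
# Added example: show that a "renewed" certificate is a new document rather
# than an edited one. Hostname, lifetimes and paths are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.com"   # assumed subject; stands in for your server's FQDN

# One key pair, reused for both certificates. Reusing the key does not make
# the second certificate a "renewal" of the first; it is still a new document.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# issue_cert NAME DAYS: self-sign a certificate for $HOST valid for DAYS days.
# Self-signing stands in for the CA (Let's Encrypt) signature here.
issue_cert() {
  openssl req -new -x509 -key "$WORK/key.pem" -days "$2" -subj "/CN=$HOST" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# cert_field FILE FLAG: print one field of a certificate, e.g. -serial,
# -subject, -startdate, -enddate (the latter two are notBefore/notAfter).
cert_field() {
  openssl x509 -in "$WORK/$1" -noout "$2"
}

# same_pubkey A B: succeeds if both certificates carry the same public key.
same_pubkey() {
  a=$(openssl x509 -in "$WORK/$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl x509 -in "$WORK/$2" -noout -pubkey | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# valid_in FILE SECONDS: succeeds if the certificate is still valid SECONDS
# from now (openssl -checkend exits non-zero if it expires within that window).
valid_in() {
  openssl x509 -in "$WORK/$1" -noout -checkend "$2" >/dev/null
}

# signature_ok FILE: succeeds if the certificate's signature verifies against
# itself as trust anchor (it is self-signed in this illustration).
signature_ok() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$1" >/dev/null
}

issue_cert old 1     # the "old" certificate: one-day lifetime, about to expire
issue_cert new 90    # the "renewal": a fresh 90-day certificate, same subject and key

echo "old: $(cert_field old.pem -serial) $(cert_field old.pem -enddate)"
echo "new: $(cert_field new.pem -serial) $(cert_field new.pem -enddate)"
```

Run it and compare the two lines: the serial and notAfter differ, while `cert_field old.pem -subject` and `cert_field new.pem -subject` agree and `same_pubkey old.pem new.pem` succeeds. That is exactly what a renewal script produces, and why the server still has to be pointed at the new file: nothing in the old certificate changed.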

Thanks for the helpful analogy, @tialaramex!

Yes, it was one of the best ones I have seen to date :smiley:

Dear mtjoernelund

To be completely honest with you, I have the same issue. I thought I had it working when I wrote the tutorial but I quickly found out that it was not completely automated. I didn't have time to investigate this issue, but I intend to do so in the near future. Currently I run the script manually.

If you want I will let you know as soon as I have a solution.

Best regards,

Jeff

http://luxdev.lu/

Jean-François LA ROCCA
Assistant IT
+352 29 58 58 218
Skype: jean-francois.larocca.luxdev
www.luxdev.lu http://luxdev.lu/fr

DISCLAIMER
The opinions expressed in this e-mail are solely those of the sender and do not constitute a formal commitment by LuxDev. The information contained in this document is intended exclusively for the attention of the addressee and may be confidential. Copying, disclosing or using the content of this e-mail may be illegal.
Think about the environment before printing this e-mail.
Be GREEN, keep it on the SCREEN

Jeff, your scripts work flawlessly to renew. The problem I have is that Server.app still clings to the expired certificate despite a new, renewed certificate being there.

This means that I have to go manually to Server.app and apply the new, renewed certificate to the services.

If I don’t go do that, or cannot, then the services have expired certs, even though a renewed certificate is there!

Something makes me think that the command that adds the cert to Server.app needs to tell it that the renewed cert is replacing the former one. Or an additional command needs to run on renewal that deletes the old cert and tells Server.app to use the new one.

Most server software, certainly in the Unix world, has the idea of "reloading", which would usually include reading updated configuration files or certificates. You should be able to find instructions on how to tell your preferred server to reload, and it is likely this is sufficient.
