Compatibility certbot-OSX Server

First I confess not understanding any of the jargon, be warned.
I run a website on a Mac mini in my basement. It is configured exclusively using the OSX Server program (which is not a server but just a graphic interface to some of the actual servers, like Apache, CalDAV etc.)
So far I have used self-signed certificates as made by the OSX Server program, but this inconveniences readers because they are not trusted by their browsers.
I understand certbot installs browser-trusted certificates from Let’s Encrypt, and tries to do it all without me having to know the details of secure connections, certificates, keys, doing the renewal, and so on.
After installation of certbot (which needed installation of Homebrew which needed installation of command line tools which needed enabling the root user on OSX) I get this message:

No vhost exists with servername or alias of: No vhost was selected.
Please specify servernames in the Apache config
Error while running apachectl configtest.
Syntax error on line 9 of /etc/letsencrypt/options-ssl-apache.conf: This version of openssl does not support configuring compression within sections.

I suspect there is some incompatibility between what the OSX Server application does with Apache’s configuration and what certbot needs.
The machine runs OSX 10.9.5 and Server 3.2.2

Thanks for any suggestion.

Hello Robert,

If I understood you correctly, you are running the Lion’s on Mavericks. I do not remember the file configuration and I just finished configuring my certificates using “Let’s Encrypt” for my site using the 5.2 on macOS Sierra 10.12.

I’m using “Let’s Encrypt” and the command line tools; because I wasn’t able to get CertBot to work with my configuration either. I do not expect the support to catch up with the Apple releases just yet so I wrote down the steps and created a job aide. Take a look at it and let me know if you have any questions. Warning: the file paths may be different for your configuration.

Let me know if you have any questions and/or if I can assist you any further.


Let’s Encrypt for macOS Sierra v10_12 and v5_2.txt (2.7 KB)



I get stuck on the following line

sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/example -d example.tld -d www.example.tld

I have replaced example with the folder name for the default folder as I am trying to get the actual server to have a valid certificate, so for me it would be:

sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/default -d server.example.tld

I have replaced example.tld with my domain name.

When I run the command I get the following:


I have tried giving everyone read/write access to the .well-known folder but that doesn’t change anything. Am I doing something wrong?


Hi Emandino,
Thanks for your set of steps which I will try asap (I was away for a while) and I’ll report the results.
I may also upgrade to Sierra and erver5.2 first.

Hello Henry,

Question: are you attempting to generate a certificate for “server.folder_name.local”?

If the answer is yes, I believe that you can generate an SSL certificate for neither .local nor .private tld’s.

The certificate is generated to encrypt the data transmission for the domain name that you purchased or host not the server. It is a way to keep us web developers/masters/publishers honest and let our audience know that there is no funny business going on behind their backs when they visit us. Different kinds of services (ftp, smtp, etc) will require different types of certificates and you will need to either generate or acquire those separately.

Hope this answer helps.



Hello Robert,

After I upgraded from Yosemite to El Capitan and had to format and recreate my entire hard drive, it is always scary when Apple comes up with an OS upgrade. My advice: it is always good to stay on top of the latest updates/upgrades however do not make the same mistakes I had made in the past. Keep a current backup of all your most important data on an isolated drive or partition, create a bootable installer for macOS and install it on a separate testing drive or partition. Once you are happy with the new software, move it to production.

I learned my lesson the hard way. Good luck to you and let me know if I can assist you in any way.



Hi Edwin,

I am actually trying generate an SSL certificate for a tld. I own the domain and have set the necessary DNS settings in the authoritative DNS host and internally.


Hello Henry,

Did you try to generate the certificate for: “” and/or “”?


Hi Edwin,

I keep backups meticulously, there is much to say about this but it is another subject.

I made the step to Sierra, found that it was impossible to upgrade certain files because their upgrade path goes obligatorily through Yosemite or El Capitan, and these intermediate versions are no longer available for download…
I bought again. Most worked, but CalDAV does not. Possibly because of the missing intermediate steps. Trying to delete all calendars and then restoring them from a backup file did not work (could not make Calendar behave at all).
Too many files hidden away in dark places.
I also saw a process “secd” taking 90% CPU, but have no recollection of ever installing anything that used it. Did it come in through the stuff from homebrew, ruby, … ? I don’t know.
After wasting more than a day on Sierra I finally gave up and rolled back the entire server
system to its state before Sierra.
I think I’ll stick to Mavericks until Apple and the certbot guys get their act together.
It’s far too complex. For example, why is a ruby installation necessary to get a certificate?

This is also another subject, but the push to upgrade incessantly is very annoying.
My wife installed Sierra and now she can’t use the printer and scanner anymore.
I finally gave in to the constant nagging of my iPhone to upgrade to the next iOS version (impossible to say “NO”), with the result that I needed a new version of iTunes, which fortunately still just runs on Mavericks on my laptop.
If I change to Sierra there, I will lose Adobe CS6, and need to fork out 66USD a month, when in fact I was perfectly happy with CS2 which was killed by Lion.
And so on.

I’ll come back somewhat later.

Hi Henry,

I am not an expert at this either. (I am using OS X 10.12.1 and Server 5.2)

I was receiving the same error until I went back through Edwin’s instructions, and finally I was able to get it to work. So I can verify they work at least on Server 5.2.

The only two things I can think to say that you may want to try are:

  1. the “Default” website folder on my computer uses a capital “D” you did not type a capital D in your post above. Maybe that matters. I made a new folder that was my domain name to store my files in; my new folder was all lowercase.

  2. I did not have “Enable Python” checked, and have since checked it. His instructions on Step 2 say to Navigate to Server/Help/Server Tutorials Lesson 2. Under “Lesson 2: Create a public, encrypted website” - Step 5 - the screen shot shows “Enable Python” checked. So I checked mine.

Don’t know if either of those help. Good luck.

I will double check that although I am sure that I did copy and paste.

I also did not have python enabled. What I will do is try the instructions with that enabled first then will check the case of the letters.


Hi Henry,
I think enabling Python may be the trick for the Mac Server. After a little more research I noticed on the certbot about page ( one of the old names for certbot was “the Let’s Encrypt Python client.”

I tried recreating the error this morning, but was unable to do so. Python may only have to be enabled the first time. So, when you have a chance definitely let us know if it worked.


OK so, I enabled python but was still experiencing the same problem. I resolved it in the end, I needed to make the Sites folder executable using chmod -x.

This may be something new in the latest versions of MacOS and Server.

Thank you. Found tons of stuff but nothing for Server App so was missing the conversion step. A few hours wasted looking for the solution but you provided the right information to finally give me the win!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.