I completed all the steps, and when I enter I continue getting the following errors

Well, that does feel like kind of an old tutorial. 🙂

If you see the part where they say [server root] in the tutorial, they were assuming that you knew the directory that your Apache server serves files from, and that you would type that path in place of [server root]. (They don’t mean “running this command on the server as the root user”, despite the extreme similarity of these words.)

Anyway, why don’t you try sudo ./certbot-auto --apache and see if that works more easily?

Actually, I looked at some other macOS-related threads on this forum and saw that macOS probably does not put Apache configuration in /etc/apache2… but it might be worth trying sudo ./certbot-auto --apache first just in case it works. If it doesn’t work, it should be possible to use --webroot, which will still require figuring out where the web root directory is. 🙂

It is showing
sudo : ./certbot-auto command not found

I’ll check where the root directory is

Don’t forget to cd letsencrypt first, like you did with ./letsencrypt-auto.

According to other threads about macOS here, it may be somewhere within /Library/Server/Web.

grep -r DocumentRoot /etc/apache2
/etc/apache2/extra/httpd-ssl.conf:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/extra/httpd-ssl.conf~orig:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/extra/httpd-ssl.conf~previous:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/extra/httpd-vhosts.conf~orig: DocumentRoot "/usr/docs/dummy-host.example.com"
/etc/apache2/extra/httpd-vhosts.conf~orig: DocumentRoot "/usr/docs/dummy-host2.example.com"
/etc/apache2/extra/httpd-vhosts.conf~previous: DocumentRoot "/usr/docs/dummy-host.example.com"
/etc/apache2/extra/httpd-vhosts.conf~previous: DocumentRoot "/usr/docs/dummy-host2.example.com"
/etc/apache2/httpd.conf:# DocumentRoot: The directory out of which you will serve your
/etc/apache2/httpd.conf:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/httpd.conf: # access content that does not live under the DocumentRoot.
/etc/apache2/httpd.conf.pre-update:# DocumentRoot: The directory out of which you will serve your
/etc/apache2/httpd.conf.pre-update:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/httpd.conf.pre-update: # access content that does not live under the DocumentRoot.
/etc/apache2/httpd.conf~previous:# DocumentRoot: The directory out of which you will serve your
/etc/apache2/httpd.conf~previous:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/httpd.conf~previous: # access content that does not live under the DocumentRoot.
/etc/apache2/original/extra/httpd-ssl.conf:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/original/extra/httpd-vhosts.conf: DocumentRoot "/usr/docs/dummy-host.example.com"
/etc/apache2/original/extra/httpd-vhosts.conf: DocumentRoot "/usr/docs/dummy-host2.example.com"
/etc/apache2/original/httpd.conf:# DocumentRoot: The directory out of which you will serve your
/etc/apache2/original/httpd.conf:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/original/httpd.conf: # access content that does not live under the DocumentRoot.

letsencrypt admin$ sudo ./certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): semler-jenkins.moduscreate.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for semler-jenkins.moduscreate.com
No vhost exists with servername or alias of semler-jenkins.moduscreate.com. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost *:443...
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. semler-jenkins.moduscreate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: semler-jenkins.moduscreate.com
    Type: connection
    Detail: Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

As you said, I ran the following commands and that is the output.

Well, it looks like your web root is probably /Library/WebServer/Documents !

You could try using

cd letsencrypt

sudo ./certbot-auto certonly --webroot -w /Library/WebServer/Documents -d semler-jenkins.moduscreate.com -d www.semler-jenkins.moduscreate.com
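
Added example, not part of the original posts: a small filter that reduces `grep -r DocumentRoot` output like the listing in this thread to the directives httpd can actually load, so the value passed to -w is not read off a backup file or a comment. The function names are hypothetical, the sample lines are constructed from the listing, and the backup-name patterns are an assumption based on it; the filter does not check whether a file under extra/ is actually pulled in by an Include.

```bash
# Added example (not from the thread). Filters `grep -r DocumentRoot <dir>`
# output down to directives that httpd can actually load.

# live_docroots: stdin is grep output ("file:matched line");
# stdout is "docroot<TAB>file" for uncommented directives in live .conf files.
live_docroots() {
  awk '{
    i = index($0, ":"); if (i == 0) next
    file = substr($0, 1, i - 1); line = substr($0, i + 1)
    # Backups (~orig, ~previous, .pre-update) and the pristine copies under
    # original/ are not read by httpd. (Naming is an assumption taken from
    # the listing in this thread.)
    if (file !~ /\.conf$/ || file ~ /\/original\//) next
    sub(/^[ \t]+/, "", line)
    # Comment lines only mention the directive; they do not set it.
    if (line !~ /^DocumentRoot[ \t]/) next
    sub(/^DocumentRoot[ \t]+/, "", line)
    gsub(/^"|"[ \t]*$/, "", line)
    print line "\t" file
  }'
}

# webroot_candidates: distinct DocumentRoot values worth passing to -w.
webroot_candidates() { live_docroots | cut -f1 | sort -u; }

# Constructed sample: abridged from the grep output posted in this thread,
# with plain ASCII quotes.
sample_grep_output() {
  cat <<'EOF'
/etc/apache2/extra/httpd-ssl.conf:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/extra/httpd-ssl.conf~orig:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/extra/httpd-vhosts.conf~previous:    DocumentRoot "/usr/docs/dummy-host.example.com"
/etc/apache2/httpd.conf:# DocumentRoot: The directory out of which you will serve your
/etc/apache2/httpd.conf:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/httpd.conf:    # access content that does not live under the DocumentRoot.
/etc/apache2/httpd.conf.pre-update:DocumentRoot "/Library/WebServer/Documents"
/etc/apache2/original/extra/httpd-vhosts.conf:    DocumentRoot "/usr/docs/dummy-host2.example.com"
EOF
}
```

On a real machine the input would be `grep -r DocumentRoot /etc/apache2 | webroot_candidates`; if more than one candidate comes back, `httpd -S` shows which DocumentRoot the running configuration uses.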

Awesome, I think these work.

Hey, that’s terrific!

Sorry this took so many steps. I guess one challenge is that we don’t have a good authoritative guide for macOS and the one that you followed is a little unclear and a little out-of-date. So we should probably produce an official guide with more up-to-date information.

Please do keep in mind that you’ll have to do some kind of configuration in Apache (or possibly in Jenkins?) in order to use this certificate. The certificate has been issued by the certificate authority and it exists on your system, but there will be an additional step to configure the server software to actually make use of it, because right now the other applications simply don’t know that you have a certificate at all!

Also, there’s the renewal step that the software mentioned, which has to be done regularly or else the certificate will expire.

You sent me a message asking about how to do this. There should be lots of tutorials online that explain it. The official one from the Apache project is

https://httpd.apache.org/docs/current/ssl/ssl_howto.html

In Certbot’s terms, the SSLCertificateFile should refer to the fullchain.pem file at the location that Certbot told you, while the SSLCertificateKeyFile should refer to the privkey.pem file at the location that Certbot told you.

If you had used certbot --apache successfully, it would have installed the certificate by creating a new HTTPS virtual host, in a new Apache site configuration file like the following:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName semler-jenkins.moduscreate.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/semler-jenkins.moduscreate.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/semler-jenkins.moduscreate.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/semler-jenkins.moduscreate.com/chain.pem
</VirtualHost>
</IfModule>

You might have /etc/letsencrypt/options-ssl-apache.conf (I’m not sure if it was created), but you would also have to set the DocumentRoot appropriately here because it’s not /var/www/html.

I don’t know anything about Jenkins and I don’t know whether it directly speaks HTTPS or uses a server like Apache as a proxy. For advice about setting up Jenkins, you’ll have to ask specifically on this forum or on another forum dedicated to Jenkins, or look online for a tutorial.
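
Added example, not part of the original posts: a check to run before pointing SSLCertificateFile and SSLCertificateKeyFile at the Certbot files, confirming that privkey.pem belongs to the certificate in fullchain.pem and that the certificate is not close to expiry (the renewal step mentioned above). The function names are hypothetical, the 30-day default is an assumption, and the demo pair is a constructed self-signed certificate used only to exercise the checks offline; it needs the openssl command-line tool.

```bash
# Added example (not from the thread): check a Certbot certificate/key pair
# before referencing it from the Apache configuration.

# check_cert_pair FULLCHAIN PRIVKEY [MIN_DAYS]
# Returns 0 if usable, 1 if the key does not belong to the certificate,
# 2 if the certificate expires within MIN_DAYS (default 30), 3 if unreadable.
check_cert_pair() {
  local chain="$1" key="$2" min_days="${3:-30}" cert_pub key_pub
  # openssl x509 reads only the first certificate in the file: the leaf.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  if ! openssl x509 -in "$chain" -noout -checkend "$((min_days * 86400))" >/dev/null; then
    echo "certificate expires within $min_days days; renew it" >&2
    return 2
  fi
  return 0
}

# chain_length FILE: number of certificates in a PEM bundle. fullchain.pem
# normally holds the leaf plus intermediate(s); cert.pem holds only the leaf.
chain_length() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# make_demo_pair DIR DAYS: constructed throwaway self-signed pair for trying
# the checks offline. Real files live where Certbot reported them.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.example" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}
```

Against the real files this would be run as root with the fullchain.pem and privkey.pem paths under /etc/letsencrypt/live/semler-jenkins.moduscreate.com/, followed by `apachectl configtest` once the directives are in place.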
