My domain is: dbk.libertyhaven.net
I ran this command: certbot -v certonly --preferred-challenges=http --manual --config-dir ~/lets-encrypt --work-dir ~/lets-encrypt --logs-dir ~/lets-encrypt
It produced this output: a well-formed lets-encrypt tree, with the files cert.pem, chain.pem, fullchain.pem, and privkey.pem under live/certname, just like it should.
The operating system my web server runs on is (include version): Mac OS Sierra
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): certbot 2.2.0
My problem isn't getting the certificates -- it took me a long while (I wasted time fighting with brew, which no longer works on Sierra) but I finally succeeded by running from a more modern machine.
My problem is that I can't use the files. Mac OS Server is rejecting them. I realize that Mac OS Server is antique software, but it's what we use.
When I drag the "privkey1.pem" file into the box that says "Drag a file containing your private key here," I get an error dialog box saying that the contents are unrecognizable. It surely looks well-formed to me in Text Edit. (See image.)
Do I perhaps have a suffix issue? I see a lot of hints on the web that talk about installing files to OS Server that end in .crt and .p12 . I did notice that although Server doesn't outright reject the other three files, it bundles them in as "extra non-identity certificates" and doesn't recognize the public certificate file for what it is.
As a test, I dragged all these files into Keychain Access. The fullchain.pem file seemed to create a well-formed certificate, and the other two at least weren't rejected, though I'm not sure where they went, if anywhere... but the privkey1.pem file got rejected. For giggles, I exported the resulting certificate, which created a .crt file (hm!). I tried feeding that into Server, but it stuck it under "extra non-identity certificates" again.
I'd appreciate help from anyone who has used (or is still using) Let's Encrypt certificates and keys with Mac OS Server.