Importing certificates into MacOS Server

My domain is:

I ran this command: certbot -v certonly --preferred-challenges=http --manual --config-dir ~/lets-encrypt --work-dir ~/lets-encrypt --logs-dir ~/lets-encrypt

It produced this output: a well-formed lets-encrypt tree, with the files cert.pem, chain.pem, fullchain.pem, and privkey.pem under live/certname, just like it should.

The operating system my web server runs on is (include version): Mac OS Sierra

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.2.0

My problem isn't getting the certificates -- it took me a long while (I wasted time fighting with brew, which no longer works on Sierra) but I finally succeeded by running from a more modern machine.

My problem is that I can't use the files. Mac OS Server is rejecting them. I realize that Mac OS Server is antique software, but it's what we use.

When I drag the "privkey1.pem" file into the box that says "Drag a file containing your private key here," I get an error dialog box saying that the contents are unrecognizable. It surely looks well-formed to me in TextEdit. (See image.)

Do I perhaps have a suffix issue? I see a lot of hints on the web that talk about installing files to OS Server that end in .crt and .p12. I did notice that although Server doesn't outright reject the other three files, it bundles them in as "extra non-identity certificates" and doesn't recognize the public certificate file for what it is.

As a test, I dragged all these files into Keychain Access. The fullchain.pem file seemed to create a well-formed certificate, and the other two at least weren't rejected, though I'm not sure where they went, if anywhere... but the privkey1.pem file got rejected. For giggles, I exported the resulting certificate, which created a .crt file (hm!). I tried feeding that into Server, but it stuck it under "extra non-identity certificates" again.

I'd appreciate help from anyone who has used (or is still using) Let's Encrypt certificates and keys with Mac OS Server.

Certbot 2.0+ uses ECDSA certificates by default. Some (mostly ancient legacy) software does not support ECDSA certificates. You can try whether RSA certificates work:

--key-type rsa
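The advice above hinges on what kind of key certbot actually wrote, which is not obvious from the file name: certbot 2.x writes PKCS#8 ("-----BEGIN PRIVATE KEY-----"), and the algorithm is only visible inside the DER. The following script is an added example, not code from the forum thread or from certbot; it decodes a PEM private key, walks just enough of the DER to read the AlgorithmIdentifier OID, and reports "rsa" or "ecdsa" so you can tell before re-issuing whether `--key-type rsa` is the fix. The sample keys it carries are constructed stubs (correct PKCS#8 framing with an empty key payload), not real private keys; `key_type`, `_read_tlv`, `_decode_oid` and the sample names are this example's own.

```python
import base64
import re
import sys

# Algorithm OIDs from the privateKeyAlgorithm field of a PKCS#8 PrivateKeyInfo.
OID_TO_KEY_TYPE = {
    "1.2.840.113549.1.1.1": "rsa",    # rsaEncryption
    "1.2.840.10045.2.1": "ecdsa",     # id-ecPublicKey (used for EC private keys too)
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data):
    """Turn raw OID content bytes into dotted notation, e.g. '1.2.840.10045.2.1'."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:           # high bit clear: this byte ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def key_type(pem):
    """Return 'rsa', 'ecdsa' or 'unknown' for a PEM-encoded private key."""
    match = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not match:
        return "unknown"
    label, body = match.group(1), match.group(2)
    # Legacy (OpenSSL "traditional") labels already name the algorithm.
    if label == "RSA PRIVATE KEY":
        return "rsa"
    if label == "EC PRIVATE KEY":
        return "ecdsa"
    if label != "PRIVATE KEY":        # PKCS#8 is the only other layout handled here
        return "unknown"
    der = base64.b64decode("".join(body.split()))
    tag, info, _ = _read_tlv(der, 0)          # PrivateKeyInfo SEQUENCE
    if tag != 0x30:
        return "unknown"
    _, _, pos = _read_tlv(info, 0)            # version INTEGER (skipped)
    _, alg, _ = _read_tlv(info, pos)          # privateKeyAlgorithm SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)           # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        return "unknown"
    return OID_TO_KEY_TYPE.get(_decode_oid(oid), "unknown")


# --- constructed sample inputs (not real keys: the key payload is empty) ---
def _der(tag, payload):
    if len(payload) >= 128:
        raise ValueError("short-form lengths only; enough for these stubs")
    return bytes([tag, len(payload)]) + payload


def _pkcs8_stub(alg_ident):
    # PrivateKeyInfo { version 0, privateKeyAlgorithm, privateKey OCTET STRING }
    return _der(0x30, _der(0x02, b"\x00") + alg_ident + _der(0x04, b""))


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
EC_OID = bytes.fromhex("06072a8648ce3d0201")        # 1.2.840.10045.2.1
P256_OID = bytes.fromhex("06082a8648ce3d030107")    # prime256v1 curve parameter

SAMPLE_ECDSA_KEY = _pem("PRIVATE KEY", _pkcs8_stub(_der(0x30, EC_OID + P256_OID)))
SAMPLE_RSA_KEY = _pem("PRIVATE KEY", _pkcs8_stub(_der(0x30, RSA_OID + b"\x05\x00")))
SAMPLE_LEGACY_RSA_KEY = _pem("RSA PRIVATE KEY", b"\x30\x00")

if __name__ == "__main__":
    # Usage: python keytype.py ~/lets-encrypt/live/<certname>/privkey.pem
    pem_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ECDSA_KEY
    kind = key_type(pem_text)
    print(f"private key algorithm: {kind}")
    if kind == "ecdsa":
        print("hint: re-run certbot with --key-type rsa for software that lacks ECDSA support")
```

Run it against `live/<certname>/privkey.pem`; "ecdsa" on a certbot 2.x key confirms the default described above, and re-issuing with `--key-type rsa` produces a PKCS#8 key whose OID is rsaEncryption. The parser stops at the AlgorithmIdentifier and never touches the key material, so it is safe to run on a live key file, and unrecognised labels (encrypted keys, anything that is not PKCS#8 or a legacy OpenSSL label) come back as "unknown" rather than being mis-classified.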

And... that's all she wrote!
Server ate those up like Hershey Kisses.
Thanks so much!
