Mac OS Server Unable to renew cert for first time

Hey guys, the Mac OS Server just runs for the profilemanager to administrate apple clients. Now i want to renew my lets encrypt cert for the first time, but it doesn`t work. So maybe you can help me? That would be really nice.

My domain is:

I ran this command: sudo certbot renew -i apache -a webroot -w /etc/apache2

It produced this output:

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): 10.15 - Catalina

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.8.0

Where does that command come from? Because that’s not the standard renew command… Normally, running just sudo certbot renew will suffice.

I just google it…

The error message with sudo certbot renew:
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

It seems your renewal configuration has been damaged. Normally, this should not have happened. Did you modify it by any chance? And could you paste the output here?

I dont have renewal configuration. I just try it actually manually and for the first time.

That’s the renewal configuration file.

oh well - sorry, i am not professionell in that! :slight_smile:

#renew_before_expiry = 30 days
version = 1.5.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

#Options used in the renewal process
account = e1d020d3ac2dc7058a077fd3dbd87f2d
authenticator = webroot
server =

No, my fault, it is obvious to me, but I can understand it’s not for someone who doesn’t have much experience with certbot.

So it seems your renewal configuration file is missing the actual webroot setting for the webroot plugin. It also doesn’t specify the apache plugin as an installer. Do you remember (or have it stored somewhere) the original command you’ve used to get the cert? (Maybe history | grep certbot might still have it remembered.)

Thank you!

I think i used the following command: certbot certonly --standalone -d

Maybe this will help:

From the point

Two more steps to take…

Ah, well, the --standalone option should not be used unless it’s really necessary for the situation IMO. It seems you want to “move over” to the apache plugin, which I can understand.

However, if you used that command, why does the renewal configuration file say you’ve used the webroot authenticator previously? Still doesn’t really add up…

But if you want to change to the apache plugin, why not let that plugin authenticate the hostname too? Why use the webroot anyway? I read the How To… It’s horrible… Just horrible…

I would try sudo certbot renew --apache without any other arguments and see what happens.

I dont need apache, because i dont want hosting any website. I just want to use the profilemanager and this works for the moment.

    sudo certbot renew --apache

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Could not find ssl_module; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)

OK, so now I’m puzzled… You say you’re using Apache. But that guide about MacOS MDM Server doesn’t mention Apache at all? Not sure if the apache plugin would work… It most certainly won’t work if there isn’t any Apache in play of course.

Well, I was majorly confused as you told us in your first post your webserver was Apache? Without a “normal” webserver like Apache this is very out of my league. I have no MacOS experience what so ever, so I’m not the right person to help you with that… I thought you were actually using Apache.

I would recommend following the guide again, because it seems you haven’t done what the guide told you. Your renewal configuration file is missing critical information, which is included in the guide you mentioned. The webroot_path and [[webroot_map]] parts are missing.

I am confused as well. When i start following command:

sudo brew services start httpd

Error: Formula httpd is not installed.

So apache is not running? Because MacOS MDM Server got an own webservices?

ok thank you for your time, i will try that!

Should it? It isn’t mentioned in the guide you posted above an earlier you said you didn’t need Apache! I’m getting more and more confused here.

okay, this was pretty easy:

in this file: /etc/letsencrypt/renewal/

i added following like posted in the tutorial:

webroot_path = /Library/Server/Web/Data/Sites/Default,
[[webroot_map]] = /Library/Server/Web/Data/Sites/Default

and now it works fine…

Thank you really much @Osiris for your help and time. I am very sorry about confusing you!!! :wink:


So maybe having used that webroot path:

Instead of the the one you googled:

Might have worked all along…

1 Like

Yes, it would have. 


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.