Mac OSX (Server): import LE certificate?


#1

Using a Mac (OSX Server, El Capitan).
I have successfully created my certificate (letsencrypt-auto certonly --manual),
and the certificate files are in /etc/letsencrypt/live/…

How do I import them on my Mac?
Related: how do I add them to OSX Server?
I can not drag+drop the files because the /etc/letsencrypt/live folder is not accessible in the Finder,
plus I wonder what happens after the certificates are renewed.


#2

Ah! A fellow user of OSX Server. I’d like to ride along with you as you get the cert installed. I haven’t tried yet, but I’m encouraged to see that you succeeded with the script installation.

When you say it’s not accessible, that could mean several things.

Can’t find the directory

– Can you see the directory at all? If not, you may need to make hidden files visible in Finder. http://osxdaily.com/2009/02/25/show-hidden-files-in-os-x/

– Have you tried a search on “letsencrypt” in Finder and it’s not showing up? Try including system files in the search. https://support.apple.com/en-us/HT202121

Don’t have permission to view the directory

– Is the directory there, but it’s greyed out? Or do you get an error when you double-click the folder saying that you don’t have permission?

  • Make sure you’re logged in as an administrator
  • Add “Administrators” to the list of users that have permission to access the folder (be careful…) [rats, I’m a new user so I can only put 2 links in a post, I’ll post this section in another reply]

Do any of these things help? Sorry if these are too basic…

Mike


#3

Here’s that link I couldn’t post before…

  • Make sure you’re logged in as an administrator
  • Add “Administrators” to the list of users that have permission to access the folder (be careful…) http://www.macinstruct.com/node/415

I went ahead and ran the script on a local Mac, just to see what would happen. Did you see this when you ran it? It’s doing a fair amount of mucking about with permissions (and has that “very experimental” warning right at the top).

I decided not to actually run the script after seeing the permissions-changes it’s proposing. Most of those directories are currently system-owned on my machine.

macbook:letsencrypt $ ./letsencrypt-auto --help

grep: /etc/os-release: No such file or directory
WARNING: Mac OS X support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

macbook:letsencrypt $ ./letsencrypt-auto --help --debug

grep: /etc/os-release: No such file or directory
Bootstrapping dependencies for Mac OS X...
Homebrew Not Installed
Downloading...

==> This script will install:
/usr/local/bin/brew
/usr/local/Library/...
/usr/local/share/man/man1/brew.1

==> The following directories will be made group writable:
/usr/local/.
/usr/local/bin
/usr/local/include
/usr/local/lib
/usr/local/lib/pkgconfig

==> The following directories will have their owner set to mikeoconnor:
/usr/local/.
/usr/local/bin
/usr/local/include
/usr/local/lib
/usr/local/lib/pkgconfig

==> The following directories will have their group set to admin:
/usr/local/.
/usr/local/bin
/usr/local/include
/usr/local/lib
/usr/local/lib/pkgconfig

#4

Yes, with “not accessible” I meant: regular users can not read the /etc/letsencrypt/live folder.
I could log in as administrator and then drag and drop the files into the Server app.
But, I am hoping there is a command line way of doing it.
Also because I have the feeling this needs to be repeated every time the certificates are renewed.


#5

I used the manual creation (letsencrypt-auto certonly --manual), and ran the standalone Python server on a different system. The reason: even when you switch off the OSX Server webserver, it will continue to run the http proxy server. Have not found a simple way to switch that one off temporarily.

I am already a homebrew user, so the /usr/local permissions were already taken care of.
During the installation the brew package virtualenv was installed. The installation is pretty straightforward.

So, a bit of a hassle to change the router port forwarding to another system, and manually run the Python server + create the temp files. But that’s ok for now, I am sure it will improve over time.

My question is about how to get my newly created certificates to be read by the Server app and/or used by my websites. I have used the Server app to configure my sites.


#6

Ah! I was talking wildly below your level. Sorry about that. Here’s a little writeup I did to remind myself how to load multi-domain certs (from Godaddy) on to my OSX Server. I use this post once a year. Imagine you’re Godaddy – so you’ve created the files that they send and now you’re dragging and dropping. Not automated/command-line, but maybe it’ll help…

https://www.haven2.com/index.php/archives/godaddy-ucc-cert-in-osx-server


#7

No worries, all ideas are welcome!
Useful writeup. Exactly why I am looking for a command line way. Would not want to do that every 90 days.


#8

For OS X Server, does it store the items in the system keychain? If so, look at the “security” command, specifically “security import” which can import a pkcs12 file. You can get one of these by using OpenSSL to take the individual pem files generated via letsencrypt and converting them to a single pkcs12 file.


#9

Thanks @motoko, yes I have the feeling I could be using security import, possibly using openssl pkcs12 -export to get a single file.

But, getting there has been trial and (only) error so far.

My efforts so far:

  • verifying using security: security verify-cert -c fullchain.pem -p ssl results in: ...certificate verification successful. This suggests I don’t have to use openssl to export single file?
  • importing using security: security -v import fullchain.pem results in import "fullchain.pem". 2 certificates imported. However: where can I find these? Also tried security import cert.pem with same result: 1 certificate imported.
  • Trying to find the imported keychain I used the Keychain Access tool (searched for “Let’s” in all items). Also tried security find-certificate which shows one certificate: “Apple Code Signing Certification Authority”.
  • Just in case, I also tried creating p12 file using openssl: echo "mypassword" | openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile chain.pem -out letsencrypt_sslcert.p12 -name "Let's Encrypt" -passout stdin . I believe a password is required? The verification fails (which I can understand because I can not provide password details). Then tried to import that file security -v import sslcert.p12 -P "mypassword" which also results in 1 certificate imported.

The information I have been using:


#10

Best result so far is with certtool:

certtool i fullchain.pem k=/Library/Keychains/System.keychain v x=S

The certificate is added to Keychain Access, with green check-mark. So: looking good!
But it does not show up in the Server app. In the example with the manual Keychain Access import it does show up in the Server app.

Edit:
Same result with (tried both with and without -w):

security import fullchain.pem -k /Library/Keychains/System.keychain

Edit:
Makes sense I guess, there was no private key linked to the certificate.
In Keychain Access, for a correctly installed certificate I could click the small triangle and see the associated private key.
For my newly imported certificate there was no triangle.

I tried adding the private key (using relative or absolute path/file):

certtool i fullchain.pem k=/Library/Keychains/System.keychain v x=S r=privkey.pem

I then get:

***Error finding size of key : CSSM_QueryKeySizeInBits: CSSMERR_CSP_INVALID_KEY
***Error importing private key. Aborting : importPrivateKey: CSSMERR_CSP_INVALID_KEY

Before using certtool i again I (had to) remove the Let’s Encrypt certificate:

security delete-certificate -c "<mydomain>"

#11

If you’re keeping the pkcs12 local, you don’t need to provide a password, just leave it blank. Importing the pkcs12 file is probably the best way to get the key and associated certificate imported together.


#12

Thanks @motoko ! Your tips helped me find the magic combination.
It is working now. Great!

# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:topsecret

# security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret 
1 identity imported.
2 certificates imported.

In Keychain Access it creates the expected certificates (“Let’s Encrypt Authority X1”, and “mydomain.com” with the private key). And in the Server app the “mydomain.com” certificate appears.

I had to provide a password after all.
What is the official way to use openssl without a password?
I tried -passout pass: (without a string), but when I verify (security verify-cert -c letsencrypt_sslcert.p12) it still did expect me to press enter when prompted for the password. And the security import did not work then.

Next challenges:

  • How to delete the certificate using the command line? I tried security delete-certificate -c "mydomain.com". The result: "mydomain.com" is ambiguous, matches more than one certificate. I guess because there also is a certificate for www.mydomain.com. I could use -Z with the SHA-1 hash value, but how to determine that using the command line?
  • How to delete the certificate using Keychain Access? When I delete the “mydomain.com” certificate I get an error message “An invalid record was encountered”. A bug? The workaround: quit Keychain Access and delete again. The “Let’s Encrypt Authority X1” certificate can be deleted without an issue.
  • How to replace the certificate? The goal of the above is to automatically “update” the certificate in Keychain Access and Server. The documentation I found is old and very manual.

#13

Hello, you got a lot further than I thought someone had! I was about to start reinventing this wheel. Did you ever get the removal/replacement of the cert figured out?

Fantastic work!


#14

Unfortunately not. There’s also a permission issue when I try to use the private key.
I have put the experimenting on hold.


#15

I did find this post which works as a solution to the apache2 proxy problem you saw (see the last post to use the custom proxy site by DDJarod).

I tried it and it works like a charm, I just needed to change the proxy port to 34580 for regular http. After that I no longer had to use a separate machine to run the python web server.


#16

Interesting! Thanks for sharing.


#17

I’m running an OS X server with Let’s Encrypt certificates installed. I ran into the problems discussed earlier and ended up getting the certificate in manual mode while temporarily redirecting the name to a Ubuntu box. Hopefully when it comes to renewal I can figure out the command-line flow.
I do have a tip for opening arbitrary directories in Finder: the open command-line tool. For example, to open the current directory, open ., or in this case, open /etc/letsencrypt/live.


#18

I was able to solve the permission issues by importing the certificate with the -A option.

security import /etc/letsencrypt/live/$1/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -A

However I then block at the procedure to add this certificate to a web site. There seems to be a way using serveradmin but I haven’t figured it out yet (not to speak of the renewal).


#19

I don’t prefer the -A option (it allows all applications access to the private key). Instead I would prefer:

security import /etc/letsencrypt/live/$1/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgr

which only gives access to servermgr.

While doing this I ran into problems with keychain access. The system log shows

1/7/16 11:03:15.278 AM SecurityAgent[2110]: Ignoring user action since the dialog has received events from an untrusted source

Workaround is to do this locally at the server, not remote via ARD.

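The pieces above can be put together into one script that answers the three "next challenges" from post #12 (getting the SHA-1 hash for security -Z on the command line, deleting the old entry, replacing it on renewal) and uses the -T restriction from post #19 instead of -A. This is an added example, not a script from anyone in this thread, from letsencrypt-auto, or from Server.app. Assumptions: the usual /etc/letsencrypt/live/<domain>/ layout, the servermgr path quoted in post #19, a state directory /var/db/le-import (chosen here, not something Server.app uses) to remember the hash of the last imported certificate, and that it runs as root on the server console, since the -T grant pops up the SecurityAgent dialog that post #19 says does not work over ARD.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's script, not part of
# letsencrypt-auto or Server.app). Assumes the /etc/letsencrypt/live/<domain>/
# layout, macOS `security` and `openssl`, and a local root shell on the server.
set -eu

LIVE_ROOT="/etc/letsencrypt/live"
KEYCHAIN="/Library/Keychains/System.keychain"
STATE_DIR="/var/db/le-import"      # assumption: where the last imported hash is recorded
SERVERMGR="/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgr"

# `security delete-certificate -Z` / `delete-identity -Z` want the SHA-1 hash as
# 40 uppercase hex digits with no colons. Normalise the fingerprint line that
# openssl prints ("SHA1 Fingerprint=AB:CD:..." in 1.x, "sha1 Fingerprint=" in 3.x).
fingerprint_to_hash() {
  printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Refuse to hand anything but a well-formed hash to `security -Z`.
hash_looks_valid() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# SHA-1 hash of a PEM certificate, in the form security -Z expects. This is the
# command-line answer to "how do I determine the hash" from post #12.
cert_sha1() {
  fingerprint_to_hash "$(openssl x509 -noout -sha1 -fingerprint -in "$1")"
}

# Remove the previously imported identity by hash, so `-c mydomain.com` never
# has to be used (it also matches www.mydomain.com, hence "is ambiguous").
remove_old_identity() {
  hash="$1"
  hash_looks_valid "$hash" || { echo "bad SHA-1 hash: $hash" >&2; return 1; }
  # delete-identity removes certificate and private key together; fall back to
  # delete-certificate on a `security` that lacks it. Missing entries are fine.
  security delete-identity -Z "$hash" "$KEYCHAIN" 2>/dev/null \
    || security delete-certificate -Z "$hash" "$KEYCHAIN" 2>/dev/null \
    || true
}

deploy_cert() {
  domain="$1"
  live="$LIVE_ROOT/$domain"
  state="$STATE_DIR/$domain.sha1"
  mkdir -p "$STATE_DIR"

  new_hash="$(cert_sha1 "$live/cert.pem")"
  old_hash=""
  [ -f "$state" ] && old_hash="$(cat "$state")"
  if [ "$old_hash" = "$new_hash" ]; then
    echo "$domain: certificate $new_hash already imported" >&2
    return 0
  fi

  # Throwaway passphrase: a literal such as `-P topsecret` is visible to every
  # local user via `ps`, and the .p12 only lives in a 0700 temp dir during import.
  pass="$(openssl rand -hex 16)"
  tmp="$(mktemp -d /tmp/le-import.XXXXXX)"
  trap 'rm -rf "$tmp"' EXIT INT TERM
  p12="$tmp/$domain.p12"

  # Bundle leaf cert, key and intermediate(s). chain.pem (not fullchain.pem)
  # avoids packing the leaf certificate twice.
  openssl pkcs12 -export \
    -inkey "$live/privkey.pem" -in "$live/cert.pem" -certfile "$live/chain.pem" \
    -name "$domain" -out "$p12" -passout "pass:$pass"

  # Import new identity first (so the server is never without one), then drop
  # the old. -T limits private-key use to servermgr; -A would allow every app.
  security import "$p12" -f pkcs12 -k "$KEYCHAIN" -P "$pass" -T "$SERVERMGR"
  if [ -n "$old_hash" ]; then
    remove_old_identity "$old_hash"
  fi
  printf '%s\n' "$new_hash" > "$state"
  echo "$domain: imported $new_hash, removed ${old_hash:-nothing}" >&2
}

# Usage: sh le-import.sh mydomain.com  (after each renewal, from cron or a
# renewal hook). With no argument the file only defines the functions.
case "${1:-}" in
  "") ;;
  *) deploy_cert "$1" ;;
esac
```

Run it once per domain after every renewal. The hash recorded in the state file is exactly the value Keychain Access shows as the SHA-1 fingerprint, so the same number can be pasted into security delete-certificate -Z by hand if needed. The passphrase is still passed as an argument to security import, so it is briefly visible in the process list; the difference from a fixed "topsecret" is that it is random, never reused, and the .p12 it protects is deleted by the trap when the function returns. Which site Server.app uses is not changed by this script; that still has to be selected in the Server app (or via serveradmin, as post #18 mentions).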

#20

Hello folks, fantastic work!!!
(Special thanks to majorsl’s post “[Solved] Apple server proxy blocks access to .well-known”.)
I’m actually at the same point as wiku… (I think…)
My certificates are in /etc/letsencrypt and added to the OS X Server keychain; I can also see the certificate in the Server app, but I can’t use it…
If I want to use the certificate for a web page I can sign it, but the Server app still turns it back to the previous one.
Any ideas?
(Sorry about my English, I’m not a native speaker… :sweat_smile: )