Mac OSX (Server): import LE certificate?

Using a Mac (OSX Server, El Capitan).
I have successfully created my certificate (letsencrypt-auto certonly --manual),
and the certificate files are in /etc/letsencrypt/live/…

How do I import them on my Mac?
Related: how do I add them to OSX Server?
I cannot drag and drop the files because the /etc/letsencrypt/live folder is not accessible in the Finder,
plus I wonder what happens after the certificates are renewed.


Ah! A fellow user of OSX Server. I’d like to ride along with you as you get the cert installed. I haven’t tried yet, but I’m encouraged to see that you succeeded with the script installation.

When you say it’s not accessible, that could mean several things.

Can’t find the directory

– can you see the directory at all? if not, you may need to make hidden files visible in Finder. http://osxdaily.com/2009/02/25/show-hidden-files-in-os-x/

– have you tried a search on “letsencrypt” in Finder and it’s not showing up? Try including system files in the search. https://support.apple.com/en-us/HT202121

Don’t have permission to view the directory

– is the directory there, but it’s greyed out? or do you get an error when you double-click the folder saying that you don’t have permission?

  • Make sure you’re logged in as an administrator
  • Add “Administrators” to the list of users that have permission to access the folder (be careful…) [rats, I’m a new user so I can only put 2 links in a post, I’ll post this section in another reply]

Do any of these things help? Sorry if these are too basic…

Mike

Here’s that link I couldn’t post before…

  • Make sure you’re logged in as an administrator
  • Add “Administrators” to the list of users that have permission to access the folder (be careful…) http://www.macinstruct.com/node/415

I went ahead and ran the script on a local Mac, just to see what would happen. Did you see this when you ran it? It’s doing a fair amount of mucking about with permissions (and has that “very experimental” warning right at the top).

I decided not to actually run the script after seeing the permissions-changes it’s proposing. Most of those directories are currently system-owned on my machine.

macbook:letsencrypt $ ./letsencrypt-auto --help

grep: /etc/os-release: No such file or directory
WARNING: Mac OS X support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

macbook:letsencrypt $ ./letsencrypt-auto --help --debug

grep: /etc/os-release: No such file or directory
Bootstrapping dependencies for Mac OS X...
Homebrew Not Installed
Downloading...

==> This script will install:
/usr/local/bin/brew
/usr/local/Library/...
/usr/local/share/man/man1/brew.1

==> The following directories will be made group writable:
/usr/local/.
/usr/local/bin
/usr/local/include
/usr/local/lib
/usr/local/lib/pkgconfig

==> The following directories will have their owner set to mikeoconnor:
/usr/local/.
/usr/local/bin
/usr/local/include
/usr/local/lib
/usr/local/lib/pkgconfig

==> The following directories will have their group set to admin:
/usr/local/.
/usr/local/bin
/usr/local/include
/usr/local/lib
/usr/local/lib/pkgconfig

Yes, with “not accessible” I meant: regular users cannot read the /etc/letsencrypt/live folder.
I could log in as administrator and then drag and drop the files into the Server app.
But, I am hoping there is a command line way of doing it.
Also because I have the feeling this needs to be repeated every time the certificates are renewed.

I used the manual creation (letsencrypt-auto certonly --manual), and ran the standalone Python server on a different system. The reason: even when you switch off the OSX Server webserver, it will continue to run the http proxy server. I have not found a simple way to switch that one off temporarily.

I am already a homebrew user, so the /usr/local permissions were already taken care of.
During the installation the brew package virtualenv was installed. The installation is pretty straightforward.

So, a bit of a hassle to change the router port forwarding to another system, and manually run the Python server + create the temp files. But that’s ok for now, I am sure it will improve over time.

My question is about how to get my newly created certificates to be read by the Server app and/or used by my websites. I have used the Server app to configure my sites.

Ah! I was talking wildly below your level. Sorry about that. Here’s a little writeup I did to remind myself how to load multi-domain certs (from Godaddy) on to my OSX Server. I use this post once a year. Imagine you’re Godaddy – so you’ve created the files that they send and now you’re dragging and dropping. Not automated/command-line, but maybe it’ll help…

https://www.haven2.com/index.php/archives/godaddy-ucc-cert-in-osx-server

No worries, all ideas are welcome!
Useful writeup. Exactly why I am looking for a command line way. Would not want to do that every 90 days.

For OS X Server, does it store the items in the system keychain? If so, look at the “security” command, specifically “security import” which can import a pkcs12 file. You can get one of these by using OpenSSL to take the individual pem files generated via letsencrypt and converting them to a single pkcs12 file.

thanks @motoko , yes I have the feeling I could be using security import, possibly using openssl pkcs12 -export to get a single file.

But, getting there has been trial and (only) error so far.

My efforts so far:

  • verifying using security: security verify-cert -c fullchain.pem -p ssl results in: ...certificate verification successful. This suggests I don’t have to use openssl to export single file?
  • importing using security: security -v import fullchain.pem results in import "fullchain.pem". 2 certificates imported. However: where can I find these? Also tried security import cert.pem with same result: 1 certificate imported.
  • Trying to find the imported keychain I used the Keychain Access tool (searched for “Let’s” in all items). Also tried security find-certificate which shows one certificate: “Apple Code Signing Certification Authority”.
  • Just in case, I also tried creating a p12 file using openssl: echo "mypassword" | openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile chain.pem -out letsencrypt_sslcert.p12 -name "Let's Encrypt" -passout stdin . I believe a password is required? The verification fails (which I can understand because I cannot provide password details). Then I tried to import that file with security -v import sslcert.p12 -P "mypassword", which also results in 1 certificate imported.

The information I have been using:

Best result so far is with certtool:

certtool i fullchain.pem k=/Library/Keychains/System.keychain v x=S

The certificate is added to Keychain Access, with green check-mark. So: looking good!
But it does not show up in the Server app. In the example with the manual Keychain Access import it does show up in the Server app.

Edit:
Same result with (tried both with and without -w):

security import fullchain.pem -k /Library/Keychains/System.keychain

Edit:
Makes sense I guess, there was no private key linked to the certificate.
In Keychain Access, for a correctly installed certificate I could click the small triangle and see the associated private key.
For my newly imported certificate there was no triangle.

I tried adding the private key (using relative or absolute path/file):

certtool i fullchain.pem k=/Library/Keychains/System.keychain v x=S r=privkey.pem

I then get:

***Error finding size of key : CSSM_QueryKeySizeInBits: CSSMERR_CSP_INVALID_KEY
***Error importing private key. Aborting : importPrivateKey: CSSMERR_CSP_INVALID_KEY

Before using certtool i again I (had to) remove the Let’s Encrypt certificate:

security delete-certificate -c "<mydomain>"

If you’re keeping the pkcs12 local, you don’t need to provide a password, just leave it blank. Importing the pkcs12 file is probably the best way to get the key and associated certificate imported together.

Thanks @motoko ! Your tips helped me find the magic combination.
It is working now. Great!

# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:topsecret

# security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret 
1 identity imported.
2 certificates imported.

In Keychain Access it creates the expected certificates (“Let’s Encrypt Authority X1”, and “mydomain.com” with the private key). And in the Server app the “mydomain.com” certificate appears.

I had to provide a password after all.
What is the official way to use openssl without a password?
I tried -passout pass: (without a string), but when I verify (security verify-cert -c letsencrypt_sslcert.p12) it still did expect me to press enter when prompted for the password. And the security import did not work then.

Next challenges:

  • How to delete the certificate using command line? I tried security delete-certificate -c "mydomain.com". The result "mydomain.com" is ambiguous, matches more than one certificate. I guess because there also is a certificate for www.mydomain.com. I could use -Z with the SHA-1 hash value, but how to determine that using the command line?
  • How to delete the certificate using Keychain Access? When I delete the “mydomain.com” certificate I get an error message “An invalid record was encountered”. A bug? The workaround: quit Keychain Access and delete again. The “Let’s Encrypt Authority X1” certificate can be deleted without an issue.
  • How to replace the certificate? The goal of the above is to automatically “update” the certificate in Keychain Access and Server. The documentation I found is old and very manual.

Hello, you got a lot further than I thought anyone had! I was about to start reinventing this wheel. Did you ever get the removal/replacement of the cert figured out?

Fantastic work!

Unfortunately not. There’s also a permission issue when I try to use the private key.
I have put the experimenting on hold.

I did find this post which works as a solution to the apache2 proxy problem you saw (see the last post to use the custom proxy site by DDJarod).

I tried it and it works like a charm, I just needed to change the proxy port to 34580 for regular http. After that I no longer had to use a separate machine to run the python web server.


Interesting! Thanks for sharing.

I’m running an OS X server with Let’s Encrypt certificates installed. I ran into the problems discussed earlier and ended up getting the certificate in manual mode while temporarily redirecting the name to a Ubuntu box. Hopefully when it comes to renewal I can figure out the command-line flow.
I do have a tip for opening arbitrary directories in Finder: the open command-line tool. For example, to open the current directory, open ., or in this case, open /etc/letsencrypt/live.

I was able to solve the permission issues by importing the certificate with the -A option.

security import /etc/letsencrypt/live/$1/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -A

However, I then get stuck at the procedure to add this certificate to a web site. There seems to be a way using serveradmin but I haven’t figured it out yet (not to speak of the renewal).

I don’t like the -A option (it allows all applications access to the private key). Instead I would prefer:

security import /etc/letsencrypt/live/$1/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgr

which only gives access to servermgr.

While doing this I ran into problems with Keychain Access. The system log shows:

1/7/16 11:03:15.278 AM SecurityAgent[2110]: Ignoring user action since the dialog has received events from an untrusted source

Workaround is to do this locally at the server, not remote via ARD.
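The export/import steps from the two posts above (openssl pkcs12 -export, then security import -f pkcs12 into the System keychain with -T instead of -A) and the open items from the earlier “Next challenges” list (deleting by SHA-1 hash with -Z instead of the ambiguous -c "mydomain.com", and replacing the certificate at renewal), pulled together into one script. This is an added example, not code from anyone in this thread. It assumes the certbot layout /etc/letsencrypt/live/<domain>/{privkey,cert,chain}.pem and the servermgr path quoted in the previous post; the installed.sha1 bookkeeping file and the random per-run PKCS#12 password are my own conventions, not anything the thread describes.

```shell
#!/bin/sh
# Added example for this thread, not a poster's script. Assumes the certbot
# live/ layout and the servermgr path quoted in the thread; the state file
# name (installed.sha1) is an assumption of this script only.
set -eu

SERVERMGR=/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgr
KEYCHAIN=/Library/Keychains/System.keychain

# SHA-1 fingerprint of a PEM certificate as 40 upper-case hex digits: the
# value `security find-certificate -Z` prints as "SHA-1 hash" and that
# `security delete-certificate -Z` expects.
cert_sha1() {           # usage: cert_sha1 <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Bundle private key + leaf + issuer chain into one PKCS#12 file. chain.pem
# (not fullchain.pem) goes in -certfile so the leaf is not bagged twice.
# A random password is generated per run and echoed to the caller; it only
# has to survive until `security import` has read the file.
export_p12() {          # usage: export_p12 <live_dir> <out.p12>  -> prints password
  live=$1; out=$2
  pass=$(openssl rand -hex 16)
  umask 077             # the .p12 contains the private key
  openssl pkcs12 -export \
    -inkey "$live/privkey.pem" -in "$live/cert.pem" -certfile "$live/chain.pem" \
    -name "$(basename "$live")" -out "$out" -passout "pass:$pass"
  printf '%s\n' "$pass"
}

# Confirm the bundle opens with the password and actually carries a key;
# a certificate-only bundle is exactly what produced "1 certificate imported"
# with no identity earlier in the thread.
p12_has_key() {         # usage: p12_has_key <file.p12> <password>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Import the identity into the System keychain and let only servermgr use
# the private key (-T), rather than every application (-A).
import_identity() {     # usage: import_identity <file.p12> <password>
  security import "$1" -f pkcs12 -k "$KEYCHAIN" -P "$2" -T "$SERVERMGR"
}

# Install or renew: remove the certificate installed last time by the hash we
# recorded (a bare -c "<domain>" is ambiguous once www.<domain> exists too),
# import the current one, and record its hash for the next renewal.
install_or_renew() {    # usage: install_or_renew <domain>
  live=/etc/letsencrypt/live/$1
  state=$live/installed.sha1
  p12=$live/letsencrypt_sslcert.p12
  pass=$(export_p12 "$live" "$p12")
  p12_has_key "$p12" "$pass"
  if [ -f "$state" ]; then
    security delete-certificate -Z "$(cat "$state")" "$KEYCHAIN" || true
  fi
  import_identity "$p12" "$pass"
  cert_sha1 "$live/cert.pem" > "$state"
  rm -f "$p12"          # key material is now in the keychain; drop the copy
}

# Entry point, e.g.  sudo ./le-keychain.sh renew mydomain.com
# (does nothing when the file is sourced or run without arguments).
case "${1:-}" in
  install|renew) install_or_renew "$2" ;;
esac
```

Run it as root on the server, since both the live/ directory and the System keychain need that. The openssl parts run anywhere; the security calls only exist on macOS. With OpenSSL 3.x the exported bundle defaults to AES-256/PBKDF2 encryption, which older `security import` builds may fail to parse; if the import fails there, add `-legacy` to the `openssl pkcs12 -export` call. Deleting by hash removes only the certificate, so the previous private key stays in the keychain until you remove it by hand.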

Hello folks, fantastic work!!!
(Special thanks to majorsl’s post “[Solved] Apple server proxy blocks access to .well-known”.)
I’m actually at the same point as wiku… (I think…)
My certificates are in /etc/letsencrypt and added to the OS X Server keychain; I can also see the certificate in the Server app, but I can’t use it…
If I want to use the certificate for a web page I can sign it, but the Server app still turns it back to the previous one.
Any ideas?
(Sorry about my English, I’m not a native speaker… :sweat_smile:)