Mac OSX (Server): import LE certificate?

I’ve encountered a nasty bug when importing a certificate to the keychain. I’ve submitted a radar to Apple.

Basically it looks like this:

  1. There is a Let's Encrypt cert and some website is configured via Server.app to use it. Everything is happy.
  2. The cert is automatically renewed and imported via the security command to the keychain.
  3. Some Server daemon notices the new certificate and updates the configuration files.
  4. The Apache web proxy gets misconfigured with duplicate entries in /Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites.conf
  5. The webserver is broken.

BTW I noticed @cyrilpic's scripts use certupdate. According to the man page:

When the System Keychain changes, certupdate will be called with the remove or replace command. 
certupdate will in turn call each of the helper tools and return the highest numbered exit status from the helper tools

From what I see and read in the man page, invoking certupdate manually should not be required, as it is automatically invoked when a cert is imported into the keychain.