Many thanks to the folks that have posted here and the related thread regarding the .well-known issue.
I have successfully installed several letsencrypt certs on my Mac running OS X 10.11.4 + Server.app 5.1. I thought I would post my steps here in one concise post to help anyone else that might be struggling with this.
UPDATE YOUR MAC:
Update to OS X 10.11.4
Update Server.app to 5.1
SET UP / INSTALL LETSENCRYPT
sudo mkdir /etc/letsencrypt
sudo mkdir /var/lib/letsencrypt
sudo mkdir /var/log/letsencrypt
brew install letsencrypt
Please note: I already had homebrew installed. Visit the homebrew site for instructions on installing homebrew or use a different method to install letsencrypt.
You want to make sure that it succeeds at creating and verifying a test certificate first, otherwise you might hit a rate limit at letsencrypt for your domain.
sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/SiteRootDirectory/PublicDirectory** -d example.com -d www.example.com **--test-cert**
ONCE THE TEST SUCCEEDS:
sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/SiteRootDirectory/PublicDirectory -d example.com -d www.example.com
It will ask if you want to replace/renew and you want to say yes because the successful test cert won’t be verified
CONVERT CERT FOR OS X:
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/cert.pem -certfile /etc/letsencrypt/live/example.com/fullchain.pem -out /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12 -passout pass:topsecret
VERIFY CERT (OPTIONAL/MIGHT FAIL):
sudo security verify-cert -c /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12
This failed for me but after importing into the keychain and applying the cert to the site in Server.app, it worked like a charm.
IMPORT CERT TO OS X KEYCHAIN:
sudo security import /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
Once the cert has been added to the OS X keychain open (or quit and relaunch) Server.app and apply the cert to your site. If you had Server.app open while adding the cert to the keychain, Server.app will not see the new cert until you quit and relaunch Server.app
I replaced instances of “topsecret” with my own password. Instances of example.com should be replaced with your domain. SiteRootDirectory is the directory that your project lives in, PublicDirectory is the directory that apache points to for serving files. In some cases these may be the same directory depending on your web site is organized.
There may be things I haven’t done entirely perfectly here and I welcome any comments / revisions.