Did you check the authorizations for the private key (Keychain Access, double click on the key and check Access Control) ? You need to make sure that the Server app can use the private key from the Keychain.
thanks cyrilpic, i think youâre right it´s a permissions problemâŚ
if i clicked at the key i can see that only âsystemâ can use it.
but if wan´t to change os x ask
1st for admin (because change the keychain)
and
2nd for another admin? could this be root?
at the end i can´t change the permissions for this key⌠(i think it´s a problem because i´ve put the *.p12 file by root (sudo tcsh) in keychain⌠right?)
Iâm sorry. I canât directly help you further. I have had no problems changing the permissions of the key (even though I imported it with root user).
Many thanks to the folks that have posted here and the related thread regarding the .well-known issue.
I have successfully installed several letsencrypt certs on my Mac running OS X 10.11.4 + Server.app 5.1. I thought I would post my steps here in one concise post to help anyone else that might be struggling with this.
UPDATE YOUR MAC:
Update to OS X 10.11.4
Update Server.app to 5.1
SET UP / INSTALL LETSENCRYPT
brew update
sudo mkdir /etc/letsencrypt
sudo mkdir /var/lib/letsencrypt
sudo mkdir /var/log/letsencrypt
brew install letsencrypt
Please note: I already had homebrew installed. Visit the homebrew site for instructions on installing homebrew or use a different method to install letsencrypt.
TEST FIRST:
You want to make sure that it succeeds at creating and verifying a test certificate first, otherwise you might hit a rate limit at letsencrypt for your domain.
sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/SiteRootDirectory/PublicDirectory** -d example.com -d www.example.com **--test-cert**
ONCE THE TEST SUCCEEDS:
sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/SiteRootDirectory/PublicDirectory -d example.com -d www.example.com
It will ask if you want to replace/renew and you want to say yes because the successful test cert wonât be verified
CONVERT CERT FOR OS X:
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/cert.pem -certfile /etc/letsencrypt/live/example.com/fullchain.pem -out /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12 -passout pass:topsecret
VERIFY CERT (OPTIONAL/MIGHT FAIL):
sudo security verify-cert -c /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12
This failed for me but after importing into the keychain and applying the cert to the site in Server.app, it worked like a charm.
IMPORT CERT TO OS X KEYCHAIN:
sudo security import /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P topsecret -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
Once the cert has been added to the OS X keychain open (or quit and relaunch) Server.app and apply the cert to your site. If you had Server.app open while adding the cert to the keychain, Server.app will not see the new cert until you quit and relaunch Server.app
NOTES:
I replaced instances of âtopsecretâ with my own password. Instances of example.com should be replaced with your domain. SiteRootDirectory is the directory that your project lives in, PublicDirectory is the directory that apache points to for serving files. In some cases these may be the same directory depending on your web site is organized.
There may be things I havenât done entirely perfectly here and I welcome any comments / revisions.
2 Likes
Hi ChristopherRaymond,
Thanks for posting this walkthrough, it's been very helpful getting Let's Encrypt working on my Mac Server running 10.11.6 and Server.App 5.1.7. I just had a couple of quick questions.
First, when it comes to renewal time, does the renewed cert need to be manually imported into the Server app via the terminal each time, or will it automatically detect the renewal after running
certbot renew --quiet
Have you put together any scripts to handle renewal that you might be willing to share?
Second, have you had any success with a reverse proxy setup? I have two http reverse proxies setup based on the instructions at Precursor Systems OS X Server 5 Reverse Proxy . I've gotten your instructions to work with the main domain and www, but when I try to use it to provide certs with my two other subdomains (sub1 on the same server and sub2 on another server on the local network), I'm getting the following error:
IMPORTANT NOTES: - The following errors were reported by the server:
Domain: sub1.example.com Type: connection Detail: Could not connect to http://sub1.example.com/.well-known/acme-challenge/CkNKHFlhIiedd9wTgsjNcjXigaT2XmlFr3VmS8rZ0r0
Domain: sub2.example.com Type: connection Detail: Could not connect to http://sub2.example.com/.well-known/acme-challenge/EWhvY-IE_n5FvTDZJkk1r1s3A55sEQwRc5dNg83dQlo
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webfoot path you provided.
Would you happen to have any suggestions? Thanks in advance!
Hi fkick,
Yes, you need to do the conversion and import step at every renewal.
Here is a small script that I wrote for automating the process : https://gist.github.com/cyrilpic/4504527de3a7b08ed84e
When renewing, it asks certbox to renew the certificates, insert new certificates in the keychain, ask the server app to use the new certificates (through certupdate) and remove the old certificates from the keychain.
Use at your own risks 
(You need to sudo to use it.)
As for the reverse proxy part, updating to Server 5.1.7 solved all issues for me. Maybe try to delete the sub-domain and recreate itâŚ
Thanks cyrllpic,
Just to make sure I understand what needs to happen, I need to run certbox4osx with sudo, passing in either renew or new, my domain name, and my -w pathway.
Does it accept certificates with multiple subdomains? i.e. example.com and www.example.com and sub1.example.com?
The script is very basic.
To renew:
sudo certbot4osx renew
To get a new certificate:
sudo certbot4osx new my.domain.com /path/to/site/folder
The get a new certificate part only works for a single domain (lack of time to implement a full and nice interface), but you could easily change the script to fit your needs.
You donât need to use the ânewâ command to be able to use the ârenewâ command, but it assumes that the pkcs12 version of the certificate is called letsencrypt_sslcert.p12. I would expect the renew command to work also for multiple subdomains but I havenât tested it.
Again, the script is not very user friendly, but it does what I need. Iâll gladly accept improvement suggestions!
Reading your post: does it imply that certbot might not work on OSX earlier than 10.11 ?
This appears to mostly work. I am able to create & use certs for websites hosted by my mini.
However, when attempting to use a LE cert for Server.app itself, I receive the following error:
Server cannot access the private key for this certificate. To grant access, click Continue and enter your user name and password when prompted.
When I click continue, nothing happens.
Any ideas what I've done wrong?
Update: apparently "nothing happens" because it Just Works⢠but you can't tell that unless you click into the "custom..." menu.
Iâve encountered nasty bug when importing certificate to keychain. Iâve submited radar to Apple.
Basically it looks like this:
- There is a letencrypt cert and some website is configured via Server.app to use it. Everything is happy.
- Cert is automatically renewed and imported via
securitycommand to keychain - Some Server daemon notices new certificate and updates configuration files.
- Apache web proxy gets misconfigured with duplicate entries in
/Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites.conf - Webserver is broken.
BTW I noticed @cyrilpic scripts uses certupdate. According to man page:
When the System Keychain changes, certupdate will be called with the remove or replace command.
certupdate will in turn call each of the helper tools and return the highest numbered exit status from the helper tools
From what I see and read in man pakge invoking certupdate manually should not be required as it is automatically invoked when cert is imported into keychain.
The workaround I use is to switch the website to a self-signed cert (any one will work, just used as a place holder). Delete the old LE cert(s), let the scripts import the renewed cert(s) and the select the right cert(s) for each website. A pain, but you donât have to start from scratch each time. At least until they fix the issue. Same problems exists in 5.3.
Iâm having kind of the same issue as you report.
And yes using certupdate is messing things up. I havenât had much time to dig into this.
Currently, I run my script and then I manually reset the certificates in the Server.app. Definitely not ideal!
If you see similiar problems please file radars with Apple.
Feel free to reference my radar (rdar://30991727)
I would like to create fully automated setup I donât have to worry about breaking 