macOS server userdir site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I have macOS Sierra 10.12.5
using Server 5.3.1

I have enabled userdirs for making my website - uncomment

LoadModule apple_userdir_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/

in the file /Library/Server/Web/Config/apache2/httpd_server_app.conf

In this case, my webroot is /Users/walkloud/Sites where I created .well-known/acme-challenge.

Has anyone set up a certificate for such a scenario? I have failed so far. I first tried

sudo certbot certonly --webroot -w /Users/walkloud/Sites -d

but got the error Invalid character in DNS name. I then tried

sudo certbot certonly --webroot -w /Users/walkloud/Sites -d

but get the error: Invalid response from
So - clearly, I am not setting it up correctly. I know people using regular apache can also have userdir webpages, so I am looking for help that way - but thought someone here might know as well.

You cannot issue a certificate like this. Certificates belong to entire domains or subdomains, such as, not individual resources on those domains, like You would need to work with whomever manages the domain to obtain a certificate, as you don’t seem to have the proper administrative access to control the entire domain.

Thanks for the quick reply! This is a desktop in my office. I do have the entire domain I have root access to the computer. This is the first time I have ever set up a certificate, so I am not sure where to put the .well-known/acme-challenge folder. Following the other comments on macOS server, I now tried

mkdir -p /Library/Server/Web/Data/Sites/Default/.well-known/acme-challenge

and then

sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/Default -d

which registered with success - Congratulations! Your certificate and chain have been saved at:.

BUT - looking at other posts, I wonder if I should have made a folder here
where I then would have made the .well-known/acme-challenge folder?

OK - I followed the instructions on this post

which almost worked perfectly.
1 - I had to update to use certbot instead of letsencrypt-auto.
2 - I used a homebrew installation of certbot, so some of the executable paths were not the same


brew install certbot
sudo mkdir -p /Library/Server/Web/Data/Default/.well-known/acme-challenge
mkdir -p lets_encrypt/my_script/logs
cd lets_encrypt

I then made the cert.ini and files replacing YOUR_EMAIL, LIST_OF_DOMAINS_AND_SUBDOMAINS and WEB_ROOT_FOLDER.
In I have to change the path in the very first command from

sudo /Users/YOUR_USER/letsencrypt/letsencrypt-auto certonly -c cert.ini --dry-run 


sudo /usr/local/bin/certbot -c cert.ini --dry-run

My Homebrew is installed in /usr/local which is why that is the path (in case yours is not). I ran into one problem - I tried this a couple times, and did not realize each time you create a domain with this script, it creates an archive copy - specifically in /etc/letsencrypt/archive/, so when I tried again, instead of creating my domain, it created MY_DOMAN-0001, so I had to use

sudo certbot delete --cert-name MY_DOMAIN
sudo certbot delete --cert-name MY_DOMAIN-0001

etc. and redo to get it set up properly. I then verified that my certificate was loaded in OSX Server, and I created a new webpage with MY_DOMAIN and told it to use the new certificate I created. Now my userdir site works properly without telling people to avoid my site at all costs cause of false https protocol! The script should work as well (haven’t tried it) with the same directory fixes for using certbot instead of the older letsencrypt

For the, it uses sudo so make sure the crontab is set up as root

`sudo crontab -e`

then add the command to use your script.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.