macOS server userdir site

walkloud · November 30, 2017, 6:40pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
c51.lbl.gov/~walkloud

I have macOS Sierra 10.12.5
using Server 5.3.1

I have enabled userdirs for making my website - uncomment

LoadModule apple_userdir_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_userdir_apple.so

in the file /Library/Server/Web/Config/apache2/httpd_server_app.conf

In this case, my webroot is /Users/walkloud/Sites where I created .well-known/acme-challenge.

Has anyone set up a certificate for such a scenario? I have failed so far. I first tried

sudo certbot certonly --webroot -w /Users/walkloud/Sites -d c51.lbl.gov/~walkloud

but got the error Invalid character in DNS name. I then tried

sudo certbot certonly --webroot -w /Users/walkloud/Sites -d c51.lbl.gov

but get the error: Invalid response from http://c51.lbl.gov/.well-known/acme-challenge/axM1OCTjyN9k5rlIXoa303dVxQnDNDAgdQ4mS-Jd6vg:
So - clearly, I am not setting it up correctly. I know people using regular apache can also have userdir webpages, so I am looking for help that way - but thought someone here might know as well.

jared.m · November 30, 2017, 6:45pm

You cannot issue a certificate like this. Certificates belong to entire domains or subdomains, such as c51.lbl.gov, not individual resources on those domains, like c51.lbl.gov/~walkoud. You would need to work with whomever manages the domain to obtain a certificate, as you don’t seem to have the proper administrative access to control the entire domain.

walkloud · November 30, 2017, 8:08pm

Thanks for the quick reply! This is a desktop in my office. I do have the entire domain c51.lbl.gov. I have root access to the computer. This is the first time I have ever set up a certificate, so I am not sure where to put the .well-known/acme-challenge folder. Following the other comments on macOS server, I now tried

mkdir -p /Library/Server/Web/Data/Sites/Default/.well-known/acme-challenge

and then

sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/Default -d c51.lbl.gov

which registered with success - Congratulations! Your certificate and chain have been saved at:.

BUT - looking at other posts, I wonder if I should have made a folder here
/Library/Server/Web/Data/Sites/Default/c51.lbl.gov
where I then would have made the .well-known/acme-challenge folder?

walkloud · November 30, 2017, 9:42pm

OK - I followed the instructions on this post

https://community.letsencrypt.org/t/complete-guide-to-install-ssl-certificate-on-your-os-x-server-hosted-website/15005

which almost worked perfectly.
1 - I had to update to use certbot instead of letsencrypt-auto.
2 - I used a homebrew installation of certbot, so some of the executable paths were not the same

explicitly:

brew install certbot
sudo mkdir -p /Library/Server/Web/Data/Default/.well-known/acme-challenge
cd
mkdir -p lets_encrypt/my_script/logs
cd lets_encrypt

I then made the cert.ini and get_cert.sh files replacing YOUR_EMAIL, LIST_OF_DOMAINS_AND_SUBDOMAINS and WEB_ROOT_FOLDER.
In get_cert.sh I have to change the path in the very first command from

sudo /Users/YOUR_USER/letsencrypt/letsencrypt-auto certonly -c cert.ini --dry-run

to

sudo /usr/local/bin/certbot -c cert.ini --dry-run

My Homebrew is installed in /usr/local which is why that is the path (in case yours is not). I ran into one problem - I tried this a couple times, and did not realize each time you create a domain with this script, it creates an archive copy - specifically in /etc/letsencrypt/archive/, so when I tried again, instead of creating my domain, it created MY_DOMAN-0001, so I had to use

sudo certbot delete --cert-name MY_DOMAIN
sudo certbot delete --cert-name MY_DOMAIN-0001

etc. and redo to get it set up properly. I then verified that my certificate was loaded in OSX Server, and I created a new webpage with MY_DOMAIN and told it to use the new certificate I created. Now my userdir site works properly without telling people to avoid my site at all costs cause of false https protocol! The renew.sh script should work as well (haven’t tried it) with the same directory fixes for using certbot instead of the older letsencrypt

For the renew.sh, it uses sudo so make sure the crontab is set up as root

`sudo crontab -e`

then add the command to use your renew.sh script.

system · December 30, 2017, 9:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewal issue mac osx https Help	42	3931	November 15, 2021
Certificate needs to be changed from Self Signed Help	8	998	February 10, 2022
Certbot on Mac, certificate permissions Help	5	1542	December 30, 2021
MacOS X and iOS rejecting Cert Help	13	1397	October 30, 2021
Firewall Issues Help	18	3668	July 12, 2022

macOS server userdir site

Related topics