Hello all! I’m back with a new question. I had a previous post on problems I had with getting an LE cert downloaded and working with the company Wiki on a Mac Pro running MacOS server. Fortunately, with the help of the community, I was able to get the LE cert downloaded and working!
Well, I’m back. I had to perform a fresh install of the OS and Server. I’m following the same guide as I did before and encountering an issue on the first step. After installing brew and attempting to install the LE client, I’m finding that the /etc/letsencrypt folder is not being created. When I run:
~/letsencrypt/letsencrypt-auto --help --debug
I get the following output:
server:~ administrator$ ~/letsencrypt/letsencrypt-auto --help --debug
Requesting to rerun /Users/administrator/letsencrypt/letsencrypt-auto with root privileges...
Bootstrapping dependencies for macOS... (you can skip this with --no-bootstrap)
Using Homebrew to install dependencies...
Error: Running Homebrew as root is extremely dangerous and no longer supported. As Homebrew does not drop privileges on installation you would be giving all build scripts full access to your system.
I am uncertain if this is what is causing the mentioned folder to not be created, but I don’t want to continue following the guide until I resolve this issue.
Good idea, @ahaw021! @JeffTheRocker Hi there! Do you have any advice? @schoen You helped me considerably with my previous setup. Could you assist again?
I was able to create the missing folder, however I am seeing the following error frequently when I attempt to run commands pertaining to certbot:
WARNING: certbot-auto support for this macOS is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible.
Are we at a point where these guides are no longer valid? I did attempt to get the current version of certbot, but I still get these errors.
When I use the option to create cert files in the webroot, it creates the files. However, the Server app doesn’t see the newly created cert and I’m unable to use them for the Wiki.
Figured it out. When the .pem files are created, Finder shows them as aliases. I found that if I copied the files to another location, the files are no longer aliases. After that, just go into Server, Certificates, click the +, and Import a Certificate Identity. Then drag and drop the files to the pop-up window and Certificates should accept the LE cert.
Thanks to the info here for helping with the issue.
I’m glad you were able to get your certificate imported. The process that you had to follow suggests that Certbot’s integration with macOS is not that great because the design of Certbot is to update these files automatically when your certificate is near expiry (if you regularly run certbot renew from cron or another scheduling tool). The aliases (symbolic links) are part of that design because their targets get updated automatically to point to the renewed certificates, so that a server application can point to the link instead of to a particular version of the certificate, and can receive the new version of the certificate automatically upon renewal.
But, if you have to use “Import a Certificate Identity”, it’s not very plausible that Certbot’s renewal will also perform this step automatically; it will probably have to be repeated manually. That’s not the experience we would prefer for Certbot users to have, because one goal of Let’s Encrypt is to try to make certificates renew automatically without human intervention each time.
I don’t know if someone has found a way to make Certbot run a command-line version of the import process automatically.
@Patches That is the guide I followed the first time and attempted to follow this time around. I encountered several errors which led me to make this post and eventually figure out a workaround. I’m not sure that guide works in Sierra and High Sierra.
Did you get an error when you ran either of those commands?
If not, the proper way to do that as a deploy hook should be:
    #!/bin/sh
    # certbot deploy hook: certbot sets RENEWED_DOMAINS (space-separated) and
    # RENEWED_LINEAGE (the live/<name> directory) before running this script.
    set -e
    for domain in $RENEWED_DOMAINS; do
        case $domain in
            example.com)
                # Make sure the new pfx file we create is
                # never world readable, even just for an instant
                umask 077
                # Bundle the renewed key, cert and chain into a PKCS#12 file.
                # Note: the export passphrase is visible on the command line here.
                openssl pkcs12 -export -inkey "$RENEWED_LINEAGE/privkey.pem" -in "$RENEWED_LINEAGE/cert.pem" -certfile "$RENEWED_LINEAGE/chain.pem" -out "$RENEWED_LINEAGE/keystore.p12" -passout pass:s3cr3t
                # Import into the System keychain and allow only servermgrd to use the key.
                security import "$RENEWED_LINEAGE/keystore.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P s3cr3t -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
                ;;
        esac
    done
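To make the two points above concrete (the live/ "aliases" are symlinks that certbot repoints on renewal, and a deploy hook is driven by the RENEWED_DOMAINS and RENEWED_LINEAGE variables), here is an added, self-contained simulation. It is not code from the thread or from certbot: it builds a constructed lineage under a temp directory that mirrors certbot's live/ -> archive/ layout with placeholder file contents, then runs a hook that copies the link targets into plain 0600 files, which is what a tool that refuses symlinks needs. The staging directory and the example.com name are assumptions for the demo.

```shell
#!/bin/sh
# Added example: constructed certbot-style lineage plus a deploy hook that
# dereferences the live/ symlinks. Nothing here touches real certbot paths.
set -e

WORK="${TMPDIR:-/tmp}/le-demo.$$"      # constructed sandbox, not /etc/letsencrypt
STAGE="$WORK/staged"                   # assumed destination for plain-file copies

# Fake lineage: archive/ holds numbered versions, live/ holds symlinks to them.
make_fake_lineage() {
    mkdir -p "$WORK/archive/example.com" "$WORK/live/example.com"
    printf 'CERT VERSION 1\n' > "$WORK/archive/example.com/fullchain1.pem"
    printf 'KEY VERSION 1\n'  > "$WORK/archive/example.com/privkey1.pem"
    ln -sf ../../archive/example.com/fullchain1.pem "$WORK/live/example.com/fullchain.pem"
    ln -sf ../../archive/example.com/privkey1.pem  "$WORK/live/example.com/privkey.pem"
}

# What certbot does on renewal: write version N and repoint the live/ links.
simulate_renewal() {
    n=$1
    printf 'CERT VERSION %s\n' "$n" > "$WORK/archive/example.com/fullchain$n.pem"
    printf 'KEY VERSION %s\n'  "$n" > "$WORK/archive/example.com/privkey$n.pem"
    ln -sf "../../archive/example.com/fullchain$n.pem" "$WORK/live/example.com/fullchain.pem"
    ln -sf "../../archive/example.com/privkey$n.pem"  "$WORK/live/example.com/privkey.pem"
}

# Deploy hook body. certbot exports RENEWED_DOMAINS and RENEWED_LINEAGE;
# we copy file *contents* (not links) into STAGE with mode 0600.
stage_renewed_certs() {
    umask 077
    mkdir -p "$STAGE"
    for domain in $RENEWED_DOMAINS; do
        case $domain in
            example.com)
                cat "$RENEWED_LINEAGE/fullchain.pem" > "$STAGE/$domain.fullchain.pem"
                cat "$RENEWED_LINEAGE/privkey.pem"  > "$STAGE/$domain.privkey.pem"
                ;;
        esac
    done
}

# Helpers used to observe the effect.
live_cert_content()   { cat "$WORK/live/example.com/fullchain.pem"; }
staged_cert_content() { cat "$STAGE/example.com.fullchain.pem"; }
staged_is_regular_file() {
    [ -f "$STAGE/example.com.privkey.pem" ] && [ ! -L "$STAGE/example.com.privkey.pem" ]
}
staged_key_mode() { ls -l "$STAGE/example.com.privkey.pem" | cut -c1-10; }
cleanup_demo() { rm -rf "$WORK"; }

# Full run: create lineage, run the hook once, then renew without re-running it.
run_demo() {
    make_fake_lineage
    RENEWED_DOMAINS="example.com"
    RENEWED_LINEAGE="$WORK/live/example.com"
    export RENEWED_DOMAINS RENEWED_LINEAGE
    stage_renewed_certs
    simulate_renewal 2
}

run_demo
printf 'live/ now reads:   %s\n' "$(live_cert_content)"     # CERT VERSION 2
printf 'staged copy reads: %s\n' "$(staged_cert_content)"   # CERT VERSION 1 (stale)
```

After `simulate_renewal 2` the symlink in live/ already yields the new certificate, while the staged copy still holds version 1: a copied or imported file only catches up when the hook runs again, which is exactly why the import step has to be part of the deploy hook rather than done by hand once.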
I’m presuming you have this fixed?
I noted that you tried to install homebrew as root. Don’t do it… it causes all sorts of problems down the track. OSX is very picky now about what appears on the system. Anyway, after some hiccups I had, I have certbot running fine and created my certs. I did it the NON automatic way, and left them in the /etc directory where they were put.
I then edited my vhosts.conf file and pointed the SSL setup to the certs. That way, when the auto-update plist script runs, if there is an update, it simply updates the certs, it knows where to put them, and it’s all hands free.
I put a copy of the plist file on this board just previously.