macOS Sierra 10.12.6 LE cert for Apple Wiki


#1

Hello all! I’m back with a new question. I had a previous post on problems I had with getting an LE cert downloaded and working with the company Wiki on a Mac Pro running MacOS server. Fortunately, with the help of the community, I was able to get the LE cert downloaded and working!

Well, I’m back. I had to perform a fresh install of the OS and Server. I’m following the same guide as I did before and encountering an issue on the first step. After installing brew and attempting to install the LE client, I’m finding that the /etc/letsencrypt folder is not being created. When I run:

  ~/letsencrypt/letsencrypt-auto --help --debug

I get the following output:

server:~ administrator$ ~/letsencrypt/letsencrypt-auto --help --debug
Requesting to rerun /Users/administrator/letsencrypt/letsencrypt-auto with root privileges...
Bootstrapping dependencies for macOS... (you can skip this with --no-bootstrap)
Using Homebrew to install dependencies...
Error: Running Homebrew as root is extremely dangerous and no longer supported. As Homebrew does not drop privileges on installation you would be giving all build scripts full access to your system.

I am uncertain if this is what is causing the mentioned folder to not be created, but I don’t want to continue following the guide until I resolve this issue.


Instructions for macOS Server don't work
#2

why not ping the person who wrote the guide see if he has any advise :stuck_out_tongue:


#3

Good idea, @ahaw021!
@JeffTheRocker Hi there! Do you have any advice?
@schoen You helped me considerably with my previous setup. Could you assist again?

I was able to create the missing folder, however I am seeing the following error frequently when attempt to run commands pertaining to certbot:

WARNING: certbot-auto support for this macOS is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible.  

Are we at a point where these guides are no longer valid? I did attempt to get the current version of certbot, but I still get these errors.


#4

Hi @WilhelmSturmer,

I’m afraid I don’t know much about macOS.

Did you follow the instructions at

using brew install certbot?


#5

@schoen Here is the output when running the command brew install certbot

server:~ administrator$ brew install certbot
Updating Homebrew…
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> Updated Formulae
httpd

Warning: certbot 0.18.2 is already installed


#6

When I use the option to create cert files in the webroot, it creates the files. However, the Server app doesn’t see the newly created cert and I’m unable to use them for the Wiki.


#7

Figured it out. When the .pem files are created, Finder shows them as alias’s. I found that if I copied the files to another location, the files are no longer alias’s. After that, just go into Server, Certificates, click the +, and Import a Certificate Identity. Then drag and drop the files to the pop-up window and Certificates should accept the LE cert.

Thanks to the info here for helping with the issue.


#8

I’m glad you were able to get your certificate imported. The process that you had to follow suggests that Certbot’s integration with macOS is not that great because the design of Certbot is to update these files automatically when your certificate is near expiry (if you regularly run certbot renew from cron or another scheduling tool). The aliases (symbolic links) are part of that design because their targets get updated automatically to point to the renewed certificates, so that a server application can point to the link instead of to a particular version of the certificate, and can receive the new version of the certificate automatically upon renewal.

But, if you have to use “Import a Certificate Identity”, it’s not very plausible that Certbot’s renewal will also perform this step automatically; it will probably have to be repeated manually. That’s not the experience we would prefer for Certbot users to have, because one goal of Let’s Encrypt is to try to make certificates renew automatically without human intervention each time.

I don’t know if someone has found a way to make Certbot run a command-line version of the import process automatically.


#9

Someone has:

It would probably be better done as a deploy hook, though. :wink:


#10

@Patches That is the guide I followed the first time and attempted to follow this time around. I encountered several errors which lead me to make this post and eventually figure out a work around. I’m not sure that guide works in Sierra and High Sierra.


#11

There’s a lot of extraneous stuff in that guide, but AFAICT the portion about importing the certificate is still accurate with Sierra, e.g.:

sudo openssl pkcs12 -export -inkey /path/to/letsencrypt/live/yourdomain.com/privkey.pem -in /path/to/letsencrypt/live/yourdomain.com/cert.pem -certfile /path/to/letsencrypt/live/yourdomain.com/chain.pem -out /path/to/letsencrypt/live/yourdomain.com/keystore.p12 -passout pass:s3cr3t
sudo security import /path/to/letsencrypt/live/yourdomain.com/keystore.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P s3cr3t -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

Did you get an error when you ran either of those commands?

If not, the proper way to do that as a deploy hook should be:

#!/bin/sh

set -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        example.com)
                # Make sure the new pfx file we create is
                # never world readable, even just for an instant
                umask 077

                openssl pkcs12 -export -inkey "$RENEWED_LINEAGE/privkey.pem" -in "$RENEWED_LINEAGE/cert.pem" -certfile "$RENEWED_LINEAGE/chain.pem" -out "$RENEWED_LINEAGE/keystore.p12" -passout pass:s3cr3t
                security import "$RENEWED_LINEAGE/keystore.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P s3cr3t -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
                ;;
        esac
done

#12

I’m presuming you have this fixed?
I noted that you tried to install homebrew as root. Don’t do it… it causes all sorts of problems down the track. OSX is very picky now about what appears on the system. Anyway, after some hickups I had, I have certbot running fine and created my certs. I did it the NON automatic way, and left them in the /etc directory where they were put.
I then edited my vhosts.conf file and pointed the SSL setup to the certs. That way, when the auto-update plist script runs, if there is an update, it simply updates the certs, it knows where to put them, and it’s all hands free,
I put a copy of the plist file on this board just previously.


#13

The issues is indeed resolved. When the time comes to renew the cert, I’ll be trying your method. Thank you all for your assistance.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.