Multiple domains with OS X

I have just set up and deployed letsencrypt on my home server running OS X 10.11.6 and server 5.2.
I followed this handy guide, Complete guide to install SSL certificate on your OS X server hosted website
I was able to create a certificate that works correctly for the domain and 2 subdomains that live in the same web root folder.
I also have a site that is a subdomain of the first but it lives in a different web root. I created .well-known and .well-known/acme-challenge in this other root but it doesn’t pass muster when I run the command.
What is the least resource intensive way to make this work?

Can all be accessed @ /Library/Server/Web/Data/Sites/ is accessed at /Library/Server/Web/Data/Sites/Default

Do I create an entire new instance of the scripts called for each web root, or… ?


Hi @tknospdr, which client software are you using? If it’s Certbot, it is possible to specify a different webroot for each domain and get a single certificate that covers all of them.

No client software as I’m using OS X Server. Please see posted link in OP. If you can help me create the correct commands to pass via the included script that would be great.
Or better yet, make certbot work with OSX Server! :slight_smile:
I’m pretty proficient with the OS in general having used Macs for over 28 years at this point. Happy to help where I can.

From that link it sounds like you’re trying to use letsencrypt, which is client software and which is actually the same as Certbot (Certbot is its new name and the git repository that it tells you to clone is our Certbot repository).

So in that case it appears you would already be using Certbot under its old name!

Oh, I see.
So the question remains.
Can you help clean up / improve these scripts so that I can accomplish what I’d like to do?


Could you let us know what command you ran and what kind of error message you saw? It might be possible just to make a tiny change to the command to make it work properly, but we'll need to know which command you were using.

This file is called technospider1-cert.ini

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Register with the specified e-mail address
email =
# Generate certificates for the specified domains.
domains =,,,
# Uncomment to use a text interface instead of ncurses
# text = True
# To use the webroot authenticator.
authenticator = webroot
webroot-path = /Library/Server/Web/Data/Sites/

This file is called

DATE=$(date +"%d-%m-%y")

# Retrieve certificate - DELETE --dry-run AFTER THE TEST RUN WORKED
sudo /Users/tknospdr/letsencrypt/letsencrypt-auto certonly -c technospider1-cert.ini

# Check that everything went fine

if [ "$LE_STATUS" != 0 ]; then
    echo Automated Get certificate failed:
    cat $LOG_FILE
    exit 1

PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)

# Transform the pem files into a OS X Valid p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "{PEM_FOLDER}letsencrypt_sslcert.p12" -passout pass:$PASS

# import the p12 file in keychain - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P $PASS -T /Applications/

I just call the shell file and it retrieves the certificate, then changes it’s format for use in OS X keychain, then installs in in the Server app.
The issue is that webfoot for starfleet is not the same as the other 3 domains called in the script.

The errors were 404, no authentication, or similar. I don’t have it in my terminal buffer anymore.

I don’t think you can easily use multiple different webroot paths with webroot-path directives in an .ini file. However, you can do so when specifying the webroot on the command line. The pattern looks something like

letsencrypt-auto certonly --webroot -w /var/www/ -d -d -w /var/www/ -d -d

In this case, each time you specify a -w, that is the new webroot path that should be used for domains that are specified from that point on—until reaching a new -w, which will set a new webroot path.

(There is a feature called webroot-map which should also be able to do what you want in the .ini file more directly, but I don’t remember the syntax because I haven’t used it or seen someone use it recently. But that’s another alternative you can look at. It is meant to say “these webroots go with these domains, and these with these domains”.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.