Hello!
I have been reading the different posts and struggling to get certbot working on OS X. In my case, because I run multiple sites on my machine, it seems to work best if I spin up a temporary server to get the certification going. I think I finally got it running, except that for some reason sometimes I have more than one certificate in the Server App. Could be that this is just the GUI fooling me, but I thought I’d share my progress and also see if someone encountered the same problem. Based on input from some awesome folks on this site, I cooked up this script:
#!/bin/sh
# Usage: script.sh site1.domain.com (run as root, e.g. from root's crontab)
DOM="$1"
PEM_FOLDER="/opt/local/etc/letsencrypt/live/${DOM}/"
# Stop the web service so certbot's standalone server can bind to port 80
sudo serveradmin stop web
/opt/local/bin/certbot certonly -n -d "$DOM" \
--force-renewal \
--standalone \
--rsa-key-size 4096 \
--email me@lala.com \
--manual-public-ip-logging-ok \
--agree-tos
# If renewal failed, bring the web service back up and keep the existing certificate
if [ $? -ne 0 ]; then
    sudo serveradmin start web
    exit 1
fi
# One-time random password for the PKCS#12 bundle
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
# Remove the previous certificate for this domain from the keychain
sudo security delete-certificate -c "$DOM"
# Bundle private key, certificate and chain into a PKCS#12 file
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" \
-in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" \
-out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:$PASS"
# Import into the System keychain and allow servermgrd to use the private key
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" \
-f pkcs12 -k /Library/Keychains/System.keychain -P "$PASS" \
-T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
sudo serveradmin start web
The way to use this is to place it in root’s cron via
sudo su
crontab -e
If you want to know how to set up a cron entry (and a reminder of the different fields), simply type
man 5 crontab
To call for site1.domain.com simply run
/path/to/script/script.sh site1.domain.com
For more domains,
/path/to/script/script.sh site2.domain.com
/path/to/script/script.sh site3.domain.com
/path/to/script/script.sh site4.domain.com
...
Note that I prefer to place all options for certbot as command line options to avoid any additional .ini files.
As you can see, I start by stopping web services, renewing the certificate, removing the current certificate from the keychain, adding the renewed certificate, and restarting web services.
Thoughts?
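One way to check for the "more than one certificate" situation described in the post, as an added example that is not part of the original script: after the import, list every keychain certificate with the domain's common name, keep only the one whose SHA-1 fingerprint matches the cert.pem certbot just wrote, and delete the rest. It assumes macOS `security` and `openssl`; the function names (`stale_hashes`, `current_hash`, `prune_stale_certs`) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): remove stale keychain entries
# for a domain, keeping only the certificate certbot just issued.

# Read a `security find-certificate -a -c CN -Z` listing on stdin and print the
# SHA-1 hashes that differ from the given current hash, one per line.
# Pure text processing, so it can be exercised with a constructed listing.
stale_hashes() {
    awk -v cur="$1" '
        BEGIN { cur = toupper(cur) }
        /^SHA-1 hash:/ { h = toupper($3); if (h != cur) print h }
    '
}

# SHA-1 fingerprint (no colons) of the certificate certbot wrote, e.g.
# /opt/local/etc/letsencrypt/live/site1.domain.com/cert.pem
current_hash() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" |
        sed 's/^.*=//; s/://g'
}

# Delete every certificate for DOM in the System keychain except the current one.
# Usage: prune_stale_certs site1.domain.com /path/to/live/site1.domain.com/cert.pem
prune_stale_certs() {
    dom="$1"
    cert="$2"
    cur=$(current_hash "$cert")
    security find-certificate -a -c "$dom" -Z /Library/Keychains/System.keychain |
        stale_hashes "$cur" |
        while read -r h; do
            sudo security delete-certificate -Z "$h" /Library/Keychains/System.keychain
        done
}
```

Calling `prune_stale_certs "$DOM" "${PEM_FOLDER}cert.pem"` right after the `security import` step in the script above would leave exactly one certificate per domain in the keychain.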