OS X automatic certificate renewal


I have been reading the different posts and struggling to get certbot working on OS X. In my case, because I run multiple sites on my machine, it seems to work best if I spin up a temporary server to get the certification going. I think I finally got it running, except that for some reason sometimes I have more than one certificate in the Server App. Could be that this is just the GUI fooling me, but I thought I’d share my progress and also see if someone encountered the same problem. Based on input from some awesome folks on this site, I cooked up this script:


#!/bin/bash
# Usage: script.sh site1.domain.com   (intended to run from root's crontab)
DOM=$1                                        # domain passed as the first argument
PEM_FOLDER="/etc/letsencrypt/live/${DOM}/"    # certbot's default live directory (trailing slash required below);
                                              # adjust if your certbot install uses a different config dir

# Free port 80 so certbot's standalone server can answer the challenge
sudo serveradmin stop web

# --force-renewal issues a new certificate on every run, so do not schedule this more often than needed.
# If certbot fails, bring the web service back and stop here instead of touching the keychain.
/opt/local/bin/certbot certonly -n -d "$DOM"             \
    --force-renewal                                     \
    --standalone                                        \
    --rsa-key-size 4096                                 \
    --email me@lala.com                                 \
    --agree-tos                                         \
    --manual-public-ip-logging-ok                       \
    || { sudo serveradmin start web; exit 1; }

# Throwaway password that only protects the PKCS#12 bundle between export and import
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)

# Remove the previous certificate for this domain from the System keychain
sudo security delete-certificate -c "$DOM"

# Bundle key, leaf certificate and chain into a PKCS#12 file
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" \
         -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" \
         -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:$PASS"

# Import it into the System keychain and allow servermgrd to use the private key
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" \
         -f pkcs12 -k /Library/Keychains/System.keychain -P "$PASS" \
         -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

sudo serveradmin start web

The way to use this is to place it in root’s cron via

sudo su
crontab -e

If you want to know how to set up a cron entry (and a reminder of the different fields), simply type

man 5 crontab

To call for site1.domain.com simply run

/path/to/script/script.sh site1.domain.com

For more domains,

/path/to/script/script.sh site2.domain.com
/path/to/script/script.sh site3.domain.com
/path/to/script/script.sh site4.domain.com

Note that I prefer to place all options for certbot as command line options to avoid any additional .ini files.

As you can see, I start by stopping web services, renewing the certificate, removing the current certificate from the keychain, adding the renewed certificate, restarting web services.
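The extra certificates the post mentions can be left behind when the delete step removes only a single match while an older copy is still in the keychain. The following is an added example, not part of the original post, that clears every certificate for the domain by SHA-1 hash before the new one is imported; it assumes the same System keychain and the line format of `security find-certificate -a -Z` output, and the sample output embedded below is constructed for the offline demonstration.

```bash
#!/bin/bash
# Added example: remove all keychain certificates whose common name matches the
# domain, by SHA-1 hash, so stale copies from earlier renewals cannot accumulate.
KEYCHAIN=/Library/Keychains/System.keychain   # assumption: same keychain as the renewal script

# Pull the SHA-1 hashes out of `security find-certificate -a -Z` output read from stdin.
cert_hashes() {
    awk '/^SHA-1 hash:/ { print $3 }'
}

# Number of certificates in the keychain whose CN matches $1 (0 if none).
count_certs() {
    security find-certificate -a -c "$1" -Z "$KEYCHAIN" 2>/dev/null | cert_hashes | wc -l | tr -d ' '
}

# Delete every matching certificate by hash; `-c` alone would only remove one.
delete_all_certs() {
    local dom=$1 h
    for h in $(security find-certificate -a -c "$dom" -Z "$KEYCHAIN" 2>/dev/null | cert_hashes); do
        sudo security delete-certificate -Z "$h" "$KEYCHAIN"
    done
}

# Constructed sample of find-certificate output with two entries for one domain,
# used only to show the parser working without a macOS keychain.
SAMPLE_OUTPUT='SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000'

# Demo on the constructed sample: prints both hashes, one per line.
printf '%s\n' "$SAMPLE_OUTPUT" | cert_hashes
```

In the renewal script, `delete_all_certs "$DOM"` would replace the single `security delete-certificate -c` call, and `count_certs "$DOM"` after the import should report 1.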
