Renewal works fine, but how do I get macOS to use new certificate instead of old?

I’ve been using LE for several months now and it’s working great. I have renewals basically completely automated at this point, except for the last step.

The last step is telling macOS to use the new certificates, and to either delete or at least ignore the old ones.

What I’ve been doing so far is opening the “Server.app” in macOS, and going through each domain and selecting the new certificate for each domain.

That’s not difficult, but it’s tedious and obviously something that should be automated, but I can’t find other examples of people explaining how to solve this.

Any help would be appreciated.

@tjluoma,

Let me know if this helps! Complete guide to install SSL certificate on your OS X server hosted website

Thanks for the reply.

I’m pretty sure that’s the post that I used to get things set up, so it covers all of the parts that I have working, but that does not include replacing old certificates with new ones so that the OS knows to use the new ones.

I believe the line starting with sudo security import does that. But I know nothing of macOS servers.

I just came across

which I had seen previously but had ignored because it only works for High Sierra and I'm using Catalina, but then I realized that the server where I'm managing these certificates is running High Sierra, so I'm going to give that a try.

It explicitly indicates that it will remove keys and certs that are no longer in use, so maybe that's what I've been missing.

Will report back if it works, hopefully to help others who might need/want the same thing.

Let me know how it goes. I have moved to a Mojave server with MacPorts (unfinished full migration, but most of it works and is in production). I did adapt the script to work with Mojave but then stopped using it as I’m not using letsencrypt certs yet for macOS Server stuff (will though later).
