Set up LetsEncrypt with macOS 10.11.4+ and Server.app 5.1


#1

This requires Homebrew (available at http://brew.sh/)

Install and Set up LetsEncrypt (Certbot)

brew update

sudo mkdir /etc/letsencrypt
sudo mkdir /var/lib/letsencrypt
sudo mkdir /var/log/letsencrypt

brew install letsencrypt

Create a Certificate:

sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/SiteRootDirectory -d pretendco.com -d www.pretendco.com

Convert and Import for Server.app

Save the following as a file on your server. It is a bash script to import the certificate into Keychain Access and make it available for Server.app.

#!/bin/bash
RED='\033[0;31m'
YELLOW='\033[0;33m'
NC='\033[0m' # No Color

if [[ $UID != 0 ]]; then
    echo "Please run this script with sudo:"
    echo "sudo $0 $*"
    exit 1
fi

read -r -p "Type the domain name you would like to import (example.com), followed by [ENTER]: " thedomain
LIVE="/etc/letsencrypt/live/$thedomain"

# Stop early if certbot has not written anything for that name
if [[ ! -f "$LIVE/privkey.pem" ]]; then
    echo "No LetsEncrypt certificate found in $LIVE"
    exit 1
fi

# bash generate random 32 character alphanumeric string (upper and lowercase)
TEMP_PASS=$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

# printf expands the colour escapes; plain echo on macOS prints "\n" literally
printf "\n\n${YELLOW}Temp password created for import to Keychain Access: ${RED}%s${NC}\n\n" "$TEMP_PASS"

read -p "Export the $thedomain LetsEncrypt Cert to Keychain Access Format (.p12) [Y or N]: " -n 1 -r
echo    # (optional) move to a new line
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
    exit 1
fi

# No eval needed; quoting the paths keeps unusual domain input from being re-parsed by the shell
openssl pkcs12 -export -inkey "$LIVE/privkey.pem" -in "$LIVE/cert.pem" -certfile "$LIVE/fullchain.pem" -out "$LIVE/letsencrypt_sslcert.p12" -passout "pass:$TEMP_PASS"

read -p "Import the $thedomain LetsEncrypt Cert to Keychain Access [Y or N]: " -n 1 -r
echo    # (optional) move to a new line
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
    exit 1
fi

# -T adds servermgrd to the key's access list so Server.app can use it without a prompt
security import "$LIVE/letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "$TEMP_PASS" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
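Added example, not part of the original post: a set of bash functions covering the conversion step above in a form that can be checked. They build the .p12 without eval, pass the export password to openssl through a mode-600 file (so it does not show up in the process list the way -passout pass:... does), refuse to export when privkey.pem does not belong to cert.pem, and read the leaf certificate's subject back out of the finished bundle as a sanity check. make_fixture creates a constructed self-signed stand-in for the /etc/letsencrypt/live/<domain> directory so the functions can be exercised offline; the function names and the pretendco.test domain are assumptions, and openssl is assumed to be on PATH.

```shell
#!/bin/bash
# Added example (not from the original post): safer .p12 build plus checks.
# Assumes openssl on PATH. Function names and the pretendco.test domain are
# assumptions; make_fixture produces constructed test data, not a real cert.
set -eu

# new_passfile <path> : write a random export password to a mode-600 file,
# so it reaches openssl via -passout file: instead of the command line
new_passfile() {
    ( umask 077; head -c 32 /dev/urandom | base64 | tr -d '/+=\n' > "$1" )
    [ -s "$1" ]
}

# key_matches_cert <privkey.pem> <cert.pem> : succeed only if the public key
# derived from the private key equals the one embedded in the certificate
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# build_p12 <live_dir> <out.p12> <passfile> : export key + leaf + chain as
# PKCS#12, refusing to run if the key does not belong to the certificate
build_p12() {
    live="$1"; out="$2"; passfile="$3"
    if ! key_matches_cert "$live/privkey.pem" "$live/cert.pem"; then
        echo "privkey.pem does not match cert.pem in $live" >&2
        return 1
    fi
    openssl pkcs12 -export \
        -inkey "$live/privkey.pem" -in "$live/cert.pem" \
        -certfile "$live/chain.pem" \
        -out "$out" -passout "file:$passfile"
}

# p12_subject <file.p12> <passfile> : print the subject of the leaf
# certificate stored in the bundle (a cheap "did the export work" check);
# fails when the password does not open the bundle
p12_subject() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# make_fixture <dir> <domain> : constructed stand-in for a certbot live/ dir
# (self-signed leaf plus a separate self-signed "chain" cert, valid one day)
make_fixture() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
}
```

On a real server you would skip make_fixture and call build_p12 with /etc/letsencrypt/live/pretendco.com as the live directory, then hand the resulting bundle and the password from the passfile to security import as in the script above, and delete the passfile afterwards. Note that chain.pem (intermediates only) is used here rather than fullchain.pem, which already contains the leaf; either imports, but chain.pem avoids storing the leaf twice. If the bundle is built with OpenSSL 3 and Keychain Access refuses it, re-export with the -legacy option so the older PKCS#12 encryption that macOS expects is used.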

Choose the Cert in Server.app

  1. Quit Server.app if open
  2. Open Server.app
  3. Go to Websites
  4. Select your site and click the Edit button
  5. Choose your LetsEncrypt certificate
  6. Click OK
