My thoughts:
I think the system is still trying to use the old private key, and that the new certificate needs to be issued for that old private key.
I have no idea how to create a cert using the old private key. I have listed all the steps I took to get to where I'm at now.
Where I need help:
Could someone help me write a command to create a cert using the old private key?
Review the steps above; maybe I did something wrong in the process.
Step 6 below is where I'm stuck.
What i’ve done:
I combed through the web and forums, and either I don't know enough or I can't seem to find help for what I need.
Thanks, I appreciate anything at this point, and I hope this thread and the steps will help someone in need in the future.
I ran the steps below.
Step 1: Make sure certbot is up-to-date
Command - brew upgrade certbot
Step 2: To renew expired cert I ran
Command - sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/Default/ -n -d sub.mysite.com
Result - Success, new cert with a new private key created
Step 3: Import into the macOS Keychain
Command - sudo security import /etc/letsencrypt/live/sub.mysite.com/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P "my_admin_password" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
Result - 1 identity imported. // 2 certificates imported.
Step 4: Allow macOS Server to read the newly imported private key
In Keychain Access, expand the new certificate > right-click the private key line > Get Info > Access Control tab > select the radio button "Allow all applications to access this item" > Save Changes
Step 5: Restart Apache or the computer
I restarted the computer.
------- Problem Here --------
Step 6: macOS Server
I opened the Server app and changed "Secure services using" to the recently imported certificate. Then I tried to push to devices and nothing got pushed. I still see the expired certificate in the list; I also tried removing the expired certificate and still nothing. I also created a CSR from the old certificate, created a certificate from that, and still nothing.
When using the CSR, macOS Server adds a pending certificate line where it looks like it's waiting for the correct certificate files. I dropped in the cert files from the newly renewed cert, but it says "The imported certificate does not match any private key in the keychain - The certificate will not be available for securing services".
To generate a certificate from a CSR using certbot for renewal - I understand there are limitations when running with the --csr option.
Command - certbot --csr /Users/admin/Desktop/Certs/CSR_from_4_14_20/sub.mysite.com.csr certonly
I then ran the command - certbot certificates
Results show only the newly created certificate with the new private key.
My web server is (include version): macOS Server 5.9 Build 19S1079 // on macOS Catalina
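The procedure the poster is asking about in Step 6, as an added example that is not part of the original post or of certbot's own documentation: build a CSR from the existing private key, let certbot sign that CSR (so the issued certificate pairs with the old key), verify the pair before touching the Keychain, and bundle it into a PKCS#12 for `security import`. It assumes the old key is available as a PEM file (for example exported from Keychain Access, or a previous privkey from certbot's archive directory); the paths, domain and password arguments are placeholders. Only the helper functions are exercised offline; `renew_keeping_key` needs a reachable web root and a real certbot run.

```shell
#!/bin/sh
# Added example (not code from the original post). Renew a Let's Encrypt
# certificate while keeping the existing private key, so the identity already
# stored in the macOS System keychain keeps matching the new certificate.
set -eu

# Build a CSR from an existing private key. Certbot signs this CSR, so the issued
# certificate pairs with the old key instead of a freshly generated one. A config
# file is used for the SAN so this works with the system LibreSSL as well as OpenSSL.
make_csr_from_key() {
  mk_key="$1"; mk_domain="$2"; mk_csr="$3"
  mk_cfg=$(mktemp)
  cat > "$mk_cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $mk_domain
[ext]
subjectAltName = DNS:$mk_domain
EOF
  openssl req -new -key "$mk_key" -config "$mk_cfg" -out "$mk_csr"
  rm -f "$mk_cfg"
}

# The check behind the "does not match any private key" error: compare the public
# key embedded in the certificate with the one derived from the private key.
# Returns 0 when they match, 1 otherwise.
cert_matches_key() {
  cm_cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  cm_key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cm_cert_pub" = "$cm_key_pub" ]
}

# Bundle certificate, chain and the OLD key into a PKCS#12 that `security import`
# accepts. Arguments: cert chain key out-file password.
bundle_p12() {
  openssl pkcs12 -export -in "$1" -certfile "$2" -inkey "$3" \
    -passout "pass:$5" -out "$4"
}

# Full procedure. Arguments: domain old-key webroot out-dir p12-password.
# Certbot reads the domain from the CSR in --csr mode, so -d is not passed.
renew_keeping_key() {
  rk_domain="$1"; rk_key="$2"; rk_webroot="$3"; rk_out="$4"; rk_pass="$5"
  mkdir -p "$rk_out"
  make_csr_from_key "$rk_key" "$rk_domain" "$rk_out/$rk_domain.csr"
  sudo certbot certonly --webroot -w "$rk_webroot" -n \
    --csr "$rk_out/$rk_domain.csr" \
    --cert-path "$rk_out/cert.pem" \
    --chain-path "$rk_out/chain.pem" \
    --fullchain-path "$rk_out/fullchain.pem"
  # Refuse to build an identity the Keychain would reject anyway.
  if ! cert_matches_key "$rk_out/cert.pem" "$rk_key"; then
    echo "issued certificate does not match $rk_key" >&2
    return 1
  fi
  bundle_p12 "$rk_out/cert.pem" "$rk_out/chain.pem" "$rk_key" \
    "$rk_out/$rk_domain.p12" "$rk_pass"
  echo "$rk_out/$rk_domain.p12"
}

# Example invocation (placeholder paths):
# renew_keeping_key sub.mysite.com /path/to/old_privkey.pem \
#   /Library/Server/Web/Data/Sites/Default/ /tmp/renew 'p12 password'
# sudo security import /tmp/renew/sub.mysite.com.p12 -f pkcs12 \
#   -k /Library/Keychains/System.keychain -P 'p12 password'
```

Two caveats a practitioner should keep in mind. Certificates obtained with `--csr` are written to the given paths rather than under /etc/letsencrypt/live and are not picked up by `certbot renew`, so this run has to be repeated (or scripted) before each expiry. And if the PKCS#12 is produced with OpenSSL 3 rather than the system LibreSSL, older Keychain versions may refuse its default AES/PBKDF2 encryption; adding `-legacy` to the `openssl pkcs12 -export` call produces the older 3DES format they accept.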