Trouble Renewing Mac OS Server Certificate // Expired certificate - Need help

My thoughts:
I think that the system is still trying to use and needs the new certificate to use the old private key.
I have no idea how to create a cert using the old private key. I listed all the steps I took to get to where I'm at now.

Where I need help:
Could someone help me write a command to create a cert using the old private key?
Review the above; maybe I did something wrong in the process.
Step 6 below is where I'm stuck.

What I've done:
Combed through web / forums and either I don't know enough or can't seem to find help in what I need.

Thanks appreciate anything at this point and I hope the steps / thread will help someone in the future in need.

I ran these steps below
Step 1: Make sure certbot is up-to-date
Command - brew upgrade certbot

Step 2: To renew expired cert I ran
Command - sudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/Default/ -n -d sub.mysite.com
Result - Success new cert with new private key created

Step 3: Import into Mac OS Keychain
Command - sudo security import /etc/letsencrypt/live/sub.mysite.com/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P "my_admin_password" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

Result - 1 identity imported. // 2 certificates imported.

Step 4: Allow MAC OS Server to read recently entered private key
Right click on Keychain new certificate > private key line, right click > get info > Access control tab Click radio box Allow all applications to access this item > save changes

Step 5: Restart Apache or Computer
I restarted computer

------- Problem Here --------
Step 6: MAC OS Server
I opened the Server app and changed the "Secure services using" to the recently imported one. Then I try to push to devices and nothing gets pushed. I still see the expired certificate in the list; I also tried removing the expired certificate and still nothing. I also created a CSR from the old certificate and created a certificate from that, and still nothing.

When using the CSR, Mac OS server puts a pending certificate line where it looks like it’s waiting for the correct certificate files, I dropped cert files with the newly renewed cert but it says “The imported certificate does not match any private key in the keychain - The certificate will not be available for securing services”

To generate Certificate using CSR using certbot for renewal - I understand there are limitations when running --csr command.
Command - certbot --csr /Users/admin/Desktop/Certs/CSR_from_4_14_20/sub.mysite.com.csr certonly

Ran command - certbot certificates
Results show only the newly created certificate with new private key

My web server is (include version): MAC OS Server 5.9 Build 19S1079 // Over Catalina OS

Hi,

This command will issue a new certificate instead of renewing the old one.
You can try to use sudo certbot renew, which will renew the certificate and place it to the same file.

Please also show the output of sudo certbot certificates

I think this is also not updated.
certbot by default will create .pem files, and you need to convert it to p12. So the current p12 file might contain the old certificate.

Reusing the key is not suggested, and I don't think it's the issue here. (The issue is your imported file didn't change at all.)

Thank you

1 Like
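The reply above pins the problem on the .p12 bundle: certbot writes PEM files, so a .p12 that was converted once and never rebuilt keeps carrying the expired certificate, and a .p12 whose certificate was issued for a different key than the one it contains produces exactly the "does not match any private key" message from Step 6. The script below is an added example, not code from the thread or from certbot; it rebuilds the bundle from a PEM pair and checks that the certificate really belongs to the private key before anything is imported. It runs offline on a throwaway self-signed key and certificate (constructed here in place of the real files under /etc/letsencrypt/live/sub.mysite.com/), and the password "demo" and the temporary directory are assumptions for the demo; with the real files you would point it at fullchain.pem and privkey.pem after `sudo certbot renew` and then run the `security import` from Step 3 on the fresh .p12.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a PKCS#12 bundle from certbot-style
# PEM files and verify the certificate matches the private key before import.
# All file names below are constructed for the demo.
set -e

WORK="$(mktemp -d)"

# Constructed stand-in for /etc/letsencrypt/live/<domain>/: a throwaway key and
# a one-day self-signed certificate so the script runs offline.
make_demo_live_dir() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sub.mysite.com" \
    -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
  # A second, unrelated key to reproduce the Step 6 failure: a bundle whose
  # certificate was issued for some other key (old .p12 key, new certificate).
  openssl genrsa -out "$WORK/otherkey.pem" 2048 2>/dev/null
}

# Returns 0 only when the certificate's public key equals the public key
# derived from the private key; this is the check the keychain performs when
# it says "does not match any private key".
key_matches_cert() {
  cert_fp="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
  key_fp="$(openssl pkey -in "$2" -pubout | openssl sha256)"
  [ "$cert_fp" = "$key_fp" ]
}

# Export a fresh .p12 from the PEM pair; reusing a stale .p12 after renewal
# is what left the expired certificate in place in the thread.
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout pass:demo
}

# Print the notAfter date of the certificate inside a .p12, so you can confirm
# the bundle holds the renewed certificate rather than the expired one.
p12_expiry() {
  openssl pkcs12 -in "$1" -passin pass:demo -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Demo run on the constructed files.
make_demo_live_dir
if key_matches_cert "$WORK/fullchain.pem" "$WORK/privkey.pem"; then
  build_p12 "$WORK/fullchain.pem" "$WORK/privkey.pem" "$WORK/cert.p12"
  echo "bundle rebuilt; certificate $(p12_expiry "$WORK/cert.p12")"
else
  echo "refusing to export: certificate and key do not match" >&2
fi
```

Run `p12_expiry` against the .p12 you are about to import: if it still prints the old expiry date, the bundle was never regenerated from the renewed PEM files, regardless of what `certbot certificates` reports.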

Hi!
Thanks for your response,
sudo certbot renew - will do that

P12 having the old certificate, YES!! You're right.

That worked thanks!!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.