I have had a hell of a time finding a way to install a Let’s Encrypt certificate on macOS Server the Right Way™, due to how Server customizes the Apache config in weird and annoying ways.
For the moment, I am going to use this way to “trick” certbot into issuing the cert to a different server temporarily running on the same machine. Adapted from the very helpful instructions at Denis Gladkikh’s blog.
Set up certbot
```bash
brew install certbot
```
Get your first certificate
Start a temporary python web server on port 9000.
```bash
$ mkdir -p /tmp/certbot/public_html/
$ cd /tmp/certbot/public_html
$ python -m SimpleHTTPServer 9000
```
Then change the port forwarding on the AirPort router:
- Launch AirPort Utility
- Select Basement Extreme
- Edit
- Network tab
- Port Settings:
  - Select the port forwarding entry for your server
  - Edit
  - Change Private TCP Ports: from `80, 443` to `9000, 443`
- Save and restart the router.
Now request the certificate, using the temporary server's directory as the webroot:
```bash
sudo certbot certonly --webroot -w /tmp/certbot/public_html -d example.com
```
The output of this command should include a notice like:
```
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2017-07-14.
```
As above, change the AirPort settings back to the ports `80, 443`, and restart the router. Kill (^C) the python server.
- Launch the Server app
- Go to the Certificates tab
- Click +
- Select Import a Certificate Identity…
Server requires you to drag-n-drop instead of selecting from a file dialog, so copy the certificates to the Desktop (or someplace handy where you have permissions to deal with them in the Finder).
```bash
sudo cp -r /etc/letsencrypt/live/example.com/ ~/Desktop/certbot/
```
- Select all of the `.pem` files and drag them onto the import dialog. Server will work out which ones it needs.
- Click Import
- At the top of the Certificates window, for the Secure services using: pop-up, select the new cert.
- Go to the Websites tab
- Under Websites:, select Server Website (SSL)
- Click the pencil button to edit
- Under SSL Certificate:, select the new cert.
- Select OK.
- Go back to the Certificates tab
- Select the old certificate, click –, then click Delete to delete the old certificate.
Renew Certificate
I haven't actually done this yet, so take this as tentative.
- Run the python server and reconfigure the router as above.
- This time, we don't need to specify the domain; just renew:
```bash
sudo certbot renew --webroot -w /tmp/certbot/public_html
```
- Restore the router settings and stop the python server, as above
- Copy the new `.pem` files and install them into the Server app, as above.
- Repeat every ten weeks. (It expires every three months, but give yourself a deadline with time to get it done so it doesn't expire if you get delayed.)
Need to figure out a way to make this more automated, but that will wait until the pain of doing this every ten weeks has settled in. 😉
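As a starting point for that automation, here is an added script (not the author's, and not part of the original post) that wraps the manual steps above: it creates the webroot, serves it on port 9000, and, before certbot is run, drops a probe token into `.well-known/acme-challenge/` and fetches it through the public hostname to confirm the router's port forward actually reaches the temporary server. It assumes `example.com` as a placeholder domain, the Homebrew certbot, and that the AirPort has already been switched to forward port 80 to 9000; the function names are mine.

```bash
#!/bin/bash
# Hypothetical helper around the procedure in the post; not the author's script.
# Assumes the router already forwards public port 80 to PORT on this machine.
set -euo pipefail

DOMAIN="${DOMAIN:-example.com}"                 # placeholder domain
WEBROOT="${WEBROOT:-/tmp/certbot/public_html}"
PORT="${PORT:-9000}"

# URL Let's Encrypt (and our probe) fetch for an HTTP-01 token.
challenge_url() {                               # $1=domain $2=token
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create the webroot and acme-challenge directory, write a probe token file
# whose body is the token itself, and print the file's path.
write_probe() {                                 # $1=webroot $2=token
  local dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$2" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Fetch the probe via the public hostname (i.e. through the router) and check
# the body matches, so a broken port forward is caught before certbot runs.
probe_ok() {                                    # $1=domain $2=token
  [ "$(curl -fsS --max-time 10 "$(challenge_url "$1" "$2")")" = "$2" ]
}

# Serve WEBROOT on PORT in the background (python3 if present, else the
# Python 2 form the post uses); records the PID in SERVER_PID.
start_server() {
  cd "$WEBROOT"
  if command -v python3 >/dev/null 2>&1; then python3 -m http.server "$PORT" &
  else python -m SimpleHTTPServer "$PORT" &
  fi
  SERVER_PID=$!
}

main() {
  local token; token="probe-$(date +%s)"
  write_probe "$WEBROOT" "$token" >/dev/null
  start_server
  trap 'kill "$SERVER_PID" 2>/dev/null' EXIT    # stop the server on exit
  sleep 1
  probe_ok "$DOMAIN" "$token" || { echo "port forward to $PORT not reachable" >&2; exit 1; }
  sudo certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `DOMAIN=your.host ./script.sh --run` after changing the router; the router change back and the Server app import remain manual steps.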