Installing a Let’s Encrypt Certificate on macOS Server

Posted on by Mark Boszko
This post was published more than a few years ago (on 2017-04-15) and may contain inaccurate technical information, outmoded thoughts, or cringe takes. Proceed at your own risk.

I have had a hell of a time finding a way to install a Let’s Encrypt certificate on macOS Server the Right Way™, due to how Server customizes the Apache config in weird and annoying ways.

For the moment, I am going to use this way to “trick” certbot into issuing the cert to a different server temporarily running on the same machine. Adapted from the very helpful instructions at Denis Gladkikh’s blog.

Set up certbot

brew install certbot

Get your first certificate

Start a temporary python web server on port 9000.

$ mkdir -p /tmp/certbot/public_html/
$ cd /tmp/certbot/public_html
$ python -m SimpleHTTPServer 9000

Then change the port forwarding on the AirPort router:

  • Launch AirPort Utility
  • Select Basement Extreme
  • Edit
  • Network tab
  • Port Settings:
  • Select the port forwarding entry for your server
  • Edit
  • Change Private TCP Ports: from 80, 443 to 9000, 443
  • Save and restart the router.
sudo certbot certonly --webroot -w /tmp/certbot/public_html -d example.com

As part of the output of this command should be a notice like:

 - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2017-07-14.

As above, change the AirPort settings back to the ports 80, 443, and restart the router.

Kill ^C the python server.

  • Launch the Server app
  • Go to the Certificates tab
  • Click +
  • Select Import a Certificate Identity…

Server requires you to drag-n-drop instead of selecting from a file dialog, so copy the certificates to the Desktop (or someplace handy where you have permissions to deal with them in the Finder).

sudo cp -r /etc/letsencrypt/live/example.com/ ~/Desktop/certbot/
  • Select all of the .pem files and drag them onto the import dialog. Server will work out which ones it needs.
  • Click Import
  • At the top of the Certificates window, for the Secure services using: pop-up, select the new cert.
  • Go to the Websites tab
  • Under Websites:, select Server Website (SSL)
  • Click the pencil button to edit
  • Under SSL Certificate:, select the new cert.
  • Select OK.
  • Go back to the Certificates tab
  • Select the old certificate, and click then Delete to delete the old certificate.

Renew Certificate

I haven't actually done this yet, so take this as tentative.

  • Run the python server and reconfigure the router as above.
  • This time, we don't need to specify the domain; just renew:
sudo certbot renew --webroot -w /tmp/certbot/public_html
  • Restore the router settings and stop the python server, as above
  • Copy the new .pem files and install them into the Server app, as above.
  • Repeat every ten weeks. (It expires every three months, but give yourself a deadline with time to get it done so it doesn't expire if you get delayed.)

Need to figure out a way to make this more automated, but that will wait until the pain of doing this every ten weeks has settled in. 😉