Real SSL Certificates for OS X Server

LetsEncrypt (https://letsencrypt.org) has a mission of moving unencrypted Internet traffic to encrypted Internet traffic. They do this through relatively short-lived SSL certificates, so an automated process for setting up and maintaining them is vital.

On shifting my web site to OS X server I also adopted LetsEncrypt and its Certbot.

Certbot with OS X server



The easiest and recommended mechanism for installing Certbot (https://certbot.eff.org) for OS X is to use Homebrew (https://brew.sh). Once Homebrew is set up the instruction:

brew install certbot



will install the software.

Although there are some resources that describe the rest of the process, they were all a bit dated, over-complex or did not quite work for me.

I chose the webroot approach, in which the running web server serves the challenge files that Certbot writes into the site directory.

certbot --webroot certonly --webroot-path /Library/Server/Web/Data/Sites/Main/ -d atum-ra.castro.aus.net -d www.castro.aus.net -d atum-ra.castro.id.au


Please note that I do not use the default site directory (/Library/Server/Web/Data/Sites/Default). It has been changed on my instance of OS X Server, and my site is known by several names, hence the multiple -d options.

Once you have successfully generated your certificates you need to be able to renew them. This is tested with the command:

certbot renew --dry-run



The certificates need to be installed and automatically renewed. I adapted code by JeffTheRocker (https://community.letsencrypt.org/t/complete-guide-to-install-ssl-certificate-on-your-os-x-server-hosted-website/15005) and called it from /etc/crontab. The shell script is installed as /usr/local/bin/renew.sh:

#!/bin/bash
# Lineage directory that certbot created. Certbot names it after the first -d
# domain given on the command line unless --cert-name was used, so check that
# this path really exists before relying on the script.
PEM_FOLDER=/etc/letsencrypt/live/www.castro.aus.net/
# Renew whatever is due (certbot only renews certificates close to expiry)
certbot renew
# Generate a passphrase for the PKCS#12 bundle
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
# Transform the pem files into an OS X-valid p12 file
openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"
# Import the p12 file into the System keychain and allow servermgrd to use the key
security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "${PASS}" -T \
/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

The script is then run twice a day by inserting a line into /etc/crontab:

25 11,23 * * * root /usr/local/bin/renew.sh > /dev/null
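The script above re-exports and re-imports the bundle on every cron run, whether or not certbot actually renewed anything, and it never checks that the export succeeded. The following is an added example (not the post's script, nor JeffTheRocker's) of the same PEM-to-PKCS#12-to-keychain flow written as a certbot deploy hook: certbot runs it only when a lineage has really been renewed and exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<name> directory concerned. It verifies the bundle opens with the passphrase and that the new certificate still has a reasonable lifetime before touching the keychain. The keychain and servermgrd paths come from the post; the hook's file name, the use of chain.pem rather than fullchain.pem and the self-signed test lineage are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original post's script: a certbot deploy hook that
# turns a freshly renewed Let's Encrypt lineage into a PKCS#12 bundle, checks
# the bundle and the certificate lifetime, and (on macOS only) imports it into
# the System keychain. Assumed invocation, from cron:
#   certbot renew --deploy-hook /usr/local/bin/renew-hook.sh
# Certbot then sets RENEWED_LINEAGE to the live directory it just renewed.
set -euo pipefail

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain
SERVERMGRD=/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

# 30-character alphanumeric passphrase for the PKCS#12 bundle.
make_passphrase() {
  openssl rand -base64 48 | tr -dc 'A-Za-z0-9' | cut -c1-30
}

# Build <out> (a .p12) from privkey.pem, cert.pem and chain.pem in <live_dir>.
# The passphrase reaches openssl through the environment (env:VAR) rather than
# argv, so it is not visible in `ps` output while the export runs.
pem_to_p12() {
  local live_dir="$1" out="$2"
  P12_PASS="$3" openssl pkcs12 -export \
    -inkey "${live_dir}/privkey.pem" \
    -in "${live_dir}/cert.pem" \
    -certfile "${live_dir}/chain.pem" \
    -out "$out" \
    -passout env:P12_PASS
  chmod 600 "$out"
}

# Succeeds only if the bundle opens with the passphrase (its MAC verifies).
verify_p12() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -noout
}

# Succeeds if the certificate in <pem> is still valid <days> days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Import the bundle into the System keychain and allow servermgrd to use the key.
# `security import -P` takes the passphrase on the command line; there is no
# environment alternative, so this passphrase is single-use and thrown away.
import_to_keychain() {
  security import "$1" -f pkcs12 -k "$SYSTEM_KEYCHAIN" -P "$2" -T "$SERVERMGRD"
}

# Constructed test lineage: a self-signed 90-day certificate standing in for
# what certbot writes to /etc/letsencrypt/live/<name>/ (chain.pem is the
# certificate itself, since there is no issuer in this toy case).
make_test_lineage() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=www.example.test" \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
  cp "$1/cert.pem" "$1/chain.pem"
}

main() {
  local lineage="$1" pass bundle
  bundle="${lineage}/letsencrypt_sslcert.p12"
  pass=$(make_passphrase)
  pem_to_p12 "$lineage" "$bundle" "$pass"
  verify_p12 "$bundle" "$pass"
  # A just-renewed Let's Encrypt certificate is valid for about 90 days; if
  # less than 60 remain, certbot did not renew what this hook expected.
  cert_valid_for_days "${lineage}/cert.pem" 60
  if command -v security >/dev/null 2>&1; then
    import_to_keychain "$bundle" "$pass"
  fi
}

# Only certbot (as a deploy hook) sets RENEWED_LINEAGE; sourcing or running the
# file without it just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main "$RENEWED_LINEAGE"
fi
```

With this in place the cron entry calls `certbot renew --deploy-hook /usr/local/bin/renew-hook.sh` instead of the wrapper script, and the keychain is only touched on a real renewal; because `set -e` is active, any failing step aborts before a bad bundle is imported. One thing to check on a current Homebrew install: OpenSSL 3 writes PKCS#12 files with AES-256 and a SHA-256 MAC by default, which older macOS keychains cannot read; adding `-legacy` to the `openssl pkcs12 -export` call produces the older format those keychains accept.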