Real SSL Certificates for OS X Server
28/07/17 17:05 Filed in: OS X | Systems Administration
LetsEncrypt (https://letsencrypt.org) has a mission of moving unencrypted Internet traffic to encrypted Internet traffic. They do this through relatively short-lived SSL certificates, so an automated process for setting up and maintaining them is vital.
On shifting my web site to OS X server I also adopted LetsEncrypt and its Certbot.
Certbot with OS X server
The easiest and recommended mechanism for installing Certbot (https://certbot.eff.org) for OS X is to use Homebrew (https://brew.sh). Once Homebrew is set up the instruction:
brew install certbot
will install the software.
Although there are some resources that describe the rest of the process:
- https://certbot.eff.org/#osx-apache
- https://community.letsencrypt.org/t/complete-guide-to-install-ssl-certificate-on-your-os-x-server-hosted-website/15005
I chose to use the running web server approach.
certbot --webroot certonly --webroot-path /Library/Server/Web/Data/Sites/Main/ -d atum-ra.castro.aus.net -d www.castro.aus.net -d atum-ra.castro.id.au
Please note that I do not use the default site directory (/Library/Server/Web/Data/Sites/Default). It has been changed on my instance of OS X server and my site is known by several names.
Once you have successfully generated your certificates you need to be able to renew them. This is tested with the command:
certbot renew --dry-run
The certificates need to be installed and automatically renewed. I adapted code by JeffTheRocker at (https://community.letsencrypt.org/t/complete-guide-to-install-ssl-certificate-on-your-os-x-server-hosted-website/15005) and called it from /etc/crontab. The shell script is installed as /usr/local/bin/renew.sh:
#!/bin/bash
PEM_FOLDER=/etc/letsencrypt/live/www.castro.aus.net/
# Renew any certificate that is due (certbot only contacts LetsEncrypt when needed)
certbot renew
# Generate a passphrase for the intermediate p12 file
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
# Transform the pem files into an OS X valid p12 file
openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:$PASS"
# Import the p12 file into the System keychain and allow servermgrd to use the private key
security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "$PASS" -T \
/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd
Run the script twice a day by adding a line to /etc/crontab:
25 11,23 * * * root /usr/local/bin/renew.sh > /dev/null
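The cron script above re-exports and re-imports the certificate on every run, whether or not certbot renewed anything. The following is an added example, not code from the post or from JeffTheRocker, that does the same keychain import as a certbot deploy hook: certbot's --deploy-hook option runs the script only after a certificate has actually been renewed and sets RENEWED_LINEAGE to that certificate's live directory. The file name /usr/local/bin/import-cert-hook.sh and the function names are assumptions; the keychain path and servermgrd path are the ones used in the post. The script also removes the intermediate p12 file after import so the private key is not left in a second file.

```shell
#!/bin/sh
# Hypothetical deploy hook, assumed to live at /usr/local/bin/import-cert-hook.sh.
# certbot runs it only after a certificate is actually renewed, with RENEWED_LINEAGE
# set to that certificate's live directory (e.g. /etc/letsencrypt/live/www.castro.aus.net).
# Invocation from /etc/crontab (one line):
#   25 11,23 * * * root certbot renew --deploy-hook /usr/local/bin/import-cert-hook.sh > /dev/null

KEYCHAIN=/Library/Keychains/System.keychain
SERVERMGRD=/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

# Succeed only if the lineage directory holds the three files the p12 export needs.
lineage_complete() {
    dir="$1"
    [ -r "$dir/privkey.pem" ] && [ -r "$dir/cert.pem" ] && [ -r "$dir/fullchain.pem" ]
}

# Throwaway passphrase for the intermediate p12: 30 characters from [A-Za-z0-9],
# drawn from /dev/urandom so this step needs no openssl call.
random_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 30
}

# Build the p12 from the lineage, import it into the System keychain with servermgrd
# allowed to use the key, then delete the p12 so the key is not left on disk twice.
build_and_import() {
    dir="$1"
    p12="$dir/letsencrypt_sslcert.p12"
    pass=$(random_passphrase)
    umask 077
    openssl pkcs12 -export -inkey "$dir/privkey.pem" -in "$dir/cert.pem" \
        -certfile "$dir/fullchain.pem" -out "$p12" -passout "pass:$pass" || return 1
    security import "$p12" -f pkcs12 -k "$KEYCHAIN" -P "$pass" -T "$SERVERMGRD"
    status=$?
    rm -f "$p12"
    return $status
}

main() {
    if ! lineage_complete "$RENEWED_LINEAGE"; then
        echo "import-cert-hook: incomplete lineage at $RENEWED_LINEAGE" >&2
        exit 1
    fi
    build_and_import "$RENEWED_LINEAGE"
}

# Run only when certbot invoked us as a hook; sourcing the file for testing does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

With this in place the crontab line calls certbot renew with the hook instead of the wrapper script, and a renewal that fails never reaches the keychain import, because certbot does not run the deploy hook for a lineage it could not renew.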