Securing websites with LetsEncrypt on macOS Server

Let's Encrypt is a provider of SSL certificates primarily used for securing websites (giving you the green padlock in your browser). For most needs, a certificate from Let's Encrypt provides an extremely cost-effective means of taking advantage of HTTPS. This is a brief rundown on how to get it up and running on macOS Server.

Let's Encrypt certificates expire after 90 days and need to be renewed manually; this short lifetime is one of the checks and balances imposed by Let's Encrypt to ensure its service stays trustworthy. Consequently, Let's Encrypt isn't suitable in all use cases. In our installations we do use it where appropriate, in conjunction with an additional piece of software called certbot that renews the certificate automatically.

On Linux the process of getting this up and running is widely documented, so we won't go over it here. The documentation we encountered for macOS isn't as easy to find.

We were tasked with replacing a certificate for an internal server running macOS Server 5.3. This server was running the web-based Change Password service, which allowed users to change their Open Directory passwords without visiting IT. The client was using a paid certificate that had expired, and consequently their users were getting confused and thinking the site had been hacked or blocked.

One option to restore HTTPS trust would have been to purchase a certificate from a third party and upload it to the server. This would have worked and provided the functionality requested; however, we suggested Let's Encrypt as an option because it provides an ongoing certificate with little ongoing maintenance and, most importantly, at zero cost.

On macOS Server we need to install Xcode and the Homebrew toolkit. Xcode can be installed via the App Store, and Homebrew can be obtained from https://brew.sh/

Install Homebrew via the following command:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Update Brew:

brew update

Create the Let's Encrypt directories:

sudo mkdir /etc/letsencrypt

sudo mkdir /var/lib/letsencrypt

sudo mkdir /var/log/letsencrypt


Install Let's Encrypt:

brew install letsencrypt

Obtain a certificate for your website, replacing WEB_ROOT_FOLDER with the site's document root folder and WEBSITE_ADDRESS with its public hostname (the webroot challenge requires the site to be reachable over HTTP on port 80 from the internet):

sudo letsencrypt certonly --webroot -w /Library/Server/Web/Data/Sites/WEB_ROOT_FOLDER -d WEBSITE_ADDRESS

This should result in output like the following:

Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/DOMAIN/fullchain.pem. Your cert
 will expire on [3 months]. To obtain a new or tweaked version of
 this certificate in the future, simply run certbot again. To
 non-interactively renew *all* of your certificates, run "certbot
 renew"

Now that we have obtained a certificate, we need to bundle it together with its private key and chain into a PKCS#12 file, which is the format the macOS keychain imports. Replace DOMAIN with the directory name certbot created under /etc/letsencrypt/live/, and choose your own export password in place of "password":

sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/DOMAIN/privkey.pem -in /etc/letsencrypt/live/DOMAIN/cert.pem -certfile /etc/letsencrypt/live/DOMAIN/fullchain.pem -out /etc/letsencrypt/live/DOMAIN/letsencrypt_sslcert.p12 -passout pass:"password"

Add the new certificate to the System keychain, supplying the same password used for the export. The -T option grants Server.app's management daemon (servermgrd) access to the private key without prompting:

sudo security import /etc/letsencrypt/live/DOMAIN/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P "password" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

Open Server.app and navigate to the Certificates section; you should see the Let's Encrypt certificate listed there, ready to be assigned to the website.
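Because certbot renew only refreshes the PEM files under /etc/letsencrypt/live/, the PKCS#12 export and keychain import above have to be repeated after every renewal or Server.app keeps serving the old certificate. The script below is an added example, not part of the original post or of certbot: it is written to be used as a certbot --deploy-hook, which certbot runs after a successful renewal with RENEWED_LINEAGE set to the lineage directory. It assumes the servermgrd and System.keychain paths from the page, uses chain.pem (the intermediates without the leaf) for -certfile, and protects the bundle with a one-time random password instead of a fixed one.

```shell
#!/bin/sh
# Constructed example: certbot deploy hook for macOS Server.
# Usage: certbot renew --deploy-hook /usr/local/bin/le-keychain-deploy.sh
set -eu

# Paths taken from the page; assumed unchanged on the target server.
SERVERMGRD="/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd"
KEYCHAIN="/Library/Keychains/System.keychain"

# Bundle privkey.pem + cert.pem + chain.pem from a lineage directory into
# letsencrypt_sslcert.p12 protected by $2. Prints the bundle path.
bundle_p12() {
    lineage="$1"; pass="$2"
    out="$lineage/letsencrypt_sslcert.p12"
    openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -out "$out" \
        -passout "pass:$pass"
    chmod 600 "$out"          # the bundle contains the private key
    printf '%s\n' "$out"
}

# Import the bundle into the System keychain, granting only servermgrd
# access to the private key (-T), not every application (-A).
import_p12() {
    p12="$1"; pass="$2"
    security import "$p12" -f pkcs12 -k "$KEYCHAIN" -P "$pass" -T "$SERVERMGRD"
}

# Full deploy: lineage dir from $1 or from certbot's RENEWED_LINEAGE.
# The one-time password never touches disk and the bundle is removed
# once the keychain holds a copy of the key.
deploy() {
    lineage="${1:-${RENEWED_LINEAGE:?RENEWED_LINEAGE not set}}"
    pass="$(openssl rand -hex 16)"
    p12="$(bundle_p12 "$lineage" "$pass")"
    import_p12 "$p12" "$pass"
    rm -f "$p12"
}

# Run automatically only when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

After a renewal, Server.app still has to be told to use the newly imported certificate for the site (the old one is not replaced in place), so check the Certificates section after the first automated run.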