Install SSL certificate on your mac server [renewal procedure updated]

What is SSL?

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted connection between a web server and a browser. SSL uses a combination of public-key and symmetric-key encryption to secure a connection between two machines. Typically, a website that wants to encrypt data in transit between the server and the client needs to obtain an SSL certificate, which contains the server's public key and is installed on the server alongside the matching private key.

Why SSL encryption?

Apart from the security problems discussed above, there are many other reasons you may need SSL encryption.

As of January 1st 2017 SSL encryption is a ranking factor in Google’s algorithm. Furthermore, Chrome and Firefox display a warning for any non-secure HTTP page that contains a password field. Chrome’s warning is more severe – on the left-hand side of the address bar it reads “Not Secure.” As a website owner, you need to consider the effect of your web users seeing that your site is “Not Secure”.

How to migrate from HTTP to HTTPS on your mac?

I will help you configure your mac server so that your websites support HTTPS. You don’t need to spend money to get this working, but you need a little mac scripting knowledge and a bit of patience. This procedure was first developed by Edwin Andino, but here I report the final working version with slight modifications (especially for certificate conversion and installation).

FIRST STEP: Get a SSL certificate

SSL certificates need to be issued by a trusted Certificate Authority (CA). Browsers and operating systems ship with a list of trusted CA root certificates.

You can buy a certificate from various authorities (the cost starts from 30€), such as GlobalSign, DigiCert and so on. A complete list of trusted certificate authorities is also supplied by Apple. Otherwise, you can get one for free from Let’s Encrypt, a free and open certificate authority run by the non-profit Internet Security Research Group.

SECOND STEP: Install the “Let’s Encrypt” client with Homebrew

In order to install the Let’s Encrypt client (certbot), you need Homebrew configured on your mac. You can find the correct procedure here. Open the Terminal app and run the following commands:

brew update

sudo mkdir /etc/letsencrypt

sudo mkdir /var/lib/letsencrypt

sudo mkdir /var/log/letsencrypt

brew install letsencrypt

THIRD STEP: Get the certificate from Let’s Encrypt

Use the following commands to request the certificate. Replace the generic website name (example.com) with yours, and check the document root of your websites (mine is /Library/WebServer/Documents/).

sudo letsencrypt certonly --webroot -w /Library/WebServer/Documents/example.com/ -d example.com

You can also get one certificate covering multiple subdomains:

sudo letsencrypt certonly --webroot -w /Library/WebServer/Documents/example.com/ -d example.com -d sub1.example.com -d sub2.example.com

or multiple domains:

sudo letsencrypt certonly --webroot -w /Library/WebServer/Documents/example.com/ -d example.com -w /Library/WebServer/Documents/example1.com/ -d example1.com

The Terminal app will ask for your email address. The address is used to register your account with the certificate authority. You will also receive expiry notices when your certificate is coming up for renewal (20 days before it expires, with further notices at 10 days and 1 day before) and security notices.

Then you have to agree to the Terms of Service (choose “a”).

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

After this, you’ll get the certificate.

NOTE: if something goes wrong you’ll receive an error such as “Failed authorization procedure” with a short description.

FOURTH STEP: Convert and import the certificate into the Apple Keychain

At this point you have to convert your certificate (from .pem to .p12) so that it is compatible with the Apple Keychain. Run the following command in Terminal, again replacing the generic website name (example.com) with yours.

sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/cert.pem -certfile /etc/letsencrypt/live/example.com/fullchain.pem -out /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12 -passout pass:YOUR_PASSWORD_HERE

After this, import your certificate into the Apple Keychain and allow the Server app to use it:

sudo security import /etc/letsencrypt/live/example.com/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P YOUR_PASSWORD_HERE -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

You’ll receive a confirmation that the identity and certificate were imported.

FIFTH STEP: Switch your website settings to SSL

Open the Server app (or relaunch it if it is already open) and click on “Websites”. Select your website www.example.com and choose the SSL certificate issued by Let’s Encrypt Authority X3. The port should automatically change to 443. Click OK to save the changes.


RENEW YOUR CERTIFICATE [Update April 8, 2017]

Remember that Let’s Encrypt certificates expire after 3 months. You will, however, receive an email notification as the expiry approaches.

To renew your certificate, run the following in Terminal:

sudo certbot renew

After this, repeat the FOURTH STEP to load the new certificate into your Keychain. Close and reopen Server.app: you will find two Let’s Encrypt certificates (with different expiration dates). Choose the new one for all your services.

At this point you have to remove the old certificate. Open Keychain Access.app (in /Applications/Utilities) and find your certificates under the “System” keychain. Remove the certificate that has already expired or is about to expire.

Close and reopen Server.app and voilà: the new certificate is in place and your SSL services work correctly with it.
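The renewal section above repeats the THIRD and FOURTH STEPs by hand every 3 months. The script below is an added example (not the post’s own script, nor part of certbot) that wraps the same commands into one run: it checks how long the current certificate is still valid, and only then renews with certbot, rebuilds the .p12 and imports it into the System keychain with access for servermgrd, exactly as the post does. Assumptions: certbot keeps the live files under /etc/letsencrypt/live/<domain>/ as shown in the post, the .p12 export password is passed in a P12_PASS environment variable (so openssl reads it via env: rather than from the command line, where it would be visible in the process list and shell history), the renewal threshold of 30 days is a chosen default, and the script is run with sudo because /etc/letsencrypt and the System keychain are root-owned.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps the post's renewal
# procedure (certbot renew + openssl pkcs12 + security import) in one script.
# Assumed: certbot live directory, P12_PASS env var, run as root via sudo.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
# Path taken from the post's "security import -T" argument.
SERVERMGRD="/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd"

# Exit status 0 if the certificate in $1 is still valid $2 days from now,
# 1 if it expires before then (or cannot be read). openssl does the date
# arithmetic itself, so no BSD/GNU date parsing is needed.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the notAfter date of the certificate in $1 (for logging).
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# FOURTH STEP of the post: build the .p12 from the renewed PEM files and
# import it into the System keychain, granting servermgrd access.
# The export password is read from the environment (env:P12_PASS), not
# from the command line. The chmod is an addition not in the post: the
# .p12 bundles the private key, so keep it readable by root only.
convert_and_import() {
    dir="$LIVE_DIR/$1"
    p12="$dir/letsencrypt_sslcert.p12"
    openssl pkcs12 -export \
        -inkey "$dir/privkey.pem" -in "$dir/cert.pem" \
        -certfile "$dir/fullchain.pem" -out "$p12" -passout env:P12_PASS
    chmod 600 "$p12"
    security import "$p12" -f pkcs12 -k "$KEYCHAIN" -P "$P12_PASS" -T "$SERVERMGRD"
}

# Renew only when the certificate is within $2 days of expiry (default 30,
# the same window certbot's own renew command uses), then refresh the
# keychain copy. Safe to run daily: it does nothing while the cert is fresh.
main() {
    domain="$1"
    threshold="${2:-30}"
    cert="$LIVE_DIR/$domain/cert.pem"
    : "${P12_PASS:?set P12_PASS to the .p12 export password}"
    if cert_valid_for_days "$cert" "$threshold"; then
        echo "$domain: valid until $(cert_expiry "$cert"), nothing to do"
        return 0
    fi
    echo "$domain: expires $(cert_expiry "$cert"), renewing"
    certbot renew --cert-name "$domain" --quiet
    convert_and_import "$domain"
    echo "$domain: renewed, now valid until $(cert_expiry "$cert")"
}

# Usage: sudo P12_PASS='...' sh renew_le_cert.sh example.com [days]
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

After the script has run you still have to do the part the post describes for Server.app: select the new certificate for your services and delete the old one from the System keychain in Keychain Access, because `security import` adds a second identity rather than replacing the first. Note that `security import` itself only accepts the password as a `-P` argument, so it briefly appears in the process list on the import step; the openssl step avoids this by reading it from the environment.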
