Automatically Switch to Renewed SSL Certificate

Running OS X Server 5.4 on 10.13 High Sierra.


I've set up a server to use certbot to automatically renew SSL/TLS certificates from Let's Encrypt for web, mail, and DAV. The LaunchDaemon script is successful in obtaining the new certificates and importing them into the Keychain, but from there I must MANUALLY select the renewed certificates using the Certificates panel in ServerAdmin.


Is there a helper script that would automate this process, since certs from Let's Encrypt are only valid for 90 days and I do not want to be sitting at a terminal doing this manually every time?

Posted on Jan 11, 2021 10:47 PM

1 reply

Jan 28, 2021 9:39 PM in response to RedRhubarb

Found it.


The solution for the automated switchover of renewed SSL certs seems to be simple but dangerous. One simply deletes the certificate from the keychain. It's counter-intuitive to have to delete a perfectly working certificate, but remember, we're just removing it from the keychain. If you are really scared about it, you would've saved the original .pem file somewhere. And in a few weeks, the old certificate will expire and your preoccupation will be moot.


Once the old certificate's entry is removed from the keychain, servermgrd goes looking for a new certificate covering the same domain; this will activate the new certificate.
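
The deletion step described in the reply above can be scripted as a post-renewal hook; the following is an added example, not part of the original thread or any Apple or certbot tooling. It assumes the certificates are imported into the System keychain, that certbot uses its default `/etc/letsencrypt/live/` path, and that `security find-certificate` prints the `SHA-1 hash:` and `"labl"<blob>=` lines shown in the comments; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: after a renewal, remove superseded certificates for one host
# from the keychain so that only the freshly imported one remains.
# Assumed, not from the thread: the System keychain as import target, certbot's
# default live/ path, and all function names.
KEYCHAIN="/Library/Keychains/System.keychain"

# stdin: an "openssl x509 -fingerprint -sha1" line; stdout: bare upper-case hex.
normalize_fp() {
    sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# stdin: "security find-certificate -a -Z" output. Prints the SHA-1 hash of
# every certificate labelled exactly $1 whose hash differs from $2 (the keeper).
# Unrecognised output yields nothing, so a format change deletes nothing.
stale_hashes() {
    awk -v cn="$1" -v keep="$2" '
        /^SHA-1 hash: / { h = toupper($3) }
        /"labl"<blob>="/ {
            l = $0; sub(/^.*"labl"<blob>="/, "", l); sub(/".*$/, "", l)
            if (l == cn && length(h) == 40 && h != keep) print h
            h = ""
        }'
}

prune_old_certs() {
    domain="$1"
    pem="${2:-/etc/letsencrypt/live/$domain/cert.pem}"
    keep=$(openssl x509 -noout -fingerprint -sha1 -in "$pem" | normalize_fp)
    [ "${#keep}" -eq 40 ] || { echo "cannot fingerprint $pem" >&2; return 1; }
    listing=$(security find-certificate -a -c "$domain" -Z "$KEYCHAIN") || return 1
    # Delete nothing unless the renewed certificate is already in the keychain.
    printf '%s\n' "$listing" | grep -q "^SHA-1 hash: $keep\$" || {
        echo "renewed certificate not imported yet; nothing deleted" >&2
        return 1
    }
    printf '%s\n' "$listing" | stale_hashes "$domain" "$keep" |
    while read -r hash; do
        echo "removing superseded certificate $hash"
        security delete-certificate -Z "$hash" "$KEYCHAIN"
    done
}

# Run only when a host name is given, e.g.: sudo sh prune_certs.sh mail.example.com
if [ $# -gt 0 ]; then prune_old_certs "$@"; fi
```

Because the script keeps the certificate whose fingerprint matches certbot's current `cert.pem` and refuses to run if that certificate is not yet in the keychain, a failed import cannot leave the services without any certificate.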
