Article ID = 211 Article Title = How To Setup Let's Encrypt For OS X / macOS + Server 5.x Article Author(s) = Graham Needham (BH) Article Created On = 23rd November 2017 Article Last Updated = 10th October 2018 Article URL = https://www.macstrategy.com/article.php?211 Article Brief Description: How to setup and configure Let's Encrypt secure certificates with OS X / macOS and Server 5.x
For instance, this thread illustrates what happen in the case where a go build is done outside of GOPATH/src: Looks like your GOPATH is set to ~/go but you ran the go install command on ~/dev/go. See Go Build. The Go path is a list of directory trees containing Go source code. It is consulted to resolve imports that cannot be found in the standard Go tree. Mar 20, 2015 - Looks like your GOPATH is set to ~/go but you ran the go install command on. Go install: no install location for.go files listed on command line (GOBIN not set).
How To Setup Let's Encrypt For OS X / macOS + Server 5.x
WARNING: As of September 2018 Apple has gutted macOS Server and removed most/all of the useful Server features! Instructions for installing Let's Encrypt website secure SSL certificates for OS X / macOS with websites hosted by OS X / macOS Server.
Preparation
In this article:
Replace all instances of 'your_domain_name' with your actual Domain Name
Replace all instances of '.tld' with the appropriate |Top-Level Domain' code applicable to your Domain Name purchase/registration e.g. '.com'
This article assumes you have not moved the standard OS X / macOS Server web folders directory from it's standard location at /Library/Server/Web/Data/Sites/ - if you have you will need to replace all instances of /Library/Server/Web/Data/Sites/ with the path to your alternate location
the ~ character refers to your home directory i.e. usually, Macintosh HD > Users >your home directory (usually a house icon)
To get to hidden folders/directories in the Finder e.g. /etc/, in the Finder, go to the Go menu > Go to Folder… > enter the path to the folder/directory you want to go to e.g. '/etc/'
Replace 'admin_password' with your actual computer administrator account password
You will need the following before you can continue with this configuration article:
Basic skills at using the Terminal command line - iMore has a good introduction to it here
A decent text editor that is better than TextEdit e.g. BBEdit (US$49.99)
A launchd plist editor e.g. Lingon X (US$10.99)
Apple Mac computer running OS X 10.10 or later:
OS X / macOS Server:
At least one domain name and website configured via OS X / macOS Server. We have some articles that may help with this:
macOS 10.14 Mojave + Server 5.7.x - coming soon
macOS 10.13 High Sierra + Server 5.4-5.6.3 - coming soon
The domain(s) you want to obtain certificates for must be configured in OS X / macOS Server and publicly accessible via the normal internet
Consider the timing - Let's Encrypt issues 90 day certificates that can be renewed with less than 30 days to go - so 90 days is the max renewal via manual methods, 60 days is the auto renewal timeframe - so think about when those dates will fall after the initial setup and that you will be around/available to perform the manual renewal or check that the auto renewal method has worked!
You will need a contact/registration email address for each domain certificate that you initially request - this is also used for renewal/problem emails so it might be worth setting up a special email address for this sort of thing if you haven't already got one
Install and setup 'Let's Encrypt' with Homebrew
To install Homebrew vist http://brew.sh then return to here. Go to Macintosh HD > Applications > Terminal > and enter the following commandsbrew update sudo mkdir /etc/letsencrypt sudo mkdir /var/lib/letsencrypt sudo mkdir /var/log/letsencrypt brew install letsencrypt git clone https://github.com/letsencrypt/letsencryptIf everything went okay, you should see the following folders in:
~/letsencrypt
/etc/letsencrypt
Create required (hidden) directories
Using the Terminal, create two folders/directories for automated scripts:mkdir ~/letsencrypt/my_script mkdir ~/letsencrypt/my_script/logsYou need to create two (hidden) folders/directories in the website for each domain that you want certificates for:sudo mkdir /Library/Server/Web/Data/Sites/your_domain_name's website folder/.well-known/ sudo mkdir /Library/Server/Web/Data/Sites/your_domain_name's website folder/.well-known/acme-challengeFiles in these folders must be publicly accessible via the normal internet. To test this put a quick and dirty html file named 'test.html' in each of the folders then make sure you can access them via a browser at:
Using the Terminal, enter the following command: NOTE: As wildcard certificates are not available yet, you can add multiple, additional sub-domain cerificates with '-d additional.your_domain_name.tld' on the end of the command below e.g. '-d mail.your_domain_name.tld' UPDATE 19/03/2018: Let's Encrypt - ACME v2 and Wildcard Certificate Support is Livesudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/your_domain_name's website folder -d your_domain_name.tld -d www.your_domain_name.tld
Follow the on-screen instructions. If successful your certificate (a 'cert.pem' file) will appear in /etc/letsencrypt/live/your_domain_name.tld/
Manually convert the certificate for use with OS X / macOS
Using the Terminal, enter the following command:sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/your_domain_name.tld/privkey.pem -in /etc/letsencrypt/live/your_domain_name.tld/cert.pem -certfile /etc/letsencrypt/live/your_domain_name.tld/fullchain.pem -out /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -passout pass:'admin_password'
Import the certificate into the OS X / macOS Keychain
Using the Terminal, enter the following command:sudo security import /etc/letsencrypt/live/your_domain_name.tld/letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P 'admin_password' -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrdCheck the certificate has been installed successfully (into the OS X / macOS Keychain) by going to Server app > Certificates - you should see the certificate for your domain listed as Issuer: 'Let's Encrypt Authority X3'. Quit and relaunch the Server application if it was open while you were doing the above.
Configure your website(s) to use https
Open the Server application and for each website:
Click on 'Websites' on the left
Make sure the domain already has a non-secure website entry using port 80 - do not delete this or edit this to be a secure entry
Create a new website entry for the website and set:
'Domain name' to 'your_domain_name.tld'
'SSL Certificate' to the one you just installed i.e. 'your_domain_name.tld - Let’s Encrypt Authority X3' and check that the port number automatically changes to '443'
'Store Site Files In' to the directory for your website files
Click the 'Edit…' button to the right of 'Additional Domains' and add 'www.your_domain_name.tld'
Click the 'Edit…' button to the right of 'Index Files' and set accordingly
Click 'OK' to return to the main Websites list window
Optional - update the domain's non-secure website entry with a redirect so that all web page accesses go to https:
NOTE: See also the considerations of moving to https section below for some important implications of moving your web site to https.
Edit the non-secure website entry
Click the 'Edit…' button to the right of 'Redirects'
Set 'Source' to '/' (everything)
Set 'Destination' to 'https://www.your_domain_name.tld/' with status 'permanent 301' (redirection)
Click 'OK'
Click 'OK' to return to the main Websites list window
Manual certificate renewal
Using the Terminal, enter the following command: NOTE: As wildcard certificates are not available yet, you can add multiple, additional sub-domain cerificates with '-d additional.your_domain_name.tld' on the end of the command below e.g. '-d mail.your_domain_name.tld'. This should be the same as the initial certificate but if they are different you should get a special 'update configuration' prompt when doing the following command. UPDATE 19/03/2018: Let's Encrypt - ACME v2 and Wildcard Certificate Support is Livesudo certbot certonly --webroot -w /Library/Server/Web/Data/Sites/your_domain_name's website folder -n -d your_domain_name.tld -d www.your_domain_name.tldFollow the on-screen instructions. If successful your certificate (a 'cert.pem' file) will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date
Automate certificate renewal
Using the Terminal, enter the following command and note the output result:echo $PATHFor each domain/website, create a command text file using your favourite text editor e.g. BBEdit in ~/letsencrypt/my_script:Use a launchd editor e.g. Lingon X to add a launchd automated task, running as root, to run the script you just created and pick a regular day and/or time. For example to trigger your automated certificate renewal script to run every Tuesday at 08:00:
Create a new task
TICK 'Enabled'
Set 'User' to 'root'
Name = 'com.your_domain_name.cert_renewal_tuesday.plist'
Run = '/Users/replace_with_your_home_directory_name/letsencrypt/my_script/cert_renewal_your_domain_name_tuesday.sh'
NOTE: The .sh filename should match the name of the script you created above.
When tab > TICK 'Scheduled'
Set schedule to 'Day of week' + 'Tuesday' + '08:00'
Click 'Save'
To test it works, select it and click the 'Test' button - if there are no error messages you can check the script has run correctly by checking:
A new, converted certificate titled 'letsencrypt_sslcert.p12' will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date.
If (and only if) the certificate has been renewed a new, updated certificate titled 'cert.pem' will appear in /etc/letsencrypt/live/your_domain_name.tld/ with a current date and time creation date.
If (and only if) the certificate has been renewed a new, updated certificate will have been imported successfully into the OS X / macOS Keychain - go to the Server application > Certificates - you should see the new certificate for your domain listed as Issuer: 'Let's Encrypt Authority X3' and an updated 'Expiration Date'. Quit and relaunch the Server application if it was open while you were doing the above.
Old certificates will still show in the Server application - you can manually delete them and services should automatically switch over to using the renewed/new certificate.
Considerations of moving to https
Redirecting all http accesses to https - there are several ways to do this (one is listed above in our configure your website(s) to use https section above)
Canonical links in page headers
Robots
Google page ranking (a https link may be treated differently to a http link)
Mixed content on your page i.e. content server up from other servers e.g. adverts - this will cause browsers to show users that your site is not totally secure
Useful information:
References
The following pages were extremely useful in compiling this set of instructions:
Article Keywords: OS X OSX 1010 1011 macOS 1012 1013 1014 Yosemite El Capitan Sierra High Sierra Mojave Server 4 5 internet web email SMTP POP PO3 IMAP secure SSL certificate free domain domains name names plist cron job cronjob launchd automate automatic regular renew Let's Encrypt letsencrypt certbot
If this information helped you or saved you time and/or money why not donate a little to us via PayPal? All proceeds go directly to MacStrategy / Burning Helix Limited to help fund this web site.
If this information helped you or saved you time and/or money why not donate a little to us via PayPal? All proceeds go directly to MacStrategy / Burning Helix Limited to help fund this web site. Go to this web page to donate to us.
Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign up New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Labels
Comments
commented Jul 29, 2017
What version of Go are you using (go version)?
go version go1.8.3 darwin/amd64
What operating system and processor architecture are you using (go env)?
I open /User/beary/go and run go install demo/demo.go. it's work well and generate a demo file on /User/beary/go/bin.
But when I run go install github.com/golang/lint/lint.go, the result is go install: no install location for .go files listed on command line (GOBIN not set)
This is my environment setting
My os is macOS Sierra 10.12.6
commented Jul 29, 2017
But when I run go install github.com/golang/lint/lint.go, the result is go install: no install location for .go files listed on command line (GOBIN not set)
That's expected. The correct command is go install github.com/golang/lint/golint, ie. an import path, not a file path.
commented Jul 29, 2017
@cznic Thank you!
closed this Jul 29, 2017
changed the title`go install` report GOBIN not setAug 2, 2017
locked and limited conversation to collaborators Aug 2, 2018
added the FrozenDueToAge label Aug 2, 2018
Sign up for freeto subscribe to this conversation on GitHub. Already have an account? Sign in.