macOS Security – Create Certificate Files Without Rebooting

Tags: certificate, keychain, macos, osx-server, Security

I am trying to move from Comodo to Let's Encrypt certificates on OS X Server (10.7).

Something in Apple's server.app and ServerAdmin.app is broken. I can see and select newly imported certificates in server.app but after a few seconds and re-opening the dialog the selected certificates are back to the original value. In "Server Admin" > Mail > Advanced tab I can select the new certificates and they stick. However the imap and smtp services still use the old certificate.

I see that for the old certificate there are 4 files in /etc/certificates/: host.domain.tld.SHA1.{key,cert,chain,concat}.pem

I know that only the old certificate is in /etc/certificates/ because the SHA1 of the new certificate, looked up with:

$ openssl x509 -in host.domain.tld.cer -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'

shows a different SHA1.

Security import

According to the certbot4osx source code, it looks like the security import host.domain.tld.cer -k /Library/Keychains/System.keychain command should

  1. import the certificate into the system keychain, and
  2. create the /etc/certificates/$1.$SHA_NEW.cert.pem

Reboot

After a reboot only 3 files (.cert, .chain and .concat) are in /etc/certificates/, not .key. Other times all 4 required files are in /etc/certificates/ after the reboot.

CertsKeychainMonitor

I suspect that the CertsKeychainMonitor plugin is involved in creating the .pem files. It is a daemon started via com.apple.UserEventAgent-System.plist. I suspect this because Console lists, at the very second the .pem file is created:

UserEventAgent: CertsKeychainMonitor: ready to process keychain & timer events.

How can I always get all 4 (Let's Encrypt) certificate files correctly into /etc/certificates/, without a reboot?

Best Answer

1. Also import the .fullchain

Besides the .cer file, also import the corresponding .fullchain file into the keychain, like:

$ sudo /usr/bin/security -v import /Users/user/letsencrypt/fullchain.cer -k "/Library/Keychains/System.keychain"

2. Unload and load UserEventAgent-System

$ sudo /bin/launchctl unload /System/Library/LaunchDaemons/com.apple.UserEventAgent-System.plist; sudo /bin/launchctl load /System/Library/LaunchDaemons/com.apple.UserEventAgent-System.plist

3. Wait

Wait about 1-2 minutes for the 4 certificate files to appear correctly in /etc/certificates/.
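A small check script for the procedure above, added here as an example (it is not from the original post or from certbot4osx): it computes the new certificate's SHA1 fingerprint the same way the question does, then polls /etc/certificates/ until all four host.SHA1.{key,cert,chain,concat}.pem files exist or a timeout expires. The host name, certificate path and timeout are assumed arguments; the directory defaults to /etc/certificates.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies that the 4 .pem files
# OS X Server expects are present for a given certificate fingerprint.

# cert_sha1 FILE: print the certificate's SHA1 fingerprint as uppercase hex
# without colons (same pipeline as the question). Requires openssl.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'
}

# cert_files_present HOST SHA1 [DIR]: return 0 if all four non-empty files
# DIR/HOST.SHA1.{key,cert,chain,concat}.pem exist; otherwise list the missing
# ones on stderr and return 1. DIR defaults to /etc/certificates.
cert_files_present() {
    host=$1; sha=$2; dir=${3:-/etc/certificates}
    missing=""
    for kind in key cert chain concat; do
        f="$dir/$host.$sha.$kind.pem"
        [ -s "$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

# wait_for_cert_files HOST SHA1 DIR [TIMEOUT]: poll every 5 seconds until the
# files appear (the answer says 1-2 minutes) or TIMEOUT seconds have elapsed.
# Returns 0 when all four files are present, 1 on timeout.
wait_for_cert_files() {
    host=$1; sha=$2; dir=$3; timeout=${4:-180}
    elapsed=0
    while ! cert_files_present "$host" "$sha" "$dir" 2>/dev/null; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 5
        elapsed=$((elapsed + 5))
    done
    return 0
}

# Usage after steps 1 and 2 of the answer (paths are hypothetical):
#   sha=$(cert_sha1 /Users/user/letsencrypt/host.domain.tld.cer)
#   wait_for_cert_files host.domain.tld "$sha" /etc/certificates 180 \
#       && echo "all 4 files present for $sha"
```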