I am trying to move from Comodo to Let's Encrypt certificates on OS X Server (10.7).
Something in Apple's server.app and ServerAdmin.app is broken. I can see and select newly imported certificates in server.app but after a few seconds and re-opening the dialog the selected certificates are back to the original value. In "Server Admin" > Mail > Advanced tab I can select the new certificates and they stick. However the imap and smtp services still use the old certificate.
I see that for the old certificate there are 4 files in /etc/certificates/: host.domain.tld.SHA1.{key,cert,chain,concat}.pem
I know that only the old certificate is in /etc/certificates/ because the SHA1 of the new certificate, looked up with:
$ openssl x509 -in host.domain.tld.cer -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'
is showing a different SHA1.
Security import
According to the certbot4osx source code, it looks like the security import host.domain.tld.cer -k /Library/Keychains/System.keychain command should
- import the certificate into the system keychain, and
- create /etc/certificates/$1.$SHA_NEW.cert.pem
Reboot
After a reboot only 3 files, .cert, .chain and .concat, are there in /etc/certificates/, not .key. Other times all 4 required files are in /etc/certificates/ after the reboot.
CertsKeychainMonitor
I suspect that the CertsKeychainMonitor plugin is involved in .pem file creation. This is a daemon started via com.apple.UserEventAgent-System.plist, because Console lists, at the second of the .pem file creation:
UserEventAgent: CertsKeychainMonitor: ready to process keychain & timer events.
How do I always get all 4 (Let's Encrypt) certificate files correctly in /etc/certificates/, without a reboot?
Best Answer
1. Also import the .fullchain
Besides the .cer file, also import the corresponding .fullchain file into the keychain, like
2. Unload and load UserEventAgent-System
3. Wait
About 1-2 minutes for the 4 certificate files to correctly appear in /etc/certificates/
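The following script is an added example, not code from the question, the answer or certbot4osx. It wraps the fingerprint lookup from the question and the four-file naming convention (host.domain.tld.SHA1.{key,cert,chain,concat}.pem) into a check you can run after step 3, and adds an openssl s_client probe so you can confirm that imap and smtp actually present the new certificate rather than the old one. The function names, the port/STARTTLS arguments and the directory argument (which defaults to /etc/certificates) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that Server.app has written all four
# certificate files for a given certificate, and that services present it.

# cert_sha1 FILE: SHA-1 fingerprint of a certificate without colons, i.e. the
# same pipeline as in the question; Server.app uses this value in file names.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'
}

# expected_cert_files NAME SHA1: the four file names the question says
# Server.app keeps in /etc/certificates/ for one certificate.
expected_cert_files() {
    for suffix in key cert chain concat; do
        echo "$1.$2.$suffix.pem"
    done
}

# missing_cert_files NAME SHA1 [DIR]: print every expected file that is absent
# or empty in DIR (default /etc/certificates). Returns 0 only when all four exist.
missing_cert_files() {
    name=$1; sha=$2; dir=${3:-/etc/certificates}
    rc=0
    for f in $(expected_cert_files "$name" "$sha"); do
        if [ ! -s "$dir/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# served_cert_sha1 HOST PORT [STARTTLS-PROTO]: fingerprint of the certificate a
# running service presents. Use e.g. 993 (imaps), 465 (smtps), or 25/143 with
# "smtp"/"imap" as the STARTTLS protocol. Compare with cert_sha1 of the new cert.
served_cert_sha1() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        printf '' | openssl s_client -connect "$host:$port" -starttls "$proto" 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'
    else
        printf '' | openssl s_client -connect "$host:$port" 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha1 | cut -f2 -d'=' | sed 's/://g'
    fi
}

# Usage (runs only when invoked with two arguments):
#   sh check-certs.sh host.domain.tld /path/to/host.domain.tld.cer
if [ "$#" -eq 2 ]; then
    sha=$(cert_sha1 "$2")
    if missing=$(missing_cert_files "$1" "$sha"); then
        echo "all four files for $1 ($sha) present in /etc/certificates/"
    else
        echo "missing or empty in /etc/certificates/:"
        echo "$missing"
    fi
    echo "imaps (993) presents: $(served_cert_sha1 "$1" 993)"
    echo "smtp  (25)  presents: $(served_cert_sha1 "$1" 25 smtp)"
fi
```

Run it once before and once a couple of minutes after reloading UserEventAgent-System: the first call should list the .key file as missing if you are hitting the problem from the question, and the served fingerprints should only match the new certificate after the mail services have been restarted.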