Steps to create a new SSL cert with Let's Encrypt

Fully Automated Let’s Encrypt SSL for PaperCut MF/NG on macOS Help! I’m a Systems Administrator trying to renew or create a new SSL certificate for my PaperCut NG or MF server using Let’s Encrypt on macOS. How can I complete this process smoothly and securely? When it comes time to renew your SSL certificate on your PaperCut NG or MF server, you want the process to be smooth and straightforward. Some customers opt to automate this process using Let’s Encrypt, a free, automated, and open certificate authority (CA). This guide walks you through the process of generating a brand new SSL certificate—or renewing an existing one—with Let’s Encrypt on macOS, and setting it up to automatically renew every 90 days. Prerequisites Before we dive in, make sure you have: A DNS name like print.yourcompany.com pointing to your server Access to your DNS provider (e.g. Cloudflare) Homebrew installed on your Mac Admin rights on the macOS machine running PaperCut Install Certbot & Cloudflare Plugin Open Terminal and run: brew install certbot certbot-dns-cloudflare Create a Cloudflare API Token Go to Cloudflare API Tokens Click Create Token Choose the Edit zone DNS template Set permissions: Zone → DNS → Edit Under Zone Resources, select your domain (e.g. yourcompany.com) Save the token—you won’t see it again! Save the API Token Securely In Terminal: mkdir -p ~/.secrets/certbot chmod 700 ~/.secrets/certbot nano ~/.secrets/certbot/cloudflare.ini Paste this into the file: dns_cloudflare_api_token = YOUR_TOKEN_HERE Then: chmod 600 ~/.secrets/certbot/cloudflare.ini Request Your SSL Certificate Replace your domain and email: sudo certbot certonly \ --dns-cloudflare \ --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \ -d print.yourcompany.com \ --non-interactive \ --agree-tos \ --email you@yourcompany.com \ --deploy-hook "/usr/local/bin/update-papercut-cert.sh" Certbot will: Prove domain ownership via Cloudflare DNS Generate your certificate Save it to: /etc/letsencrypt/live/print.yourcompany.com/ Deploy the Cert to PaperCut This script converts the cert into PaperCut’s format and restarts the server. sudo nano /usr/local/bin/update-papercut-cert.sh Paste this: #!/bin/bash DOMAIN="print.yourcompany.com" CERTDIR="/etc/letsencrypt/live/$DOMAIN" TARGET="/Applications/PaperCut MF/server/custom" P12_NAME="my-ssl-keystore-papercutsrv.p12" PASSWORD="changeit" openssl pkcs12 -export \ -inkey "$CERTDIR/privkey.pem" \ -in "$CERTDIR/fullchain.pem" \ -name jetty \ -out "$TARGET/$P12_NAME" \ -passout pass:$PASSWORD chown root:admin "$TARGET/$P12_NAME" chmod 640 "$TARGET/$P12_NAME" launchctl unload /Library/LaunchDaemons/papercut.plist launchctl load /Library/LaunchDaemons/papercut.plist echo "SSL certificate installed and PaperCut restarted." Then: sudo chmod +x /usr/local/bin/update-papercut-cert.sh Automate Renewals Certbot will handle the renewals, but we need to schedule it. Edit the root crontab: sudo crontab -e Add: 0 3 * * 1 certbot renew --quiet This checks for expiring certs every Monday at 3am, renews if needed, and runs the deployment script. That’s It! You’re now running a secure PaperCut server with a Let’s Encrypt SSL certificate that: Automatically renews itself every 90 days Deploys without manual steps Keeps your browser padlock happy at https://print.yourcompany.com:9192 Verify the Certificates Check the certificates using OpenSSL: openssl s_client -connect localhost:9192 -servername papercutsrv.example.com -showcerts Restart PaperCut and validate: sudo launchctl unload /Library/LaunchDaemons/papercut.plist sudo launchctl load /Library/LaunchDaemons/papercut.plist Verify in your browser at https://<your-server-hostname>:9192 check the padlock → certificate details Or run openssl s_client -connect localhost:9192 -showcerts