[Updated 11/17 to reflect deprecation of Let’s Encrypt Mac OSX client.]

While it’s preferrable to install Electronic Frontier Foundation‘s certbot* on your hosting environment (so certificate renewal can be automated via cron), you’ll need root access to do so, in order to install dependencies.

For those situations where that’s not possible, (such as a site hosted on a shared environment), you can install certbot and generate the certificates locally.

Pre-Install Checklist

Make sure you have all of the following installed and updated:

1. Homebrew — Run the following on the command-line to install Homebrew:

   /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

   If you already have brew installed, run brew update and brew upgrade, then run brew doctor and address any issues that come up.

2. Git — brew install git
3. Xcode – Install it via the App Store, then run xcode-select --install to install the command-line tools.
4. Pip – sudo easy_install pip

Install certbot

Thanks to Homebrew, installing certbot is one, simple command:

brew install certbot

Assuming no issues, you’re now ready to generate SSL certificates locally.

*What happened to Let’s Encrypt’s Mac OSX client?

letsencrypt-auto and certbot-auto support for OSX (among others) was never more than “experimental”, hence having to add the --debug flag when installing it. Running either of these commands will now return this error message:

WARNING: certbot-auto support for this macOS is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible. 

They’re being phased out in favor of certbot, which has proper OS package support.