How to Use Let’s Encrypt SSL Certificates with FileMaker Server
Let’s Encrypt is a non-profit certificate authority with the mission of spreading the SSL love across the internet. Though they’re not officially supported, we can use Let’s Encrypt to get free SSL certificates to use with FileMaker Server. We will use a PowerShell script and the Windows Task Scheduler on Windows Server 2012 R2 to retrieve and automatically renew SSL certificates through Let’s Encrypt to make sure our connections to FileMaker Server are secure. With this, there’s no reason anyone should have an invalid SSL certificate on their FileMaker Server deployment!
WARNING: FileMaker does not list Let’s Encrypt as a supported SSL vendor. We’ve had no problems with using these SSL certificates, but can’t make any guarantees for you. This is an experimental script and procedure. Please proceed with the use of this PowerShell script and Let’s Encrypt SSL certificates at your own risk.
Here’s a summary of what we’re going to need to do:
- Download the GetSSL.ps1 PowerShell script
- Install the Microsoft PowerShell Package Manager
- Edit the GetSSL.ps1 file
- Change Windows security to allow PowerShell Scripts to run
- Install ACMESharp
- Run the PowerShell Script
- Change the FileMaker Server SSL Connections settings
- Set up a schedule to renew the SSL certificate
Check out the video below for a walkthrough and continue reading for additional instructions.
1. Download the GetSSL.ps1 PowerShell script
First, you’ll need a copy of the GetSSL PowerShell script. Download the file using the link below and save it on your server where you’ll want to get the SSL certificate.
WARNING: This is an experimental script and procedure, and SSL certificates from Let’s Encrypt are not officially supported by FileMaker, Inc. Please download and use this script with the understanding that it comes with no guarantees or warranties, and that you are doing so at your own risk. Blue Feather, Let’s Encrypt, nor anyone else are responsible for what happens to your server or systems when using this script.
2. Install the Microsoft PowerShell Package Manager
Windows Server 2012 R2 does not have the PowerShellGet module installed by default, and so we must download it from Microsoft. Visit Microsoft’s download page or PowerShell Gallery to get the latest version of PowerShell for PS 3 and 4. Download and install the very small file. This will allow us to more easily install the modules we need to make this work.
3. Edit the GetSSL.ps1 file
The script file needs to be edited so that it know the address you wish to get an SSL certificate for. Right-click on the ps1 file and select edit to open a text editor. Change the address, email address, and (if necessary) the FileMaker Server install path variables to reflect your server’s information and your contact information. Let’s Encrypt will use this contact information to reach out to you if there is a problem with the SSL certificate that they have issued to you.
4. Change Windows security to allow PowerShell Scripts to run
Windows Server will not allow you to run PowerShell scripts by default, so you’ll need to modify your security settings to allow this. Open PowerShell or PowerShell ISE as Administrator using the “Run as Administrator” option and enter the command:
Set-ExecutionPolicy -Scope LocalMachine Unrestricted
Enter “y” and press enter to accept the security warnings that appear.
Note: PowerShell must be Run as Administrator for this step and all subsequent steps, or you will receive errors. Be sure you are running PowerShell or the PowerShell ISE as Administrator using the “Run as Administrator” option, not just a user named Administrator.
5. Install ACMESharp
We’ll be using the ACMESharp PowerShell module to communicate with Let’s Encrypt to get our SSL certificate. Install the ACMESharp PowerShell module using the command:
Install-Module -Name ACMESharp
Enter “y” and press enter to accept the security warnings that appear.
6. Run the PowerShell Script
WARNING: Running this PowerShell script will restart your FileMaker Server service, abruptly disconnecting any active users. Make sure that nobody is connected to your server before you run this script.
With ACMESharp installed and our security settings adjusted, we’re now ready to run the PowerShell script. Make sure nobody is connected or using your FileMaker server and then run the GetSSL.ps1 PowerShell script by navigating to the directory you have it copied to in your PowerShell window and entering:
.\GetSSL.ps1
A bunch of text will scroll by in the PowerShell window as the script requests, fetches, and installs your SSL certificate. Your FileMaker Server service will then be stopped and started again automatically.
Your SSL certificate should now be installed! Go to your FileMaker Server admin console to make sure you’re seeing the new SSL certificate. You may need to close and re-open your browser if you had the page open already.
7. Change the FileMaker Server SSL Connections settings
The SSL certificate is installed, but we want to force FileMaker Pro and Go clients to connect securely to our server. Log in to your newly secured FileMaker Server admin console. Select the Database Server options from the list on the left and then the Security tab at the top of the page. Check the “Use SSL for database connections” option (as well as “Use SSL for progressive downloading” if you would like) to force FileMaker Pro and Go clients to use a secure connection when connecting to this server. Save your changes and then restart your FileMaker Server service on your server machine.
Your FileMaker Pro clients should now show the green lock icon when logging in to this server, indicating that the connection is secure.
8. Set up a schedule to renew the SSL certificate
SSL Certificates from Let’s Encrypt are only valid for 90 days and must be renewed before that time. Let’s Encrypt does this purposefully to encourage automation and increase security. In that spirit, we should set up an automatic renewal for our SSL certificates so that we don’t need to manually re-run this every couple of months. This process is similar to setting up a scheduled script in FileMaker Server.
Move the GetSSL.ps1 file to a relatively permanent location on your server and then open the Task Scheduler, which we will use to set up a new scheduled task.
Once you have the Task Scheduler open, right-click on the Task Scheduler Library icon on the left side of the window and select the “Create Basic Task” option.
Give your task a name and description so that you can recognize what is is and then press Next. Select a frequency for this task to run, such as Monthly and enter the times you wish the schedule to run on the next window.
Enter “PowerShell” in the “Program/script:” field. Enter the path to the GetSSL.ps1 script in the “Add arguements (optional)” field. This should be a full path like C:\GetSSL.ps1.
Click the next button to review, and select the “Open Properties” checkbox. Complete the setup and the properties window will open for you to make final adjustments to this schedule. You can edit the triggers and scheduling here, but the important thing we need to do is change the security options.
Select the “Run whether user is logged o nor not” radio button and enter your password to allow the script to run even if you’re not logged into the machine. Also be sure to check the “Run with highest privileges” option to make the script Run as Adminstrator, which is required for the script to work properly.
Done!
That’s all that you need to do! Your script should run automatically at your scheduled time to renew your SSL certificate with Let’s Encrypt. Keep in mind that your FileMaker Server service will be restarted after getting the new SSL certificate, so be sure to schedule it for a time when people will not be active in your system.
This is an early version of this script and there is quite surely room for improvement. Please let me know if you have any suggestions or run into any issues using this scripting. Let’s make the FileMaker community a secure one!
0 Comments
Recommended Comments
There are no comments to display.