How to Use Let's Encrypt to get free SSL certificates for FileMaker Server

[Smef]

Hello Everyone,

 

I've written a PowerShell script to allow you to get a free SSL certificate from Let's Encrypt to use with FileMaker Server. You can schedule this to run every few months and renew your certificate automatically. Now there's no reason to keep using that default certificate. Check out the post for instructions!

 

How to Use Let’s Encrypt SSL Certificates with FileMaker Server | Blue Feather - FileMaker Developer, Android, Web 

EDIT: One compatibility note for everyone - While it looks like it's all compatible with FileMaker Pro 13-15, only FileMaker Go 15 is compatible. FileMaker Go 14 is unable to connect with these certificates installed. I'd recommend using FM Go 15 anyway, but it's something to be aware of if you're still using FM Go 14.

Edited November 11, 2016 by Smef
Added note about FM Go 14 compatibility.

[Wim Decorte]

You make it clear in your article but I want to repeat it here: those certificates are NOT supported by FMI so I would not deploy this to production...

[Smef]

The warning FMI gives about using non-supported SSL certificates is that FileMaker Pro and Go clients won't be able to verify the SSL certificate. I believe we've solved this issue with this solution, and FileMaker clients as early as 13 are able to successfully verify the SSL certificate. There could be other issues lurking somewhere, but we've got this deployed in a number of live servers with no issues so far. It's definitely a good idea to do some testing after deploying this, all the same.

If anyone does encounter any issues, please post them here, on the article's comment section, or send a private message or email to me.

Edited November 10, 2016 by Smef

[Rick Whitelaw]

Any Mac solution?

[Smef]

It's definitely doable in a similar fashion, I just haven't gotten to doing it yet. I may have a Mac server available soon I can do testing on, and will definitely post when I get a script available for Mac.

[dansmith65]

Great job @Smef! I've been wanting to use Let's Encrypt, but didn't think it was compatible with FileMaker.

When I schedule tasks on a FileMaker Server, I prefer to schedule them from within FileMaker Server itself. Since FMS can't run powershell scripts directly, I send this bash script the name of a powershell script to run and any parameters to send to the powershell script, if needed:

:: file name: run_powershell_script.cmd
:: Created by: Daniel Smith http://scr.im/fmconsulting

:: change current directory to script location
@PUSHD %~dp0

:: this is the old method that I disabled because of a bug in powershell.exe
:: powershell.exe -file %*

:: calling powershell.exe with -file option causes exceptions to NOT return an error code to this script
:: I implemented a work-around linked to from here: http://stackoverflow.com/a/15779295
:: I am replacing " with ' because, when using the -command option, " does not group data into a single value
:: FMS reads an errorlevel of 1 as "aborted by user" and only set's the log level to information,
:: I am trapping for uncaught errors and returning 100 so the log level is set as error in FMS
:: Since the actual error returned by the powershell script is lost, I'm sending it to a file.

SET params=%*
SET params=%params:"='%
PowerShell.exe -ExecutionPolicy unrestricted -command "& {trap{Out-File -FilePath "..\Documents\run_powershell_script_errors.log" -Append -InputObject $_ ; exit 100} .\%params%}"

@POPD

EXIT /B %ERRORLEVEL%

 

[Smef]

Will this Run as Administrator? I don't think FileMaker Server normally has permission to edit the CStore folder, which is why "Run as Administrator" is required.

[dansmith65]

Probably not; I hadn't thought of that. I usually don't run scheduled scripts as Administrator, so that hasn't come up.

In that case, I would use a script to create the scheduled task. Here's an example: (the options would need to be changed to get it to run as Administrator)

# https://technet.microsoft.com/en-us/library/jj649816(v=wps.630).aspx

$Action = New-ScheduledTaskAction `
	-Execute powershell.exe `
	-Argument "-ExecutionPolicy Bypass -File C:\GetSSL.ps1"

$Trigger = New-ScheduledTaskTrigger `
	-DaysInterval 85 `
	-At 1:00am

$Settings = New-ScheduledTaskSettingsSet `
	-AllowStartIfOnBatteries `
	-DontStopIfGoingOnBatteries `
	-ExecutionTimeLimit 00:05 `
	-StartWhenAvailable

$Principal = New-ScheduledTaskPrincipal `
	-UserId $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) `
	-LogonType S4U

$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal `
	-Description "TODO:explain what the task is for"


Register-ScheduledTask -TaskName "TODO:task-name" -TaskPath "TODO:optional-folder-name" -InputObject $Task -Force

 

[Dean Suhr]

Ping ... Has anyone implemented Let's encrypt on a Mac running FileMaker Server?

Edited February 8, 2017 by Dean Suhr

[Smef]

I've got this on my list of things to do as well. It should be a pretty similar process.

[Smef]

I've added a new set of instructions for Let's Encrypt SSL Certificates with FileMaker Server for Mac.

[Motifews]

Hello people, have to say thank a lot for all your tips!

[ggt667]

Will this be the full procedure for FM16S on a Mac?

 

Once

https://brew.sh/

brew install certbot

 

Perpetually; the first of every month or so

sudo certbot certonly -w "/Library/FileMaker Server/HTTPServer/htdocs" -d sub.domain.tld
ln -s /etc/letsencrypt/live/sub.domain.tld/privkey.pem /Library/FileMaker\ Server/CStore/privkey.pem
sudo fmsadmin certificate import /etc/letsencrypt/live/sub.domain.tld/fullkey.pem --keyfile /Library/FileMaker\ Server/CStore/privkey.pem
sudo launchctl stop com.filemaker.fms
sudo launchctl start com.filemaker.fms

 

Here are some examples on how to use certbot for other purposes: https://certbot.eff.org/docs/using.html

[JeffHenry]

Thanks for this article, OP. It worked great for me.

On 2/8/2017 at 3:55 PM, Dean Suhr said:

Ping ... Has anyone implemented Let's encrypt on a Mac running FileMaker Server?

Yes, I did this on Mac. Just tweaked some of the filenames and directories to my liking. You'll need to follow the Mac tutorial though.

https://bluefeathergroup.com/blog/lets-encrypt-ssl-certificates-for-filemaker-server-for-mac/