Smef

How to Use Let's Encrypt to get free SSL certificates for FileMaker Server


Hello Everyone,

 

I've written a PowerShell script to allow you to get a free SSL certificate from Let's Encrypt to use with FileMaker Server. You can schedule this to run every few months and renew your certificate automatically. Now there's no reason to keep using that default certificate. Check out the post for instructions!

 

How to Use Let’s Encrypt SSL Certificates with FileMaker Server | Blue Feather - FileMaker Developer, Android, Web 


EDIT: One compatibility note for everyone - While it looks like it's all compatible with FileMaker Pro 13-15, only FileMaker Go 15 is compatible. FileMaker Go 14 is unable to connect with these certificates installed. I'd recommend using FM Go 15 anyway, but it's something to be aware of if you're still using FM Go 14.

Edited by Smef
Added note about FM Go 14 compatibility.

You make it clear in your article but I want to repeat it here: those certificates are NOT supported by FMI so I would not deploy this to production...


The warning FMI gives about using non-supported SSL certificates is that FileMaker Pro and Go clients won't be able to verify the SSL certificate. I believe we've solved this issue with this solution, and FileMaker clients as early as 13 are able to successfully verify the SSL certificate. There could be other issues lurking somewhere, but we've got this deployed in a number of live servers with no issues so far. It's definitely a good idea to do some testing after deploying this, all the same.

If anyone does encounter any issues, please post them here, on the article's comment section, or send a private message or email to me.

Edited by Smef


It's definitely doable in a similar fashion, I just haven't gotten to doing it yet. I may have a Mac server available soon I can do testing on, and will definitely post when I get a script available for Mac.


Great job @Smef! I've been wanting to use Let's Encrypt, but didn't think it was compatible with FileMaker.

When I schedule tasks on a FileMaker Server, I prefer to schedule them from within FileMaker Server itself. Since FMS can't run powershell scripts directly, I send this bash script the name of a powershell script to run and any parameters to send to the powershell script, if needed:

:: file name: run_powershell_script.cmd
:: Created by: Daniel Smith http://scr.im/fmconsulting

:: change current directory to script location
@PUSHD %~dp0

:: this is the old method that I disabled because of a bug in powershell.exe
:: powershell.exe -file %*

:: calling powershell.exe with -file option causes exceptions to NOT return an error code to this script
:: I implemented a work-around linked to from here: http://stackoverflow.com/a/15779295
:: I am replacing " with ' because, when using the -command option, " does not group data into a single value
:: FMS reads an errorlevel of 1 as "aborted by user" and only sets the log level to information,
:: I am trapping for uncaught errors and returning 100 so the log level is set as error in FMS
:: Since the actual error returned by the powershell script is lost, I'm sending it to a file.

SET params=%*
SET params=%params:"='%
PowerShell.exe -ExecutionPolicy unrestricted -command "& {trap{Out-File -FilePath "..\Documents\run_powershell_script_errors.log" -Append -InputObject $_ ; exit 100} .\%params%}"

@POPD

EXIT /B %ERRORLEVEL%

 


Will this Run as Administrator? I don't think FileMaker Server normally has permission to edit the CStore folder, which is why "Run as Administrator" is required.


Probably not; I hadn't thought of that. I usually don't run scheduled scripts as Administrator, so that hasn't come up.

In that case, I would use a script to create the scheduled task. Here's an example: (the options would need to be changed to get it to run as Administrator)

# https://technet.microsoft.com/en-us/library/jj649816(v=wps.630).aspx

$Action = New-ScheduledTaskAction `
	-Execute powershell.exe `
	-Argument "-ExecutionPolicy Bypass -File C:\GetSSL.ps1"

# -DaysInterval belongs to the -Daily parameter set, so -Daily is given explicitly
$Trigger = New-ScheduledTaskTrigger `
	-Daily `
	-DaysInterval 85 `
	-At 1:00am

$Settings = New-ScheduledTaskSettingsSet `
	-AllowStartIfOnBatteries `
	-DontStopIfGoingOnBatteries `
	-ExecutionTimeLimit 00:05 `
	-StartWhenAvailable

$Principal = New-ScheduledTaskPrincipal `
	-UserId $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) `
	-LogonType S4U

$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal `
	-Description "TODO:explain what the task is for"


Register-ScheduledTask -TaskName "TODO:task-name" -TaskPath "TODO:optional-folder-name" -InputObject $Task -Force

 

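An added example, not part of any post in this thread: a PowerShell check that reports how many days the served certificate has left, so a renewal task that silently failed is noticed before clients are. It assumes the 90-day lifetime Let's Encrypt certificates are issued with (the reason the task above renews every 85 days); the function names and the host name `fms.example.test` are hypothetical. It throws on a bad result, which the trap in `run_powershell_script.cmd` above logs and turns into exit code 100.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-ServerCertificate {
    # Fetch the certificate the server presents. Chain validation is skipped so that an
    # expired or untrusted certificate can still be retrieved and reported on.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $tls.AuthenticateAsClient($HostName)
        [X509Certificate2]::new($tls.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-CertificateLifetime {
    # Status is OK, RENEW (fewer than $WarnDays days left) or EXPIRED.
    param([X509Certificate2]$Certificate, [int]$WarnDays = 5, [datetime]$Now = (Get-Date))
    $daysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'RENEW' } else { 'OK' }
    [pscustomobject]@{
        Subject = $Certificate.Subject; Issuer = $Certificate.Issuer
        NotAfter = $Certificate.NotAfter; DaysLeft = $daysLeft; Status = $status
    }
}

function New-SampleCertificate {
    # Constructed input: an in-memory self-signed certificate that expires in $DaysValid days.
    param([int]$DaysValid)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=fms.example.test', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $now = [DateTimeOffset]::Now
    $req.CreateSelfSigned($now.AddDays(-30), $now.AddDays($DaysValid))
}

# Demo on constructed certificates (no network needed): healthy, near expiry, expired.
foreach ($days in 60, 3, -2) {
    Test-CertificateLifetime -Certificate (New-SampleCertificate -DaysValid $days) |
        Format-List Subject, DaysLeft, Status
}

# Real use against a server (hypothetical host name):
# $cert = Get-ServerCertificate -HostName 'fms.example.test'
# $r = Test-CertificateLifetime -Certificate $cert
# if ($r.Status -ne 'OK') { throw "Certificate $($r.Status): $($r.DaysLeft) days left ($($r.Issuer))" }
```

The sample certificates need .NET Framework 4.7.2 or later, or PowerShell 7.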

Ping ... Has anyone implemented Let's encrypt on a Mac running FileMaker Server?

Edited by Dean Suhr


I've got this on my list of things to do as well. It should be a pretty similar process.


Will this be the full procedure for FM16S on a Mac?

 

Once

https://brew.sh/

brew install certbot

 

Perpetually; the first of every month or so

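# --webroot selects the webroot authenticator that the -w path applies to
sudo certbot certonly --webroot -w "/Library/FileMaker Server/HTTPServer/htdocs" -d sub.domain.tld
# -f replaces the link left by the previous run; the CStore folder needs root to write to
sudo ln -sf /etc/letsencrypt/live/sub.domain.tld/privkey.pem /Library/FileMaker\ Server/CStore/privkey.pem
# certbot writes the certificate plus chain as fullchain.pem
sudo fmsadmin certificate import /etc/letsencrypt/live/sub.domain.tld/fullchain.pem --keyfile /Library/FileMaker\ Server/CStore/privkey.pem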
sudo launchctl stop com.filemaker.fms
sudo launchctl start com.filemaker.fms

 

Here are some examples on how to use certbot for other purposes: https://certbot.eff.org/docs/using.html


Thanks for this article, OP. It worked great for me.

On 2/8/2017 at 3:55 PM, Dean Suhr said:

Ping ... Has anyone implemented Let's encrypt on a Mac running FileMaker Server?

Yes, I did this on Mac. Just tweaked some of the filenames and directories to my liking. You'll need to follow the Mac tutorial though.

https://bluefeathergroup.com/blog/lets-encrypt-ssl-certificates-for-filemaker-server-for-mac/

 

