LetsEncrypt renewal - require server restart?

I was playing around with Let's Encrypt SSL certificates on my FMS server and got this email after running the script manually:

Schedule "Let's Encrypt Renewal Script" completed. The certificate renewed successfully. Restart the FileMaker Server service (Windows) or FileMaker Server background processes (macOS or Linux) to apply the change.

This is running FMS 22.0.4 on macOS.

When this script runs automatically, does this mean that I will need to manually restart the FMS server process(es) in order to have the new certificate take effect?

To the best of my knowledge this is still the case, sadly. I hope Claris has good reasons to keep this nuisance of a “forced outage”, but it will be getting worse with the shorter lifetimes of certificates.

1 Like

I wonder if it’s possible to script this so it’s all automated? I’m thinking something like this:

  1. shut down databases
  2. update the LetsEncrypt certificate
  3. stop the FMS processes; wait a few seconds, then restart them

?

Doing some tests. This is on FMS 22.0.4.427 on macOS 15.7.3.

First, can we automate updating the SSL Certificate for FMS / FMPro?

  • Manually run the Let’s Encrypt Renewal script from the FMS Server Admin webpage.
    Result: success

  • on Configuration/ 'SSL Certificate' check the Expires date:

  • from the macOS Terminal command-line, restart the FileMaker database server:

    fmsadmin restart SERVER
    
    
  • open a database from FileMaker Pro, click the lock icon to see the SSL status. Result: the new SSL certificate is being used:

Conclusion: running the Sys_Default_RenewLetsEncryptCertificate system script schedule, then restarting the FMS Database server using fmsadmin restart SERVER works to start using the new SSL certificate for FileMaker Pro connections.

Next, can we automate updating the SSL certificate for Apache / WebDirect?

# use CURL to get the SSL certificate dates

curl --insecure -vvI https://example.com  2>&1 | grep -e "start date:" -e "expire date:"

# Results:
*  start date: Oct 24 18:11:32 2025 GMT
*  expire date: Jan 22 18:11:31 2026 GMT

# this is the old certificate. The new one is not being used.

#  What happens if we restart Apache?

fmsadmin restart HTTPSERVER

# test again
curl --insecure -vvI https://example.com  2>&1 | grep -e "start date:" -e "expire date:"

# Results:
*  start date: Oct 24 18:11:32 2025 GMT
*  expire date: Jan 22 18:11:31 2026 GMT

# still using the old certificate

# what if we STOP, then START the HTTPSERVER?
fmsadmin STOP HTTPSERVER
fmsadmin START HTTPSERVER

# test again
curl --insecure -vvI https://example.com  2>&1 | grep -e "start date:" -e "expire date:"

# Results:
*  start date: Dec 20 13:58:40 2025 GMT
*  expire date: Mar 20 13:58:39 2026 GMT

# Success!

Conclusion - it seems as if fmsadmin RESTART HTTPSERVER does not put the new SSL certificate into use, but issuing fmsadmin STOP HTTPSERVER followed by fmsadmin START HTTPSERVER does work.

This suggests it should be possible to set up a FMS Schedule using a Script Sequence that does these three steps.

3 Likes

Additional issues

  1. the command fmsadmin RESTART SERVER requires username and password and asks you to confirm this action by typing the “y” key. Although the fmsadmin help command doesn’t mention it, there are command-line options to pass username and password and answer “y” to prompts. See fmsadmin command line reference for details.

Thus, for fully-automated scripting, the command would be as follows:

# restart the FMS database server without requiring user interaction:

fmsadmin --yes --username Username --password Password RESTART SERVER

You could also add a specific timeout and a message:

# restart the FMS database server without requiring user interaction
# and providing a specific message and timeout before disconnection

fmsadmin --yes --username Username --password Password --message "Server will restart in two minutes for security updates" --gracetime 120 RESTART SERVER

Or, you could use the force option to disconnect clients and webDirect sessions immediately:

# restart the FMS database server without requiring user interaction
# forcing disconnections immediately

fmsadmin --yes --username Username --password Password --force RESTART SERVER

1 Like

I've tested this technique out and it appears to work well, on macOS servers at least.

Here's my shell script - see instructions within

#!/bin/bash
######################################################################
# Shell script called by FileMaker Server 2025 to restart
# server processes after the LetsEncrypt renewal happens.
#
# Place this script in /Library/FileMaker Server/Data/Scripts
# and make sure the 'fmserver' user has read/write access.
# 
# Set the executable bit on this file:
# chmod +x "/Library/FileMaker Server/Data/Scripts/"*
#
# Configuration - In the FMS admin interface, create a New Schedule:
#   Schedule Type: Script Sequence
#   Preceding System Script: Sys_Default_RenewLetsEncryptCertificate.
#   Database Script:  [set up a dummy script which does nothing]
#   Following System Script: this file
#   Run the script sequence every N days
#     for 90 day certificates, LetsEncrypt recommends N=60 days
#
# Configuration - also set variables below
#
# Debugging:
# 	Logs can be viewed by running this command
# 	open -a Console "/Library/FileMaker Server/Logs/stderr" "/Library/FileMaker Server/Logs/stdout"
#
# 
######################################################################
# 2025-12-20 Created version 1
######################################################################

# Set these variables as needed

# fmsadmin username and password
USER='username'
PASS='password'

# URL of your WebDirect website (used for checking SSL cert issue and expiration dates)
URL="https://example.com/"

# number of seconds grace period
TIME=30

# message for disconnecting FM sessions
MSG="Server will restart in $TIME seconds for security update."


echo "######################################################################"
echo "# LetsEncryptRestart.sh -- Restarting processes after LetsEncrypt Renewal"
echo "#" `date`
echo "# "
echo "# who -m = " `who -m`
echo "# "
echo "# USER  = $USER"
echo "# PASS  = ****"
echo "# "
echo "# TIME  = $TIME seconds"
echo "# MSG   = $MSG"
echo "# "
echo "# URL   = $URL"
echo "# "
echo "######################################################################"


# list any clients currently connected
echo "# Current connected clients/sessions:"
/usr/local/bin/fmsadmin --yes --username "$USER" --password "$PASS" LIST CLIENTS
echo ""


# restart the database server
# note : to see the new SSL certificate in use,
# you may need to also quit FileMaker Pro before reconnecting to Server

echo "# Restarting the FMS Database Server"
echo "fmsadmin RESTART SERVER"
/usr/local/bin/fmsadmin --yes --username "$USER" --password "$PASS" --message "$MSG" --gracetime $TIME RESTART SERVER
sleep 5
echo ""


# restart the HTTPSERVER
# Note: tests indicate that RESTART does not get Apache to use the new SSL certificate
# instead we use STOP followed by START which does work

# log the current certificate in use (before renewal)
echo "# SSL Certificate in use by Web Server:"
echo ""
/usr/bin/curl --insecure -vvI "$URL" 2>&1 | grep -e "start date:" -e "expire date:"

echo ""

echo "# Stop, then start web server:"
echo ""

echo "fmsadmin STOP HTTPSERVER"
/usr/local/bin/fmsadmin --yes STOP HTTPSERVER
sleep 5
echo "fmsadmin START HTTPSERVER"
/usr/local/bin/fmsadmin --yes START HTTPSERVER

sleep 5
echo ""

# log the current certificate in use (after renewal)
echo "# SSL Certificate in use by Web Server:"
echo ""
/usr/bin/curl --insecure -vvI "$URL" 2>&1 | grep -e "start date:" -e "expire date:"



echo "######################################################################"
echo "# LetsEncryptRestart.sh -- DONE "
echo "######################################################################"

exit 0

2 Likes
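
One way to turn the before/after curl comparison used in this thread into a pass/fail result, so a schedule reports an error when the web server is still serving the old certificate. This is an added example, not part of any poster's script; the function names, return codes and the 30-day threshold are assumptions, and the sample input is the curl output posted above.

```bash
#!/bin/bash
# Added example (hypothetical helper names): fail when the old cert is still served.

# Extract the "start" or "expire" ($2) date from `curl -v` output ($1).
cert_field() {
  printf '%s\n' "$1" | sed -n "s/^\* *$2 date: *//p" | head -n 1
}

# "Mar 20 13:58:39 2026 GMT" -> days since 1970-01-01, in pure shell arithmetic
# so the result is identical with BSD date (macOS) and GNU date (Linux).
date_to_days() {
  local m d y era yoe doy
  set -- $1                                   # Mon DD HH:MM:SS YYYY TZ
  case $1 in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;                             # no date: curl saw no certificate
  esac
  d=${2#0}; y=$4
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi    # count the year from March
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
  echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# $1 = curl output before the restart, $2 = curl output after it,
# $3 = minimum days of validity required, $4 = today in days since epoch.
check_renewal() {
  local old new exp
  old=$(date_to_days "$(cert_field "$1" start)") &&
  new=$(date_to_days "$(cert_field "$2" start)") &&
  exp=$(date_to_days "$(cert_field "$2" expire)") ||
    { echo "ERROR: could not read certificate dates"; return 3; }
  if [ "$new" -le "$old" ]; then
    echo "STALE: web server still serves the old certificate"; return 1
  fi
  if [ $((exp - $4)) -lt "$3" ]; then
    echo "SHORT: only $((exp - $4)) days of validity left"; return 2
  fi
  echo "OK: new certificate in use, $((exp - $4)) days left"
}

# Sample input: the curl output lines posted earlier in this thread.
BEFORE='*  start date: Oct 24 18:11:32 2025 GMT
*  expire date: Jan 22 18:11:31 2026 GMT'
AFTER='*  start date: Dec 20 13:58:40 2025 GMT
*  expire date: Mar 20 13:58:39 2026 GMT'
# Live use: capture $(curl --insecure -vI "$URL" 2>&1) before and after STOP/START.
check_renewal "$BEFORE" "$AFTER" 30 20442     # 20442 = 2025-12-20
```

In a live run, pass `$(( $(date -u +%s) / 86400 ))` as the fourth argument and exit with the function's return code instead of `exit 0`.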