As part of my road-testing of FMS19 for Linux, I decided to see if I could get it working with a free LetsEncrypt SSL Certificate. Here are my results
- FMS Admin Console - YES
- Connection from FMPro 19 (Yes, Windows and Mac)
- Connection from FMPro 18 (Yes, Windows and Mac)
- Earlier versions of FMPro - not supported by FMS19 anyway
- Filemaker Go 19 for iPhone on iOS 13.x - YES
- Filemaker Go 18 for iPhone on iOS 13.x - YES
- Earlier versions of Filemaker Go - not supported by FMS19 anyway
However :
WebDirect - not working yet. May not work at all.
If this is deemed worth pursuing, I can look into the different methods of automatically renewing them every 90 days (cause you don't get any points deploying a free SSL if it fails after only a few months).
3 Likes
Web Direct worked for us on Linux once you installed Java libraries.
There is a dialog for that coming up if you enable Web Direct.
1 Like
You can make it set-and-forget. A batch file calling certbot to renew the domains works nicely now. In earlier versions you had to make the renew request within the correct time frame. Nowadays, the renew request is politely ignored until it needs to be addressed. So you can have it running on a weekly schedule to handle all the domains on that server.
4 Likes
How about some nice instructions for a dummy on how to install LetsEncrypt it on FMS for Linux?
3 Likes
I would love instructions for dummies on Windows FMS as well.
That's good to know. Yes, I remember reading that the original idea was to issue a certificate for 90 days, and then submit a renewal request some time inbetween day 60 and day 90. Obviously they do not want their servers to be overwhelmed, like any API/gateway service., especially when it's free. Are you using the HTTP method, or the DNS CNAME method to do the verification?
I'd love to update this to automatically reboot FMS safely in the middle of the night after updating the cert. We have it working nicely, except for the auto reboot, on several FMS servers.
Mac OS Install Instructions:
- Put LE_GetSSL.sh in MacHD/User/Shared
- Edit LE_GetSSL.sh
- /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- brew install certbot
- cd /Users/Shared
- sudo chmod 777 LE_GetSSL.sh
- sudo ./LE_GetSSL.sh
- In Terminal: sudo /bin/sh /Users/Shared/LE_GetSSL.sh
- To renew, run the terminal command and reboot FMS.
LE_GetSSL.sh file:
#!/bin/sh
# Created by: David Nahodyl, Blue Feather
# Contact: contact@bluefeathergroup.com
# Date: 5/7/2019
# Version: 0.4
# Need help? We can set this up to run on your server for you! Send an email to
# contact@bluefeathergroup.com or give a call at (770) 765-6258
# Change the domain variable to the domain/subdomain for which you would like
# an SSL Certificate
DOMAIN="foo.domain.com"
# Change the contact email address to your real email address so that Let's Encrypt
# can contact you if there are any problems #>
EMAIL="foo@domain.com"
# Enter the path to your FileMaker Server directory, ending in a slash
SERVER_PATH="/Library/FileMaker Server/"
FMADMIN="fmConsoleLogin"
FMPASS="fmConsolePassword"
#
# --- you shouldn't need to edit anything below this line
# --- spoiler: we did below on serverKey path
WEB_ROOT="${SERVER_PATH}HTTPServer/htdocs"
# Get the certificate
certbot certonly --webroot -w "$WEB_ROOT" -d $DOMAIN --agree-tos -m "$EMAIL" --preferred-challenges "http" -n
cp "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SERVER_PATH}CStore/fullchain.pem"
cp "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SERVER_PATH}CStore/privkey.pem"
chmod 640 "${SERVER_PATH}CStore/privkey.pem"
# Move an old certificate, if there is one, to prevent an error
# changed to server.pem as that seems to be used by fm now instead
mv "${SERVER_PATH}CStore/server.pem" "${SERVER_PATH}CStore/serverKey-old.pem"
# Remove the old certificate
fmsadmin certificate delete --yes -u ${FMADMIN} -p ${FMPASS}
# Install the certificate
fmsadmin certificate import "${SERVER_PATH}CStore/fullchain.pem" --keyfile "${SERVER_PATH}CStore/privkey.pem" -y -u ${FMADMIN} -p ${FMPASS}
1 Like
On the two servers that we're maintaining we are running nginx so we initially run a request from the command line. For renewals, everything is in cron on a weekly schedule.