
Let’s Encrypt is a non-profit certificate authority with the mission of spreading the SSL love across the internet. Though they’re not officially supported, we can use Let’s Encrypt to get free SSL certificates to use with FileMaker Server. We will use a PowerShell script and the Windows Task Scheduler on Windows Server 2012 R2 to retrieve and automatically renew SSL certificates through Let’s Encrypt to make sure our connections to FileMaker Server are secure. With this, there’s no reason anyone should have an invalid SSL certificate on their FileMaker Server deployment!


  • FileMaker Server deployed on Windows Server – Tested with 2008 R2, 2012 R2, and 2016 but may work with other versions.
  • The “FileMaker Database Server Website” page must be reachable through the public internet using a web browser at the address you wish to get an SSL certificate for, such as This means opening or forwarding port 80 in your router, firewall, or security groups. We use the Let’s Encrypt HTTP verification challenge, so we must make sure that Let’s Encrypt is able to reach our FileMaker server through HTTP.

Warning: FileMaker does not list Let’s Encrypt as a supported SSL vendor and usually alerts the community that non-supported SSL vendors’ certificates won’t be able to be validated by FileMaker Pro and Go. I believe we’ve solved this issue with this solution. We’ve had no problems with validating these SSL certificates with FileMaker Pro 13-16 but of course can’t make any guarantees. FileMaker Go 15/16 also seem to validate everything correctly, though FileMaker Go 14 can’t connect. Please post in the comments section below if you have any issues using these SSL certificates. This is an experimental script and procedure. Please proceed with the use of this PowerShell script and Let’s Encrypt SSL certificates at your own risk.


Here’s a summary of what we’re going to need to do:

  1. Download the GetSSL.ps1 PowerShell script
  2. Install the Microsoft PowerShell Package Manager (2012 R2 and earlier)
  3. Edit the GetSSL.ps1 file
  4. Change Windows security to allow PowerShell Scripts to run
  5. Install ACMESharp
  6. Run the PowerShell Script
  7. Change the FileMaker Server SSL Connections settings
  8. Set up a schedule to renew the SSL certificate

Check out the video below for a walkthrough and continue reading for additional instructions.

1. Download the GetSSL.ps1 PowerShell script

First, you’ll need a copy of the GetSSL PowerShell script. Download the file using the link below and save it on your server where you’ll want to get the SSL certificate.

Warning: This is an experimental script and procedure, and SSL certificates from Let’s Encrypt are not officially supported by FileMaker, Inc. Please download and use this script with the understanding that it comes with no guarantees or warranties, and that you are doing so at your own risk. Neither Blue Feather, Let’s Encrypt, nor anyone else is responsible for what happens to your server or systems when using this script.

Download the GetSSL PowerShell script


2. Install the Microsoft PowerShell Package Manager (2012 R2 and earlier)

Windows Server 2012 R2 does not have the PowerShellGet module installed by default, and so we must download it from Microsoft. Visit Microsoft’s download page or PowerShell Gallery to get the latest version of PowerShell for PS 3 and 4. Download and install the very small file. This will allow us to more easily install the modules we need to make this work.


3. Edit the GetSSL.ps1 file

The script file needs to be edited so that it knows the address you wish to get an SSL certificate for. Right-click on the ps1 file and select edit to open a text editor. Change the address, email address, and (if necessary) the FileMaker Server install path variables to reflect your server’s information and your contact information. Let’s Encrypt will use this contact information to reach out to you if there is a problem with the SSL certificate that they have issued to you.



4. Change Windows security to allow PowerShell Scripts to run

Windows Server will not allow you to run PowerShell scripts by default, so you’ll need to modify your security settings to allow this. Open PowerShell or PowerShell ISE as Administrator using the “Run as Administrator” option and enter the command:

Enter “y” and press enter to accept the security warnings that appear.

If you’ve copied this file to your server through RDP or over a network you should be fine here, but if the file was downloaded directly to the server from this site there may be another “downloaded from the internet” warning that you’ll have to clear. Place the file in a semi-final location and unblock it using the Unblock-File command, passing in the path to the file as a parameter. Here’s an example for if the file is located on the root of the C drive:

Note: PowerShell must be Run as Administrator for this step and all subsequent steps, or you will receive errors. Be sure you are running PowerShell or the PowerShell ISE as Administrator using the “Run as Administrator” option, not just a user named Administrator.


5. Install ACMESharp

We’ll be using the ACMESharp PowerShell module to communicate with Let’s Encrypt to get our SSL certificate. Install the ACMESharp PowerShell module using the command:

Server 2012 R2:

Server 2016:

Enter “y” and press enter to accept the security warnings that appear.


The latest version of this module, 0.9.xx, has some changes and requires some additional configuration and module installation. You’ll need to install the module for ACMESharp to handle IIS and then enable the module.


Install the module:

Activate the newly installed module

We’re still doing testing with this new version and function, but it looks like you need to close and then re-open PowerShell again (as Administrator) before moving on to the next step.


6. Run the PowerShell Script

WARNING: Running this PowerShell script will safely restart your FileMaker Server service, abruptly disconnecting any active users. Make sure that nobody is connected to your server before you run this script.

With ACMESharp installed, the module enabled, PowerShell restarted, and our security settings adjusted, we’re now ready to run the PowerShell script. Make sure nobody is connected or using your FileMaker server and then run the GetSSL.ps1 PowerShell script by navigating to the directory you have it copied to in your PowerShell window and entering:

A bunch of text will scroll by in the PowerShell window as the script requests, fetches, and installs your SSL certificate. Your FileMaker Server service will then be stopped and started again automatically.

Your SSL certificate should now be installed! Go to your FileMaker Server admin console to make sure you’re seeing the new SSL certificate. You may need to close and re-open your browser if you had the page open already.
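
A way to confirm from PowerShell which certificate the server is actually presenting on port 443, rather than relying on a browser that may have cached the old one. This is an added example, not part of GetSSL.ps1; the host name fms.example.com is a placeholder, the function name Get-ServedCertificate is made up for illustration, and it assumes .NET 4.5 or later.

```powershell
# Added example, not part of GetSSL.ps1. Requires .NET 4.5+ (Tls12 enum value).
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $state = @{ PolicyErrors = $null }
    # Let the handshake finish even for an untrusted certificate so it can be
    # inspected, but record what Windows' own validation concluded.
    $check = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$check

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $callback)
        try {
            $protocols = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
            $ssl.AuthenticateAsClient($HostName, $null, $protocols, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            [pscustomobject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                NotAfter     = $cert.NotAfter
                DaysLeft     = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                PolicyErrors = $state.PolicyErrors   # None = trusted chain and matching name
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

# Use the same fully-qualified name your clients connect with (placeholder here).
$result = Get-ServedCertificate -HostName 'fms.example.com'
$result | Format-List

if ("$($result.PolicyErrors)" -ne 'None') {
    Write-Warning "Windows does not accept this certificate: $($result.PolicyErrors)"
}
# With a renewal every 80 days on a 90-day certificate, fewer than 10 days
# remaining means the scheduled renewal has not run.
if ($result.DaysLeft -lt 10) {
    Write-Warning "Certificate expires in $($result.DaysLeft) days."
}
```

PolicyErrors reflects the Windows trust store and name check on the machine running the script; FileMaker Pro and Go perform their own validation.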

7. Change the FileMaker Server SSL Connections settings

The SSL certificate is installed, but we want to force FileMaker Pro and Go clients to connect securely to our server. Log in to your newly secured FileMaker Server admin console. Select the Database Server options from the list on the left and then the Security tab at the top of the page. Check the “Use SSL for database connections” option (as well as “Use SSL for progressive downloading” if you would like) to force FileMaker Pro and Go clients to use a secure connection when connecting to this server. Save your changes and then restart your FileMaker Server service on your server machine.

FileMaker Server Admin Console Settings

Your FileMaker Pro clients should now show the green lock icon when logging in to this server, indicating that the connection is secure.


8. Set up a schedule to renew the SSL certificate

SSL Certificates from Let’s Encrypt are only valid for 90 days and must be renewed before that time. Let’s Encrypt does this purposefully to encourage automation and increase security. In that spirit, we should set up an automatic renewal for our SSL certificates so that we don’t need to manually re-run this every couple of months. This process is similar to setting up a scheduled script in FileMaker Server.

Move the GetSSL.ps1 file to a relatively permanent location on your server and then open the Task Scheduler, which we will use to set up a new scheduled task.

Once you have the Task Scheduler open, right-click on the Task Scheduler Library icon on the left side of the window and select the “Create Basic Task” option.


Give your task a name and description so that you can recognize what it is and then press Next. Select a frequency for this task to run. Daily is a good setting here, and then on the next screen you can set it to recur every 80 days. The SSL certificates from Let’s Encrypt are good for 90 days at a time, so this will give us over a week’s leeway.

Enter “PowerShell” in the “Program/script:” field. Enter the path to the GetSSL.ps1 script in the “Add arguments (optional)” field. This should be a full path like C:\GetSSL.ps1.

Click the next button to review, and select the “Open Properties” checkbox. Complete the setup and the properties window will open for you to make final adjustments to this schedule. You can edit the triggers and scheduling here, but the important thing we need to do is change the security options.

Select the “Run whether user is logged on or not” radio button and enter your password to allow the script to run even if you’re not logged into the machine. Also be sure to check the “Run with highest privileges” option to make the script Run as Administrator, which is required for the script to work properly.



That’s all that you need to do! Your script should run automatically at your scheduled time to renew your SSL certificate with Let’s Encrypt. Do a test to make sure that it’s all working properly, that it gets a new certificate for you, and that your FileMaker Server service restarts after it has retrieved the certificate. If there is an issue, you may want to run the script manually in PowerShell or debug with the PowerShell ISE to locate any issues.

Keep in mind that your FileMaker Server service will be restarted after getting the new SSL certificate, so be sure to schedule it for a time when people will not be active in your system.
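
The same scheduled task created from PowerShell instead of the wizard, preceded by a permissions check on the script file, since the task runs it with administrator rights. This is an added example, not part of GetSSL.ps1; the task name and start time are placeholders, and it assumes Windows Server 2012 or later for the ScheduledTasks cmdlets.

```powershell
# Added example, not part of GetSSL.ps1. Run from an elevated PowerShell prompt
# on Windows Server 2012 or later (needs the ScheduledTasks module).
$scriptPath = 'C:\GetSSL.ps1'                     # path used in this article
$taskName   = 'Renew FileMaker SSL certificate'   # hypothetical task name
$startTime  = '3:00 AM'                           # assumed quiet hour; adjust

if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Script not found: $scriptPath"
}

# The task runs elevated, so anyone who can modify the script can run code as
# an administrator. Look for allow-ACEs that grant write-type rights to
# accounts other than Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
$trustedSids = 'S-1-5-32-544', 'S-1-5-18'
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$acl   = Get-Acl -LiteralPath $scriptPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$risky = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeRights) -ne 0) -and
    ($trustedSids -notcontains $_.IdentityReference.Value)
})
if ($risky.Count -gt 0) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String | Write-Warning
    throw "Tighten the permissions on $scriptPath before scheduling it."
}

# Supplying a user name and password is what selects "Run whether user is
# logged on or not"; -RunLevel Highest is "Run with highest privileges".
$cred = Get-Credential -Message 'Account the renewal task should run as'

# The wizard steps above pass only the script path as the argument; -NoProfile
# and -File are added here so the script runs without loading a user profile.
$action  = New-ScheduledTaskAction -Execute 'PowerShell' -Argument "-NoProfile -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 80 -At $startTime

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Description 'Runs GetSSL.ps1 every 80 days'
```

If the check flags an account you do trust, such as the one the task runs as, add its SID to $trustedSids rather than removing the check.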

This is an early version of this script and there is quite surely room for improvement. Please let me know if you have any suggestions or run into any issues using this script. Let’s make the FileMaker community a secure one!




  • C38S

    Thanks for sharing!

  • Daniel Harlow

    What versions of FMS have you tested this with? Does it support FMS 15, 14 and 13?

    • I’ve successfully run this on FileMaker Server 15.0.1/2 and 14.0.4, though I imagine it would also work on Server 13.0.9 which handles SSL certificates the same way. I’ve also tested it with FileMaker Pro 15, 14, and 13 and none of them have had any issues validating the SSL certificate.

      • Daniel Harlow

        How about in multiple machine setup?

        • I haven’t tried it, but I don’t think it would be a problem as the SSL certificate installation process is the same in both cases. One thing to keep in mind is that you need a different single-domain SSL certificate for each server, rather than a single wildcard certificate, if you want to make sure that your connections to both machines are secure. You might have and, for example.

          Please let us know how it works for you if you do run it.

          • Daniel Harlow

            Multiple machines seem to work fine.

          • Great! Thanks for providing feedback about this. I’m sure this information will help other people in using a multi-machine deployment.

  • Menno van Beek

    Thanks for sharing this. I am already using LE on my FMServers, but hadn’t been able to automate it yet.

  • I’ve updated this to v .2 which adds a . to the fmsadmin certificate import line. This improves compatibility with more servers.

  • Kjam

    Hi David. Thank you so much for your help with the GetSSL.ps1 script today, I really appreciate it. I replicated the process successfully with one issue. Seems LE doesn’t like it when you use the same email address for different domains LOL. I changed that and all was good. Great work with that script mate, that is some cool stuff. I will be looking at your PHP tutorial next. Cheers

    • There isn’t any problem with using the same email for different domains. I’ve used mine for quite a few at this point. I did get an error one time when I had mis-typed my email address since they do check and make sure it’s a real domain. Could that have happened to you?

  • Daniel Harlow

    So I think I found an issue with using the Let’s Encrypt Certificate on FileMaker Server 15 & WebDirect. If I turn on “Use SSL for progressive downloading” it seems to break downloading files via WebDirect (using the export field contents). Looking in the Windows logs I am seeing “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.”. Turning off “Use SSL for progressive downloading” allows files to be downloaded again and the error entry no longer appears when I try to download the file. Can you test this function on one of your servers? Note I am still running 15.0.2.

    • I’ve been able to reproduce this and see the same error in the Event Viewer on the server. I’m not sure if the error is coming from IIS or FMS. I’ll try to look into this, but can you please post here if you discover more about this?

      • Daniel Harlow

        I think it has to do with Web Publishing Engine and it not trusting the Root Certificate for Let’s Encrypt. I thought maybe putting the isrgrootx1.pem at C:Program FilesFileMakerFileMaker ServerWeb Publishingpublishing-enginecwpcExtensionsOpenSSLRootCA would fix it but seems to make no difference. I wonder like Go they hard coded certificate vendors into the core of WebDirect.

  • Philip McGeehan

    The Install-Module isn’t recognised for me in PS – Win Server 2008 R2
    Do you know if I can still do it on this OS?

  • I’ve updated this to v 0.3. There was an issue with a web.config with certain deployments of FMS 16. The new version 0.3 should better support more configurations.

  • Hi, can i use,us domain, only my public Static IP like ???

    • It might technically be possible to have an SSL certificate for an IP address, but I think that’s a bad idea in general and goes around some of the security provided by the name matching of SSL certificates. I also don’t think Let’s Encrypt will allow that.

      The best practice is to use a Fully-Qualified Domain Name (FQDN) such as for your SSL certificate.

  • Hi, I’ve tried many times but getSSL.ps1 reports red line errors:
    Can you help me, please?

    Submit-ACMECertificate : Error creating new cert :: authorizations for these names not found or expired:
    At C:GetSSL.ps1:147 char:1
    + Submit-ACMECertificate $certAlias;
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (ACMESharp.Vault.Model.CertificateInfo:CertificateInfo) [Submit-ACMECertificate], AcmeWebException
    + FullyQualifiedErrorId : urn:acme:error:unauthorized (403),ACMESharp.POSH.SubmitCertificate

    Update-ACMECertificate : Certificate has not been submitted yet; cannot update status
    At C:GetSSL.ps1:153 char:1
    + Update-ACMECertificate $certAlias;
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Update-ACMECertificate], Exception
    + FullyQualifiedErrorId : System.Exception,ACMESharp.POSH.UpdateCertificate

    Remove-Item : Cannot find path ‘C:Program FilesFileMakerFileMaker ServerCStoreserverKey.pem’ because it does not
    At C:GetSSL.ps1:161 char:1
    + Remove-Item $keyPath;
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:Program File…eserverKey.pem:String) [Remove-Item], ItemNotFoundEx
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    Get-ACMECertificate : Cannot export private key; it hasn’t been imported or generated
    At C:GetSSL.ps1:162 char:1
    + Get-ACMECertificate $certAlias -ExportKeyPEM $keyPath;
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate

    Remove-Item : Cannot find path ‘C:Program FilesFileMakerFileMaker ServerCStorecrt.pem’ because it does not exist.
    At C:GetSSL.ps1:166 char:1
    + Remove-Item $certPath;
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:Program File…CStorecrt.pem:String) [Remove-Item], ItemNotFoundEx
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    Get-ACMECertificate : Cannot export CRT; CSR hasn’t been submitted or CRT hasn’t been retrieved
    At C:GetSSL.ps1:167 char:1
    + Get-ACMECertificate $certAlias -ExportCertificatePEM $certPath;
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate

    Remove-Item : Cannot find path ‘C:Program FilesFileMakerFileMaker ServerCStoreinterm.pem’ because it does not
    At C:GetSSL.ps1:171 char:1
    + Remove-Item $intermPath;
    + ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:Program File…toreinterm.pem:String) [Remove-Item], ItemNotFoundEx
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    Get-ACMECertificate : Cannot export CRT; CSR hasn’t been submitted or CRT hasn’t been retrieved
    At C:GetSSL.ps1:172 char:1
    + Get-ACMECertificate $certAlias -ExportIssuerPEM $intermPath;
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate

  • Johnson Ng

    It looks like only FMP connections are using the new SSL certificate. WebDirect and admin console connections are using the FMI Default Certificate. FMGo is saying it can’t verify the identity of servername:443. Did I do something wrong?

    • If FMP is seeing it, it sounds like it’s properly installed. You may need to close your browser and FM Go and re-open them to get them to see the new SSL certificate. Refreshing the page won’t make the new certificate show. You actually have to close the browser and re-open it to get it to refresh. A new tab will sometimes work as well.

      Someone else had the opposite problem as you, where they hadn’t closed FMP, and so everything else was showing the new, correct certificate but FMP was still caching the default one.

      • Johnson Ng

        I did restart my browser, and restarted my computer too. Tried on a different computer too, and multiple iOS devices.

        Is it possible to delete the FMI Default Certificate?

        • I think it’s server.pem in the CStore folder, but I’m not sure if it’s a good idea to totally delete it.

          Try re-running the script in case FileMaker handle its IIS stuff correctly.

          Also, be sure that you’re using the fully-qualified domain name on all of the devices, the same as you’re using on FM Pro. If you use an IP address or a local domain address the SSL certificate won’t be able to validate. Is Go seeing the correct certificate? Check the SSL certificate when you connect and see if you can see what is making it throw that message. FMS can’t be serving two certificates at the same time, so if Pro is seeing a valid one then Go should be as well.

          • Johnson Ng

            Resolved! I re-ran the GetSSL.ps1 script and now everything (FMP, FMGo, WebDirect, admin console) is using the custom certificate. Thanks for your suggestion to re-run the script. 🙂

  • Chris Bailey

    If I am hosting on AWS – EC2 instance – not FileMaker Cloud – but Server. Is it possible to use the Amazon AWS Certificate Manager for SSL, it seems to be free also, included with hosted services. I appreciate your tutorial and will use this method, if the AWS system does not work with FileMaker server.
    Thanks again.

    • The AWS Certificate manager is only for certificates for certain services, such as the ELB. It won’t automatically deploy a certificate to a program running on an EC2 instance as they wouldn’t know how to do the deployment. Even if you could pull the private key out from it somehow I don’t know what the CA is and if the certificates would validate with FMP.

      • Chris Bailey

        Thank you for your reply. As I could not find evidence of anyone using Certificate Manager, I thought as much.

  • CSavva

    I had installed Let’s Encrypt certificates on 4 servers (2 Windows Server 2012 R2 and 2 Mac Minis) running the latest FMS15 in May. I upgraded all of them end of May early June to FMS16 and imported the certificates. Everything was running just fine and using FMPA16 I was getting the Green lock. Also everyone with FMP 14.0.5 and up would access the server just fine.

    I had to renew now the certificates and did the process for all of them. On WebDirect and Admin Console I have no problems. BUT with FMPA 15 and 16 I get the warning that it can’t verify the identity. While clicking to view the certificate, it shows all Green and valid just like in the browser. I also discovered that no FMP14 user can access the servers now.

    For one server I even completely deleted the previous certificate and redid the whole process with new certificate request all over again. The result is the same. By the way all servers run 16.0.1, I haven’t updated them to 16.0.2 just yet.

    By the way I am well aware that Let’s Encrypt certificates are not tested as supported but I am wondering if anyone has had the same or similar issue to help me out.

    • There are a few things you may be seeing, and these are just general SSL things, not having to do with Let’s Encrypt:

      1. You need to quit and re-open FileMaker to get it to check for a new certificate. It won’t automatically detect the new certificate if you’ve already pulled up the file list in the open-remote window.

      2. All users need to connect using the same server address as what is on the certificate. If the server address you’re using doesn’t match the certificate, it won’t be able to validate. If you get a certificate for then all of your users will need to use that address to connect to the server. If you use a local address or an IP address then the name on the certificate won’t match the address the users are using, and so validation will fail.

      3. Make sure all of your users are using up-to-date clients. For FileMaker 14 they’ll need to be all patched up to be able to connect to FMS 16 with SSL enabled.

  • Ville Glad

    ACMESharp current default version did not work on Server 2012 R2. Installing it with command “Install-Module -Name ACMESharp -RequiredVersion 0.8.1” worked well.

  • Simcha Blatter

    Is there a script or can you provide the steps needed in case I need to uninstall or undo the getssl.ps1 script and put the server back into the state it was before the getssl.ps1 script was run?

    • To “uninstall” this configuration, all you need to do is delete the task from the task scheduler and delete the GetSSL.ps1 file from your computer. You can remove the serverKey.pem, serverRequest.pem, and serverCustom.pem files from the CStore directory if you don’t want to use an SSL certificate any more.

  • Simcha Blatter

    Is there a way to have the script work if port 80 is blocked and/or being used by another service? Currently Web Direct is only accessible via public https via port 443.

    • I believe Let’s Encrypt requires using port 80 for verification for security reasons.

      • Simcha Blatter

        Thanks for the quick response! I checked the link you provided and it seems to indicate that port 443 Https would be an option. Is my understanding correct?

        • 443 is used for HTTPS connections, so they wouldn’t be able to connect securely on 443 if you didn’t have a valid certificate on there already. It seems that it would be limited use unless they ignored the security errors. I’m not sure if they would allow that or not.

          • Terry Fundak

            I believe there is an interpretation going on here. While Let’s Encrypt the certification granting system uses one method that required the port 80 be open on the server to receive the communications for granting the certificate, 1) This is not the only method available and 2) the fact that port 80 is used does not mean that the certificate cannot be used on other ports for client/server interactions.

            A Let’s Encrypt Certificate is primarily used and useful to authenticate a connection to a known server which matches one or more FQDNs. Beyond that, there is no limitation about ports that can be used for “secured” communications via various protocols.

          • Yes, you’re definitely right, Terry. Their HTTP validation operates on port 80, but you can use other validation methods. I don’t think we can automate those ones with this script, such as DNS validation, though. You’re also correct that once you have the certificate you can use it for whatever you like, with whatever service on whichever port that it operates on.

  • ACMESharp has (apparently accidentally) been updated to a pre-release version. The instructions for how to handle this have changed a bit. You’ll need to install an additional module, enable it, and then close and re-open PowerShell as Administrator before continuing and running the GetSSL script. I’ve updated the instructions above, but here are the new steps after installing ACMESharp in step 5:

    1. Install New Module:
    Install-Module -Name ACMESharp.Providers.IIS

    2. Enable Module:
    Enable-ACMEExtensionModule -ModuleName ACMESharp.Providers.IIS

    3. Quit and re-open PS as Administrator