
Let’s Encrypt is a non-profit certificate authority with the mission of spreading the SSL love across the internet. Though they’re not officially supported, we can use Let’s Encrypt to get free SSL certificates to use with FileMaker Server. We will use a Bash script and a LaunchDaemon to retrieve and automatically renew SSL certificates through Let’s Encrypt to make sure our connections to FileMaker Server are secure. With this, there’s no reason anyone should have an invalid SSL certificate on their FileMaker Server deployment!

Requirements:

  • FileMaker Server deployed on a Mac server – Tested with OSX 10.11 but may work with other versions.
  • The “FileMaker Database Server Website” page must be reachable through the public internet using a web browser at the address you wish to get an SSL certificate for, such as http://myserver.mycompany.com. This means opening or forwarding port 80 in your router, firewall, or security groups. We use the Let’s Encrypt HTTP verification challenge, so we must make sure that Let’s Encrypt is able to reach our FileMaker server through HTTP.

Warning: FileMaker does not list Let’s Encrypt as a supported SSL vendor and usually alerts the community that non-supported SSL vendors’ certificates won’t be able to be validated by FileMaker Pro and Go. I believe we’ve solved this issue with this solution. We’ve had no problems with validating these SSL certificates with FileMaker Pro 13-16 but of course can’t make any guarantees. FileMaker Go 15/16 also seem to validate everything correctly, though FileMaker Go 14 can’t connect. Please post in the comments section below if you have any issues using these SSL certificates. This is an experimental script and procedure. Please proceed with the use of this Bash script and Let’s Encrypt SSL certificates at your own risk.

Here’s a summary of what we’re going to need to do:

  1. Install Homebrew
  2. Install Certbot
  3. Download the GetSSL.sh file
  4. Edit the GetSSL.sh file
  5. Run the Bash script
  6. Change the FileMaker Server SSL Connections settings
  7. Set up a schedule to renew the SSL certificate

1. Install Homebrew

Homebrew is a package manager for Mac. It’s used to install tools and applications for your system. You can read more about Homebrew at the Homebrew website. We’re going to follow the instructions on there to install Homebrew on our Mac server. Run the following command in Terminal:

2. Install Certbot

Certbot is very easy to install once you’ve got Homebrew installed. Just type and run the command below in Terminal:

3. Download the GetSSL.sh Bash script

First, you’ll need a copy of the GetSSL Bash script. Download the file using the link below and save it on your server where you’ll want to get the SSL certificate.

Warning: This is an experimental script and procedure, and SSL certificates from Let’s Encrypt are not officially supported by FileMaker, Inc. Please download and use this script with the understanding that it comes with no guarantees or warranties, and that you are doing so at your own risk. Neither Blue Feather, Let’s Encrypt, nor anyone else is responsible for what happens to your server or systems when using this script.

Download the GetSSL Bash script

4. Edit the GetSSL.sh file

The script file needs to be edited so that it knows the address you wish to get an SSL certificate for. Open the script in a text editor like TextEdit, TextWrangler, Sublime Text, or through Terminal using an editor like Vim. Change the address, email address, and (if necessary) the FileMaker Server install path variables to reflect your server’s information and your contact information. Let’s Encrypt will use this contact information to reach out to you if there is a problem with the SSL certificate that they have issued to you.

5. Run the Bash Script

WARNING: Running this Bash script will safely restart your FileMaker Server service, abruptly disconnecting any active users. Make sure that nobody is connected to your server before you run this script.

With Certbot installed, we’re now ready to run the Bash script. Make sure nobody is connected or using your FileMaker server and then run the GetSSL.sh Bash script by navigating to the directory you have it copied to in your Terminal window and entering:

A bunch of text will scroll by in the Terminal window as the script requests, fetches, and installs your SSL certificate. Your FileMaker Server service will then be stopped and started again automatically.

Your SSL certificate should now be installed! Go to your FileMaker Server admin console to make sure you’re seeing the new SSL certificate. You may need to close and re-open your browser if you had the page open already.
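To make the steps above concrete, here is an added example of what a GetSSL-style renewal script does, written for this page rather than taken from Blue Feather’s downloadable GetSSL.sh. It assumes the default Mac install path `/Library/FileMaker Server`, that FileMaker Server’s bundled web server serves `HTTPServer/htdocs` on port 80 (where Certbot places the HTTP challenge token), that the FileMaker Server launchd job is labelled `com.filemaker.fms`, and that `fmsadmin certificate delete` / `fmsadmin certificate import --keyfile` exist on your version (check `fmsadmin help certificate`). The `DOMAIN`, `EMAIL`, `FMS_ADMIN_USER`, `FMS_ADMIN_PASS` and `STATE_FILE` values are constructed placeholders. It also addresses the restart behaviour the post mentions: FileMaker Server is only restarted when the certificate file actually changed since the last install.

```shell
#!/bin/bash
# Added example of a GetSSL-style renewal script (not the post's GetSSL.sh).
set -eu

DOMAIN="${DOMAIN:-myserver.mycompany.com}"          # constructed placeholder
EMAIL="${EMAIL:-admin@mycompany.com}"               # constructed placeholder
FMS_PATH="${FMS_PATH:-/Library/FileMaker Server}"   # assumed default Mac path
FMS_ADMIN_USER="${FMS_ADMIN_USER:-admin}"           # placeholder; set via environment
FMS_ADMIN_PASS="${FMS_ADMIN_PASS:-changeme}"        # placeholder; set via environment
# Copy of the last certificate we imported, used to detect a real renewal.
STATE_FILE="${STATE_FILE:-/usr/local/etc/getssl-last-fullchain.pem}"  # constructed

# Web root served by FileMaker Server's bundled Apache on port 80; certbot
# writes the HTTP-01 challenge token under .well-known/ here (assumption).
fms_webroot() {
  printf '%s/HTTPServer/htdocs\n' "$1"
}

# Return 0 (true) when the new certificate differs from the one last installed,
# or when nothing has been installed yet; return 1 when it is byte-identical.
cert_changed() {
  new="$1"
  last="$2"
  [ -f "$last" ] || return 0
  ! cmp -s "$new" "$last"
}

renew_and_install() {
  webroot=$(fms_webroot "$FMS_PATH")
  live="/etc/letsencrypt/live/$DOMAIN"

  # --keep-until-expiring makes this a no-op until the certificate is within
  # certbot's renewal window (30 days before expiry), matching the post.
  certbot certonly --webroot -w "$webroot" -d "$DOMAIN" \
    --email "$EMAIL" --agree-tos --non-interactive --keep-until-expiring

  if cert_changed "$live/fullchain.pem" "$STATE_FILE"; then
    # Replace the certificate in FileMaker Server (flags assumed; see
    # `fmsadmin help certificate` on your version). fullchain.pem carries
    # the intermediate chain that FileMaker Pro/Go need to validate.
    fmsadmin certificate delete -y -u "$FMS_ADMIN_USER" -p "$FMS_ADMIN_PASS"
    fmsadmin certificate import "$live/fullchain.pem" \
      --keyfile "$live/privkey.pem" -y -u "$FMS_ADMIN_USER" -p "$FMS_ADMIN_PASS"
    cp "$live/fullchain.pem" "$STATE_FILE"
    chmod 600 "$STATE_FILE"

    # A restart disconnects every active client, so only do it when the
    # certificate really changed (launchd label assumed).
    launchctl stop com.filemaker.fms
    launchctl start com.filemaker.fms
    echo "New certificate installed; FileMaker Server restarted"
  else
    echo "Certificate unchanged; FileMaker Server left running"
  fi
}

# Only touch certbot/fmsadmin/launchd when explicitly asked, e.g.
#   sudo GETSSL_RUN=1 FMS_ADMIN_PASS=... ./GetSSL-example.sh
if [ "${GETSSL_RUN:-0}" = 1 ]; then
  renew_and_install
fi
```

Run it as root (certbot writes under /etc/letsencrypt and launchctl needs it), and supply the admin credentials through the environment of the LaunchDaemon rather than hard-coding them in a world-readable script; `privkey.pem` is never copied anywhere, it is only handed to `fmsadmin` by path.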


6. Change the FileMaker Server SSL Connections settings

The SSL certificate is installed, but we want to force FileMaker Pro and Go clients to connect securely to our server. Log in to your newly secured FileMaker Server admin console. Select the Database Server options from the list on the left and then the Security tab at the top of the page. Check the “Use SSL for database connections” option (as well as “Use SSL for progressive downloading” if you would like) to force FileMaker Pro and Go clients to use a secure connection when connecting to this server. Save your changes and then restart your whole FileMaker Server machine or just the FileMaker Server background service.

FileMaker Server Admin Console Settings

Your FileMaker Pro clients should now show the green lock icon when logging in to this server, indicating that the connection is secure.

7. Set up a schedule to renew the SSL certificate

SSL Certificates from Let’s Encrypt are only valid for 90 days and must be renewed before that time. Let’s Encrypt does this purposefully to encourage automation and increase security. In that spirit, we should set up an automatic renewal for our SSL certificates so that we don’t need to manually re-run this every couple of months. This process is similar to setting up a scheduled script in FileMaker Server.

Move the GetSSL.sh file to a relatively permanent location on your server. An example place for this might be /usr/local/bin/.

You’ll need to create a LaunchDaemon schedule to run the script at the dates and times you want. A LaunchDaemon runs your scheduled program or task at the dates and times, or at the interval, that you specify. These certificates are good for 90 days at a time, and the Certbot tool we’re using will only renew them once they are within 30 days of expiry. You will want to create a .plist file to schedule this in a way which makes the most sense for you. You can have it run once per week, for example, and it will renew your certificate when it becomes eligible for renewal. (It will still restart your FM Server at your scheduled time, even if there isn’t a new certificate; I’d like to update this in the future to only restart if there’s a new certificate.)

You can use the example .plist file available at the download link below. You can download and edit this example file to run your GetSSL.sh script at the location you stored it at and on the days you want. This example one is scheduled to run once per week, on Saturdays at 6:21 pm. You can read more about writing your own LaunchDaemons from the Apple Developer site.

Download example .plist

As an alternative, there’s a great app called Lingon X which give you a really nice GUI for creating, editing, and installing LaunchDaemons. A demo is available, and a single-user license is $9.99, which may be worthwhile as it makes creating and scheduling LaunchDaemons very easy.

Once you’ve finished setting your schedule, place your .plist file in /Library/LaunchDaemons/. With your LaunchDaemon installed, you can tell your server to start the schedule by running the following (substituting your .plist file name):
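As an added example (not the post’s downloadable .plist), the shell function below generates a LaunchDaemon with the same weekly schedule the post describes, Saturday at 6:21 pm, pointed at the script stored in /usr/local/bin/, and the install helper places it with the ownership and permissions launchd insists on before loading it. The label `com.example.getssl` and the log path `/var/log/getssl.log` are constructed placeholders; launchd numbers weekdays 0–6 with Sunday as 0, so Saturday is 6.

```shell
#!/bin/bash
# Added example: generate and install a LaunchDaemon for the renewal script.

# Print a launchd plist to stdout. Arguments: label, script path, weekday
# (0=Sunday ... 6=Saturday), hour (0-23), minute (0-59).
write_launchd_plist() {
  label="$1"
  script="$2"
  weekday="$3"
  hour="$4"
  minute="$5"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>$script</string>
  </array>
  <key>StartCalendarInterval</key>
  <dict>
    <key>Weekday</key>
    <integer>$weekday</integer>
    <key>Hour</key>
    <integer>$hour</integer>
    <key>Minute</key>
    <integer>$minute</integer>
  </dict>
  <key>StandardOutPath</key>
  <string>/var/log/getssl.log</string>
  <key>StandardErrorPath</key>
  <string>/var/log/getssl.log</string>
</dict>
</plist>
EOF
}

# Write the plist into /Library/LaunchDaemons with root ownership and mode
# 644 (launchd refuses group/world-writable daemons), then load it.
# Must be run as root; real side effects, so it is not called automatically.
install_launchdaemon() {
  label="$1"
  plist="/Library/LaunchDaemons/$label.plist"
  write_launchd_plist "$label" /usr/local/bin/GetSSL.sh 6 18 21 > "$plist"
  chown root:wheel "$plist"
  chmod 644 "$plist"
  launchctl load -w "$plist"
  # Confirm the job is registered; an absent line means the plist was rejected.
  launchctl list | grep "$label"
}

# Usage (as root):  sudo bash -c '. ./launchd-example.sh; install_launchdaemon com.example.getssl'
# Preview only:     write_launchd_plist com.example.getssl /usr/local/bin/GetSSL.sh 6 18 21
```

Because the daemon runs as root, keep the script it launches owned by root and not writable by other users; otherwise anyone who can edit /usr/local/bin/GetSSL.sh gets root every Saturday evening.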

Done!

That’s all that you need to do! Your script should run automatically at your scheduled time to renew your SSL certificate with Let’s Encrypt. Do a test to make sure that it’s all working properly, that it gets a new certificate for you, and that your FileMaker Server service restarts after it has retrieved the certificate. If there is an issue, you may want to run the script manually in Terminal to locate any issues.

Keep in mind that your FileMaker Server service will be restarted after getting the new SSL certificate, so be sure to schedule it for a time when people will not be active in your system.

This is an early version of this script and there is quite surely room for improvement. Please let me know if you have any suggestions or run into any issues using this scripting. Let’s make the FileMaker community a secure one!

  • Chris Abel

    Thanks for this. We are having an issue with FM15 after performing these instructions. The FM Pro clients display a warning that it can’t verify the identity of the host. If I click “View Certificate”, it displays that all certificates are valid, so I’m not sure why we are getting this warning. Any ideas?

    • You may need to quit and re-open FileMaker Pro clients to get them to re-validate the certificate. They seem to cache some parts until you quit the application completely.

      • Chris Abel

        Thanks for the quick response. Unfortunately, quitting and even restarting the Mac did not resolve this.

        • Can you post a screenshot of the valid certificate you’re seeing in FileMaker Pro? Also, be sure your clients are all patched and up-to-date.

          • Chris Abel

            Server and client are both on latest version of FM15. Server is on 10.11… Strangely enough, I followed your instructions for a 10.12 and FM16 server and that seems to work great. Here are the screenshots: https://imgur.com/a/BHBSG

          • It definitely looks like the certificate is installed properly. Do you have the “Use SSL for database connections” option enabled in the Admin console on the 15 server? It looks like your firewall is blocking FMP connections from the outside, so I can’t test to see how it shows up in FMP on my end.

          • Chris Abel

            Yes, I do have it checked. I’ve used FM14, FM15, and FM16 clients. FM14 won’t connect at all and doesn’t give a warning. FM15 and FM16 will give the warning. I am going to try to upgrade the server to fm16 tonight and see what happens.

          • A fully patched up Pro 13 and 14 should be able to connect to a server with Let’s Encrypt certificates installed, but if they’re not patched up they will error-out and not load due to SSL compatibility issues that arose from changes after Heartbleed happened.

          • Chris Abel

            This was with a fully patched FM14 client. Connected fine to my FM16 server with letsencrypt, did not connect at all to my FM15 server with letsencrypt.