This is a fork of the work started by: David Nahodyl, Blue Feather
Thanks for figuring out the hard part David!
- Only supports Windows Server 2016+.
- Tested on FileMaker Server 17, 18, 19, 20, and 21.
- Installs all dependencies for you.
- If you use this script in production, you should watch this repo in GitHub so you get a notification when it's updated.
-
Open PowerShell console as an Administrator:
- Click Start
- Type PowerShell
- Right-click on Windows PowerShell
- Click Run as administrator
-
Download the
GetSSL.ps1
file to your server:
(replace master with dev or a tag name to download a different version of this script)Invoke-WebRequest ` -Uri https://raw.githubusercontent.com/dansmith65/FileMaker-LetsEncrypt-Win/master/GetSSL.ps1 ` -OutFile "C:\Program Files\FileMaker\FileMaker Server\Data\Scripts\GetSSL.ps1"
If you get an error like:
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
, you can resolve it by running this command in PowerShell:[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
Access the wizard-style setup by calling without parameters:
(if you're just testing, add-Staging
to the end)Set-ExecutionPolicy Bypass -Scope Process -Force; & 'C:\Program Files\FileMaker\FileMaker Server\Data\Scripts\GetSSL.ps1'
After this task completes, you'll be asked if you want to get a certificate, at which point you'll be prompted for domain(s) and email. Then, you'll be asked if you want to schedule a task, then configure email. If you do all these steps, the setup is complete for this server.
Examples in this section will use a shortened syntax and assumes you will set execution policy manually, or prefix the command with the snippets above. It also leaves the path to GetSSL.ps1
off for the same reason.
-
Get and Install a Certificate:
Also use this command to modify the stored domain or email, which is used for renewals. Once this is done, you likely never have to specify domain/email again unless you want to change it..\GetSSL.ps1 -Setup -Domains fms.example.com, fms.example2.com -Emails user@email.com, user2@email.com
-
Renew Certificate:
Renew the most recently used certificate. This is the command called by the scheduled task, but you can run it manually if needed..\GetSSL.ps1 -Renew
-
Install Certificate:
Installs the most recently retrieved certificate. Useful if a certificate was successfully retrieved, but something failed before it was installed..\GetSSL.ps1 -InstallCertificate
-
Setup scheduled task to renew the certificate:
Will schedule a task to re-occur every 63 days. You can modify this task after it's created by opening Task Scheduler. If you don't do this step, you will have to manually renew the certificate before it expires every 90 days..\GetSSL.ps1 -ScheduleTask
Note that 63 days was choosens as the default renwal interval because it will make the renewal fall on the same day of the week and is close to the recommended renewal point which is 2/3 of the certificates lifespan. You can specify your own renewal interval by appending:
-IntervalDays 70
, or just manually modify the task via Task Scheduler.You can also specify your preferred renewal time by appending:
-Time 2:00am
. The default time is 4:00am.A full example with custom interval and time:
.\GetSSL.ps1 -ScheduleTask -IntervalDays 70 -Time 2:00am
-
Email Log File:
Store credentials and SMTP info so this script can send logs when it runs from a scheduled task.
Set-ExecutionPolicy Bypass -Scope Process -Force; & 'C:\Program Files\FileMaker\FileMaker Server\Data\Scripts\GetSSL.ps1' -ConfigureEmail
-
Update Dependencies:
.\GetSSL.ps1 -InstallDependencies -Force
-
Call Posh-ACME functions directly.
You could potentially do this to modify the domains or your contact email. GetSSL will use whatever domains are returned byGet-PAOrder
and whatever account is returned byGet-PAAccount
. -
Specify an alternative web root for HTTP-01 challenge:
If your FileMaker server is not exposed to the internet you will be unable to complete the HTTP-01 challenge. However, if you have another IIS server on your network that is exposed, you can use its web root instead.
.\GetSSL.ps1 -WebRoot '\\web-server\C$\inetpub\wwwroot'
NOTE: This documentation is not yet fully updated for version 2.
If you view the GetSSL.ps1 file as text; the documentation is in comments at the top of the file.
To view it the "PowerShell Way", you can use Get-Help
like:
Get-Help .\GetSSL.ps1 -full
This script will seamlessly and securely manage authentication for you. If external authentication is setup for the user the script is run as to access the Admin Console, then that will be used. If it's not, you will be asked for your Admin Console Sign In when the script runs. These credentials will be stored in Windows Credential Manager; the same place FileMaker Server stores your encryption at rest password. The next time the script runs, it will load the stored credentials from Credential Manager.
I haven't tested this scenario but the credentials can probably only be retrieved by the same user account that created them. If you modify your scheduled task to run as a different user, that might break this feature.
If you want to, external authentication can easily be enabled on a default installation of FileMaker Server and does not require an Active Directory:
- Log in to FileMaker Server 17 admin console
- Administration > External Athentication > External Accounts for Admin Console Sign In: click Change
- Add a group name and click Save Authentication Settings
(default install of Windows should work with "Administrators" as the group name) - Admin Console Sign In > External Accounts: Enable
- Confirm it's working by typing this on the command line:
fmsadmin list files
. If you are not asked for a user/pass, then it has be properly enabled.
If external authentication is enabled but you don't want to use it, you can store credentials with this command:
Get-Credential | New-StoredCredential -Target "GetSSL FileMaker Server Admin Console" -Persist LocalMachine
I won't duplicate what is already said about the -Staging
parameter in the official help docs but I do want to add to it. Let's Encrypt service imposes Rate Limits, which are less restrictive on their staging environment. While developing this script (and before I added this parameter) I repeatedly tested with the same domain and quickly hit the limit of 5 identical certificate requests per week. While this won't pertain to most people, I do want to point out that if you are doing testing, you should use the -Staging
parameter.
Using this parameter is a great way of doing the initial setup/testing as well. It allows you to go through all the steps without worrying about rate limits or your server being restarted. Common issues like permissions to call fmsadmin.exe without having to type a user/pass can be resolved before doing a final install. Since the existing certificate is backed up before being replaced, you could always restore to existing configuration, if needed.
Before replacing any files in the CStore directory, they are backed up in a sub-folder with the current date/time and no backups are ever overwritten or deleted by this script. If you need to restore a previously installed certificate, you can do it with a command like this:
Remove-Item "C:\Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem"
fmsadmin certificate import `
"C:\Program Files\FileMaker\FileMaker Server\CStore\Backup\2018-10-09_181822\serverCustom.pem" `
--keyfile "C:\Program Files\FileMaker\FileMaker Server\CStore\Backup\2018-10-09_181822\serverKey.pem" -y
Make sure to use the actual path to the backup you want to restore; this code is an example for a backup taken at the time of writing this documentation.
This script must restart the FileMaker Server process to complete the installtion of the certificate. It does it's best to do a safe shutdown and to start the server, CWP (if it was running), and open files (if there were any open before). However, if you want to customize this process, you could edit the script's Install-Cert
function.
Beware that if you have to enter an encryption at rest password when you open files, you will need to manage this process yourself, in this section of the script. NOTE: this only applies if you've configured your server not to store the password.
Alternatively, if you have your own shutdown/startup scripts already, you could call them directly and remove the default steps provided in this script.