Securing your FileMaker Server with SSL certificates is crucial for protecting data and ensuring secure connections. With the release of FileMaker Server 2024, official support for Let’s Encrypt SSL certificates is available for macOS and Ubuntu. However, Windows users are still awaiting official support. In the meantime, this guide provides a secure method to implement Let’s Encrypt SSL certificates on FileMaker Server for Windows, emphasizing best security practices to protect your server.


Table of Contents

  1. Introduction
  2. Official FileMaker Let’s Encrypt Setup (macOS and Ubuntu)
  3. Understanding the Security Risks of Previous Methods
  4. Requirements
  5. Securing the Setup
  6. Steps to Set Up SSL Certificates
  7. Moving to the Official FileMaker Method
  8. Key Takeaways
  9. Additional Resources

Introduction

With the release of FileMaker Server 2024, official support for Let’s Encrypt SSL certificates has been introduced for macOS and Ubuntu platforms. Windows users, however, are still awaiting this support. Many have turned to community-provided methods to integrate Let’s Encrypt with older versions of FileMaker Server on Windows to avoid the cost of paid SSL certificates.

This guide revisits a popular workaround with a strong emphasis on security. We’ll walk you through setting up Let’s Encrypt SSL certificates on FileMaker Server for Windows, ensuring that both the le64.exe tool and PowerShell scripts are secured according to best practices.


Official FileMaker Let’s Encrypt Setup (macOS and Ubuntu)

For FileMaker Server 2024 users on macOS and Ubuntu, the official requirements for using Let’s Encrypt are:

  • FileMaker Server 2024
  • Ubuntu 22.04 or macOS
  • An HTTP site hosted on a public server
  • A public domain name for the server
  • Port 80 open for Let’s Encrypt validation
  • Certbot installed on the server

Security Notes:

  • Port 80 is only temporarily opened during validation and then closed.
  • Certbot automatically renews certificates when they are 30 days from expiration.

This built-in support simplifies the process and automates certificate renewal securely for macOS and Ubuntu users. Windows users need to employ a secure workaround until official support is available.


Understanding the Security Risks of Previous Methods

Earlier methods, such as the one originally provided by Blue Feather Group, involved using a PowerShell script (GetSSL.ps1) and an ACME client (le64.exe) to manage SSL certificates. However, this implementation as seen in the video had significant security flaws:

  • Unrestricted PowerShell Execution: Setting the PowerShell execution policy to Unrestricted exposes the system to malicious scripts.
  • Elevated Privileges for Unsigned Executables: Running le64.exe with administrative privileges, without restricting who can run or replace the binary, means any tampering with that file executes with those same privileges.

This guide addresses these issues by providing a more secure approach to implementing Let’s Encrypt SSL certificates on Windows.


Requirements

To securely implement Let’s Encrypt SSL certificates on FileMaker Server for Windows, you’ll need:

  • Windows Server (2012 R2, 2016, 2019, or later)
  • A public domain name for your server (e.g., fms.mydomain.com)
  • FileMaker Server (versions up to 2024 on Windows)
  • Port 80 temporarily open for Let’s Encrypt validation
  • Secure PowerShell scripts and le64.exe executable
  • Administrative privileges for configuration

Securing the Setup

Secure PowerShell Execution

Instead of setting the execution policy to Unrestricted, use one of the following secure methods:

Option 1: Per-Script Execution Policy Bypass

Run the GetSSL.ps1 script with the -ExecutionPolicy Bypass parameter:

powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1"

This bypasses the execution policy only for this script, leaving the global policy intact.

Option 2: Digitally Sign the PowerShell Script

Step 1: Create a Self-Signed Certificate

$cert = New-SelfSignedCertificate -DnsName "localhost" -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My

Step 2: Sign the PowerShell Script

Set-AuthenticodeSignature -FilePath "C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1" -Certificate $cert

Step 3: Set Execution Policy to AllSigned

Set-ExecutionPolicy AllSigned -Scope LocalMachine

With AllSigned, PowerShell runs only scripts that carry a valid signature from a publisher the machine trusts, so an unsigned or edited GetSSL.ps1 is refused.
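
The three signing steps carried through end to end, as an added example rather than code from the original guide. It assumes the script path used throughout this guide and an elevated PowerShell session; the extra trust-store imports are needed because AllSigned accepts a self-signed certificate only once the machine trusts it.

```powershell
# Added example: create a code-signing certificate, trust it on this machine,
# sign GetSSL.ps1 and verify the signature before tightening the policy.
$scriptPath = 'C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1'   # path from the guide

# 1. Self-signed code-signing certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -DnsName 'localhost' -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. AllSigned only honours signatures from trusted publishers, so a self-signed
#    certificate must be added to Trusted Root and Trusted Publishers.
$cerFile = Join-Path $env:TEMP 'fms-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null
Remove-Item $cerFile

# 3. Sign the script. A timestamp keeps the signature valid after the certificate
#    itself expires (public DigiCert timestamp server, assumed reachable).
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 4. Verify: Status must be Valid, otherwise AllSigned will block the script.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${scriptPath}: $($sig.Status) $($sig.StatusMessage)"
}
Write-Host "Signed by $($sig.SignerCertificate.Subject), status $($sig.Status)"

# 5. Tighten the policy. Any later edit to GetSSL.ps1 invalidates the signature,
#    so re-run step 3 after every change to the script.
Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
```

If you sign the script, remove -ExecutionPolicy Bypass from the scheduled task's arguments; otherwise the per-process bypass overrides AllSigned and the signature is never checked.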

Secure le64.exe Execution

Option 1: Restrict Permissions on le64.exe

  1. Navigate to the folder containing le64.exe.
  2. Right-click le64.exe, select Properties, and go to the Security tab.
  3. Edit permissions to allow execution only by trusted administrators.
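
The same permission change done from PowerShell, as an added example that is not part of the original guide. It assumes the le64.exe location used in this guide and leaves only local Administrators and SYSTEM with access, which is enough for the renewal task as long as it runs under an administrator account.

```powershell
# Added example: restrict le64.exe so only SYSTEM and local Administrators can
# read, execute or replace it, then verify no other entries remain.
$le64Path = 'C:\Program Files\FileMaker\SSL Renewal\le64.exe'   # path from the guide
$allowed  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

$acl = Get-Acl -Path $le64Path
# Stop inheriting the folder's permissions; $false drops the inherited entries
# instead of copying them onto the file as explicit rules.
$acl.SetAccessRuleProtection($true, $false)

# Explicit allow rules for the two trusted identities; nobody else gets anything.
foreach ($identity in $allowed) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $le64Path -AclObject $acl

# Check: re-read the ACL and fail loudly if an unexpected identity still has access.
$extra = (Get-Acl -Path $le64Path).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    throw "Unexpected ACL entries on le64.exe: $(($extra.IdentityReference | ForEach-Object Value) -join ', ')"
}
Write-Host "le64.exe access restricted to: $($allowed -join ', ')"
```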

Option 2: Run le64.exe via Scheduled Task with Elevated Privileges

  1. Open Task Scheduler.
  2. Create a new task to run le64.exe with required arguments.
  3. Configure the task to run with highest privileges and to run whether the user is logged on or not.

By restricting access to le64.exe, you minimize the risk of unauthorized execution.


Steps to Set Up SSL Certificates

Download the PowerShell Script

Save the script in a secure folder:

C:\Program Files\FileMaker\SSL Renewal\

Ensure the script is secured using one of the methods described in Secure PowerShell Execution.

Download le64.exe

Place le64.exe in the same folder as the PowerShell script and secure it as outlined in Secure le64.exe Execution.

Configure the PowerShell Script

Edit GetSSL.ps1 and update the following variables:

  • $domains: Set to your server’s domain (e.g., "fms.mydomain.com").
  • $email: Your email address for Let’s Encrypt notifications.
  • $le64Path: Path to le64.exe (e.g., "C:\Program Files\FileMaker\SSL Renewal\le64.exe").
  • $fmsPath: Path to your FileMaker Server installation (e.g., "C:\Program Files\FileMaker\FileMaker Server").

Test the Script

Warning: Running the script will restart the FileMaker Server service, disconnecting users.

Run the script in test mode:

powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1"

Monitor the output for errors. Ensure that the test certificate is installed correctly.

Retrieve the Real Certificate

After successful testing:

  1. Edit GetSSL.ps1 and disable test mode (set the $testMode variable to 0).
  2. Run the script again to obtain the real certificate.
  3. Verify the certificate installation by accessing the FileMaker Server Admin Console and checking for a valid SSL certificate.
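
A check that does not rely on the Admin Console, added here as an example and not taken from the original guide: it opens a TLS connection to the server and reports the certificate actually being served. It assumes the example hostname from the Requirements section and the HTTPS port 443; a leftover test certificate shows up as a staging issuer and a chain that fails to validate.

```powershell
# Added example: inspect the certificate FileMaker Server presents on its HTTPS port.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate so a bad one can still be inspected;
        # trust is evaluated explicitly with X509Chain below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer        # a test certificate shows a staging issuer here
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainValid = $chainOk            # $false for the test certificate
        }
    } finally {
        $tcp.Close()
    }
}

$result = Get-ServedCertificate -HostName 'fms.mydomain.com'   # hostname from the guide
$result | Format-List

if (-not $result.ChainValid) {
    Write-Warning 'Served certificate does not chain to a trusted root; is test mode still enabled?'
}
if ($result.DaysLeft -lt 30) {
    Write-Warning "Certificate expires in $($result.DaysLeft) days; check the renewal task."
}
```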

Set Up Task Scheduler for Automatic Renewal

Automate the renewal process to keep your certificates up to date.

Steps:

  1. Open Task Scheduler.
  2. Create a new task (e.g., named Renew SSL Certificate).
  3. Triggers: Set to run every 60 days.
  4. Actions: Start a program:
    • Program/script: powershell.exe
    • Add arguments: -ExecutionPolicy Bypass -File "C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1"
  5. Settings:
    • Check Run whether user is logged on or not.
    • Check Run with highest privileges.
    • Use an account with administrative privileges and access to the FileMaker Server Admin Console.
  6. Conditions: Uncheck Start the task only if the computer is on AC power to ensure it runs regardless of power state.

Note: Ensure the scheduled task is secured and only accessible by trusted administrators.
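
The same task registered from PowerShell, as an added example that is not part of the original guide, so the settings above are reproducible and reviewable. It assumes the script path used in this guide; the account name is a placeholder for an administrator account with access to the FileMaker Server Admin Console.

```powershell
# Added example: register the renewal task with the settings listed in the steps above.
$scriptPath = 'C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1'   # path from the guide
$taskUser   = 'DOMAIN\fms-renew-admin'                              # placeholder account
$cred       = Get-Credential -UserName $taskUser -Message 'Account that will run the renewal task'

# Action: powershell.exe with the per-script policy bypass from Option 1.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Trigger: every 60 days, at a quiet hour because the script restarts FileMaker Server.
$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 60 -At '03:00'

# Settings: AllowStartIfOnBatteries corresponds to unchecking "Start the task only if
# the computer is on AC power"; the time limit stops a hung run from lingering.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Supplying credentials makes the task run whether the user is logged on or not;
# RunLevel Highest is "Run with highest privileges".
Register-ScheduledTask -TaskName 'Renew SSL Certificate' -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Check: confirm the principal and run level took effect.
$task = Get-ScheduledTask -TaskName 'Renew SSL Certificate'
'{0}: runs as {1}, run level {2}' -f $task.TaskName, $task.Principal.UserId, $task.Principal.RunLevel
```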


Moving to the Official FileMaker Method

Once FileMaker Server provides official Let’s Encrypt support for Windows:

  • Transition to Certbot: Use the official ACME client recommended by FileMaker.
  • Apply Security Principles: Continue to secure scripts and executables as outlined in this guide.
  • Update Automation: Adjust your scheduled tasks to use Certbot and follow official documentation.

Staying updated with the latest FileMaker releases ensures you benefit from improved security features and official support.


Key Takeaways

By following this guide, you’ve securely implemented Let’s Encrypt SSL certificates on your FileMaker Server for Windows. Emphasizing security at each step protects your server from potential vulnerabilities associated with running scripts and executables with elevated privileges.

Key Takeaways:

  • Secure PowerShell Scripts: Avoid global policy changes; use per-script execution policies or sign your scripts.
  • Restrict Executable Permissions: Limit access to le64.exe to trusted users.
  • Automate Securely: Use Task Scheduler with appropriate security settings for automatic renewals.
  • Stay Informed: Keep an eye on official FileMaker updates for Windows support.

By maintaining these best practices, you ensure that your server’s SSL certificate management is both effective and secure.


Additional Resources

Disclaimer: The information provided in this guide is based on the steps and procedures known as of September 23, 2024. Features and processes may change with future updates to FileMaker Server or Let’s Encrypt. Always consult the latest official documentation and consider reaching out to professional support if needed.


Preserving the Knowledge

This guide aims to provide a secure and updated method for implementing Let’s Encrypt SSL certificates on FileMaker Server for Windows, addressing the security concerns of earlier approaches. By following the practices outlined here, you help maintain a secure environment for your server and contribute to the overall security of the FileMaker community.