FileMaker Server 19 - Letsencrypt

Installation

Install Homebrew

# /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install certbot

# brew install certbot

Link the macOS default webroot to the webroot of the FileMaker Server

# cd /Library/WebServer
# sudo ln -s /Library/FileMaker\ Server/HTTPServer/htdocs/

Certificate

Obtain

# sudo certbot certonly --webroot -d fm.comodin.com --agree-tos -m fm@comodin.com --preferred-challenges "http"
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fm.comodin.com
Input the webroot for fm.comodin.com: (Enter 'c' to cancel): /Library/WebServer/htdocs
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/fm.comodin.com/privkey.pem
   Your cert will expire on 2019-08-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Check

sudo certbot certificates
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fm.comodin.com
    Serial Number: 46489aa88b4e9bb6e26fba0d984227dde6a
    Key Type: RSA
    Domains: fm.comodin.com
    Expiry Date: 2021-06-08 10:10:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fm.comodin.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renew

sudo certbot renew
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fm.comodin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fm.comodin.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/fm.comodin.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/fm.comodin.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Copy by hand

sudo cp /etc/letsencrypt/live/fm.comodin.com/privkey.pem /Library/FileMaker\ Server/CStore/privkey.pem
sudo cp /etc/letsencrypt/live/fm.comodin.com/fullchain.pem /Library/FileMaker\ Server/CStore/fullchain.pem

Set the permissions

sudo chmod 644 /Library/FileMaker\ Server/CStore/privkey.pem

Load into FileMaker Server

sudo fmsadmin certificate import "/Library/FileMaker Server/CStore/fullchain.pem" --keyfile "/Library/FileMaker Server/CStore/privkey.pem" -y
username (root):gent
password:
Restart the FileMaker Server background processes to apply the change.

Stop / start FileMaker Server

launchctl stop com.filemaker.fms
launchctl start com.filemaker.fms

Automate

Now we want to automate the whole thing. Every week, certbot should automatically

  • renew the certificate
  • load the certificate into FileMaker Server
  • restart FileMaker Server
  • send us an e-mail so we always know what is going on

Required/prerequisite: a running postfix on the Mac, see MacOS - postfix

sudo bbedit /usr/local/bin/fmcertrenew.sh

fmcertrenew.sh

#!/bin/sh

DOMAIN="fm.comodin.com"
EMAIL="fm@comodin.com"
SERVER_PATH="/Library/FileMaker Server/"
WEB_ROOT="${SERVER_PATH}HTTPServer/htdocs"   # not used below, kept from the original
USER="fmuser"
PASS="fmpass"
LOGFILE="/tmp/fmcertrenew.log"

# certbot: renews only when the certificate is due; stderr is captured too so
# that errors end up in the e-mail, not only the normal output
certbot renew > "${LOGFILE}" 2>&1

# copy the current certificate and key into the FileMaker Server certificate store
cp "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SERVER_PATH}CStore/fullchain.pem"
cp "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SERVER_PATH}CStore/privkey.pem"
chmod 640 "${SERVER_PATH}CStore/privkey.pem"

# FileMaker Server: remove the old custom certificate, import the new one
fmsadmin certificate delete -y -u "${USER}" -p "${PASS}"
fmsadmin certificate import "${SERVER_PATH}CStore/fullchain.pem" --keyfile "${SERVER_PATH}CStore/privkey.pem" -y -u "${USER}" -p "${PASS}" >> "${LOGFILE}" 2>&1

# restart FileMaker Server so the new certificate is used
# (plain seconds: the BSD sleep on macOS does not accept a "60s" suffix everywhere)
launchctl stop com.filemaker.fms
sleep 60
launchctl start com.filemaker.fms

echo "fertig :)" >> "${LOGFILE}"

# mail the log (needs the running postfix mentioned above)
mail -s "fmcertrenew.log" "${EMAIL}" < "${LOGFILE}"

Set permissions

chmod 750 fmcertrenew.sh

Test the script

sudo /usr/local/bin/fmcertrenew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Restart the FileMaker Server background processes to apply the change.

The e-mail should look like this

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fm.comodin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
 /etc/letsencrypt/live/fm.comodin.com/fullchain.pem expires on 2021-06-08 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Restart the FileMaker Server background processes to apply the change.
fertig :)
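The test run above copies the unchanged certificate, imports it again and restarts FileMaker Server although certbot reported "Cert not yet due for renewal", so the server is restarted every Saturday whether or not anything changed. certbot can instead call a deploy hook only after a lineage was actually renewed. The following script is an added example, not part of the original page: it performs the same copy/import/restart/mail steps as fmcertrenew.sh, but from such a hook. Assumptions: it is installed as /etc/letsencrypt/renewal-hooks/deploy/fmcert-deploy.sh (certbot runs every executable in that directory after a successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS), the fmsadmin credentials are read from a root-only file /etc/fmcertrenew.conf defining FMS_USER and FMS_PASS (a constructed format), and openssl is available to confirm that key and chain belong together before they are imported.

```shell
#!/bin/sh
# fmcert-deploy.sh: certbot deploy hook for FileMaker Server (constructed example).
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/fmcert-deploy.sh
# certbot runs deploy hooks only after a lineage was actually renewed and exports
#   RENEWED_LINEAGE  e.g. /etc/letsencrypt/live/fm.comodin.com
#   RENEWED_DOMAINS  space-separated domains of that lineage
# so the copy/import/restart below no longer happens in weeks without a renewal.
set -eu

DOMAIN="fm.comodin.com"
EMAIL="fm@comodin.com"
SERVER_PATH="/Library/FileMaker Server/"
CSTORE="${SERVER_PATH}CStore"
LOGFILE="/tmp/fmcertrenew.log"
# Assumed: a root-only file (chmod 600) with two lines,
#   FMS_USER="fmuser"
#   FMS_PASS="fmpass"
# so the fmsadmin password is not stored in the script itself.
CREDENTIALS_FILE="/etc/fmcertrenew.conf"

# Return 0 if the renewed lineage covers the domain FileMaker Server uses.
# $1: RENEWED_DOMAINS as exported by certbot, $2: the domain to look for.
renewed_our_domain() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if the private key belongs to the certificate: both must yield the
# same public key. Importing a mismatched pair fails, and FileMaker Server
# would then be restarted for nothing.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Copy, import and restart; every message goes to stdout for the log/e-mail.
deploy() {
    lineage="$1"
    echo "Deploying renewed certificate from ${lineage} ($(date))"
    key_matches_cert "${lineage}/fullchain.pem" "${lineage}/privkey.pem" || {
        echo "ERROR: privkey.pem does not match fullchain.pem, FileMaker Server left untouched"
        return 1
    }
    cp "${lineage}/fullchain.pem" "${CSTORE}/fullchain.pem" || return 1
    cp "${lineage}/privkey.pem" "${CSTORE}/privkey.pem" || return 1
    chmod 640 "${CSTORE}/privkey.pem"     # same mode as the page's script: no world read
    . "${CREDENTIALS_FILE}" || return 1
    [ -n "${FMS_USER:-}" ] && [ -n "${FMS_PASS:-}" ] || {
        echo "ERROR: ${CREDENTIALS_FILE} must define FMS_USER and FMS_PASS"
        return 1
    }
    # -p puts the password on the command line, visible in ps while fmsadmin runs;
    # keeping it out of the script at least keeps it out of backups and diffs.
    # "|| true": an error here (e.g. no custom certificate yet) must not abort the import.
    fmsadmin certificate delete -y -u "${FMS_USER}" -p "${FMS_PASS}" || true
    fmsadmin certificate import "${CSTORE}/fullchain.pem" --keyfile "${CSTORE}/privkey.pem" \
        -y -u "${FMS_USER}" -p "${FMS_PASS}" || return 1
    launchctl stop com.filemaker.fms
    sleep 60
    launchctl start com.filemaker.fms
    echo "fertig :)"
}

# Only act when certbot actually renewed our lineage; running the hook by hand
# without RENEWED_LINEAGE therefore does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ] && renewed_our_domain "${RENEWED_DOMAINS:-}" "${DOMAIN}"; then
    deploy "${RENEWED_LINEAGE}" > "${LOGFILE}" 2>&1 || echo "deploy FAILED, see above" >> "${LOGFILE}"
    mail -s "fmcertrenew ${DOMAIN}" "${EMAIL}" < "${LOGFILE}"
fi
```

With the hook in place, the weekly LaunchDaemon only needs to run `certbot renew`; certbot executes the hook itself on the weeks a renewal happens, and nothing is copied, imported or restarted otherwise. Note that `certbot renew --dry-run` does not execute deploy hooks, so a dry run tests the challenge but not the FileMaker import.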

LaunchDaemon

sudo bbedit /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

Every Saturday at 4:29 in the morning, certbot should renew the certificate and load it into FileMaker Server

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin</string>
    </dict>
    <key>Label</key>
    <string>com.filemaker.fmcertrenew</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/usr/local/bin/fmcertrenew.sh</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>StartCalendarInterval</key>
    <array>
        <dict>
            <key>Hour</key>
            <integer>4</integer>
            <key>Minute</key>
            <integer>29</integer>
            <key>Weekday</key>
            <integer>6</integer>
        </dict>
    </array>
</dict>
</plist>

Adjust permissions

chown root:wheel /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

Load

# sudo launchctl load -w /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

Unload

# sudo launchctl unload /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

Check that it was loaded

sudo launchctl list | grep com.filemaker
-   0   com.filemaker.httpd.graceful
-   0   com.filemaker.httpd.stop
92024   0   com.filemaker.fms
-   0   com.filemaker.httpd.start
-   0   com.filemaker.fmcertrenew
-   0   com.filemaker.httpd.restart
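The columns of `launchctl list` are the PID (`-` while the job is not running), the exit status of the job's last run, and the label. For com.filemaker.fmcertrenew the second column is the one worth watching: a non-zero value means the last Saturday run of fmcertrenew.sh ended with an error even if an e-mail arrived. The following check is an added example, not part of the original page; it parses that output, and the sample list is constructed from the output above plus one made-up job with a failed last run.

```shell
#!/bin/sh
# Added check (constructed example): report the state of one launchd job from
# the output of `launchctl list`, whose columns are PID, last exit status, label.
set -eu

# Usage: launchctl list | job_last_exit <label>
# Prints the last exit status of <label>; prints nothing and returns 1 when
# the label is not loaded at all.
job_last_exit() {
    awk -v label="$1" '$3 == label { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Usage: launchctl list | job_healthy <label>
# Returns 0 only when the job is loaded and its last run exited with status 0.
job_healthy() {
    status=$(job_last_exit "$1") || return 1
    [ "$status" = "0" ]
}

# Constructed sample: the lines shown on this page plus one failing job.
SAMPLE_LIST='-   0   com.filemaker.httpd.graceful
-   0   com.filemaker.httpd.stop
92024   0   com.filemaker.fms
-   0   com.filemaker.httpd.start
-   0   com.filemaker.fmcertrenew
-   0   com.filemaker.httpd.restart
-   1   com.example.failingjob'

# Stand-alone demonstration on the sample; on the server use
#   launchctl list | job_healthy com.filemaker.fmcertrenew
for label in com.filemaker.fmcertrenew com.example.failingjob com.example.notloaded; do
    if printf '%s\n' "$SAMPLE_LIST" | job_healthy "$label"; then
        echo "$label: last run OK"
    else
        echo "$label: not loaded or last run failed"
    fi
done
```

Because the renewal job runs only once a week, a failed run shows up here long before the certificate actually expires, which is why this column is worth checking in addition to the e-mail.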