FileMaker Server 2023 - Letsencrypt
Mac mini M1, macOS Ventura 13.5, Filemaker Server 2023
Installation
Install Homebrew
# /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
==> Next steps:
- Run these two commands in your terminal to add Homebrew to your PATH:
(echo; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"') >> /Users/gent/.zprofile
eval "$(/opt/homebrew/bin/brew shellenv)"
Install certbot
# brew install certbot
Test certbot
# sudo certbot renew
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Link the macOS default webroot to the webroot of FileMaker Server
# cd /Library/WebServer
# sudo ln -s /Library/FileMaker\ Server/HTTPServer/htdocs/
Certificate
Obtain
# sudo certbot certonly --webroot -d fm.comodin.com --agree-tos -m fm@comodin.com --preferred-challenges "http"
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for fm.comodin.com
Input the webroot for fm.comodin.com: (Enter 'c' to cancel): /Library/WebServer/htdocs
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/fm.comodin.com/privkey.pem
This certificate expires on 2023-10-28.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Check
# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: fm.comodin.com
Serial Number: 33...3e5
Key Type: ECDSA
Domains: fm.comodin.com
Expiry Date: 2023-10-28 06:25:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/fm.comodin.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renew
# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fm.comodin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/fm.comodin.com/fullchain.pem expires on 2023-10-28 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copy by hand
# sudo cp /etc/letsencrypt/live/fm.comodin.com/privkey.pem /Library/FileMaker\ Server/CStore/privkey.pem
# sudo cp /etc/letsencrypt/live/fm.comodin.com/fullchain.pem /Library/FileMaker\ Server/CStore/fullchain.pem
Set the permissions
# sudo chmod 644 /Library/FileMaker\ Server/CStore/privkey.pem
Load into FileMaker Server by hand
# sudo fmsadmin certificate import "/Library/FileMaker Server/CStore/fullchain.pem" --keyfile "/Library/FileMaker Server/CStore/privkey.pem" -y
username (root): (admin name from the FileMaker Admin Console)
password:
Please restart the FileMaker Server service to apply the change.
Stop / start FileMaker Server
# launchctl stop com.filemaker.fms
# launchctl start com.filemaker.fms
As of 2023: the Mac had to be rebooted before the certificate was loaded. The launchctl stop/start shown above was not sufficient.
Automation
Now we want to automate the whole thing. Every week certbot should automatically
- renew the certificate
- load the certificate into FileMaker Server
- restart FileMaker Server
- send us an e-mail so that we always know what is going on
Required: a running postfix on the Mac, see MacOS - postfix
# sudo nano /usr/local/bin/fmcertrenew.sh
fmcertrenew.sh
#!/bin/sh
# Homebrew on Apple Silicon installs certbot in /opt/homebrew/bin; a LaunchDaemon
# does not have that directory in its PATH unless we set it here (or in the plist)
PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"; export PATH
DOMAIN="fm.comodin.com"
EMAIL="fm@comodin.com"
USER="fmuser"   # FileMaker Server admin account; keep this script 750, owner root
PASS="fmpass"
SERVER_PATH="/Library/FileMaker Server/"
WEB_ROOT="${SERVER_PATH}HTTPServer/htdocs"
LOGFILE="/tmp/fmcertrenew.log"
# certbot: renew if due; capture stdout and stderr in the log that gets mailed
certbot renew > "${LOGFILE}" 2>&1
cp "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SERVER_PATH}CStore/fullchain.pem"
cp "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SERVER_PATH}CStore/privkey.pem"
# the private key must not be world-readable
chmod 640 "${SERVER_PATH}CStore/privkey.pem"
# FileMaker Server: replace the installed certificate
fmsadmin certificate delete -y -u "${USER}" -p "${PASS}" >> "${LOGFILE}" 2>&1
fmsadmin certificate import "${SERVER_PATH}CStore/fullchain.pem" --keyfile "${SERVER_PATH}CStore/privkey.pem" -y -u "${USER}" -p "${PASS}" >> "${LOGFILE}" 2>&1
launchctl stop com.filemaker.fms
# plain seconds: the "60s" suffix is not portable to the macOS sleep
sleep 60
launchctl start com.filemaker.fms
echo "fertig :)" >> "${LOGFILE}"
mail -s "fmcertrenew.log" "${EMAIL}" < "${LOGFILE}"
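The weekly script above re-imports the certificate and restarts FileMaker Server every Saturday whether or not certbot renewed anything. certbot's --deploy-hook option runs a command only after a successful renewal and exports RENEWED_LINEAGE (the live directory, e.g. /etc/letsencrypt/live/fm.comodin.com) and RENEWED_DOMAINS. The following hook is an added example, not the page's own script: it only acts when the certificate in CStore actually differs from the freshly issued one, checks that the private key belongs to the certificate before touching the server, stages the files with a private key that is readable by owner and group only (the manual chmod 644 earlier on this page leaves the key readable by every local user; 640 as in the script is the safer choice), then runs the page's fmsadmin/launchctl sequence and mails the log. The paths, the CStore location, the fmuser/fmpass placeholders, the log file and the Homebrew location are assumptions taken from this page.

```shell
#!/bin/sh
# Added example: certbot deploy hook for FileMaker Server on macOS (not the page's own script).
# certbot runs it only after a successful renewal and sets RENEWED_LINEAGE and RENEWED_DOMAINS.
# Assumptions (taken from the page): FileMaker Server under /Library/FileMaker Server,
# certbot from Homebrew in /opt/homebrew/bin, a working local postfix for mail(1),
# and placeholder admin credentials fmuser/fmpass.
set -u
PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"; export PATH

SERVER_PATH="${SERVER_PATH:-/Library/FileMaker Server/}"
CSTORE="${SERVER_PATH}CStore"
LOGFILE="${LOGFILE:-/tmp/fmcertdeploy.log}"
EMAIL="${EMAIL:-fm@comodin.com}"
FMS_USER="${FMS_USER:-fmuser}"   # placeholder, as on the page
FMS_PASS="${FMS_PASS:-fmpass}"   # placeholder; keep this file mode 750, owner root

# other_perms FILE: print the "other" permission triplet from ls -l, e.g. "---" or "r--"
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# cert_changed NEW DEPLOYED: succeed if the deployed copy is missing or differs byte for byte
cert_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# key_matches_cert CERT KEY: succeed if KEY's public key is the one inside CERT
# (works for the ECDSA keys certbot issues by default and for RSA)
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# stage_cert SRC_DIR DST_DIR: copy fullchain.pem and privkey.pem into DST_DIR; the private
# key ends up 640 (owner and group only). Fails if a copy fails or the key is still
# readable by "other".
stage_cert() {
    src="$1"; dst="$2"
    [ -d "$dst" ] || mkdir -p "$dst" || return 1
    cp "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
    cp "$src/privkey.pem" "$dst/privkey.pem" || return 1
    chmod 644 "$dst/fullchain.pem" || return 1
    chmod 640 "$dst/privkey.pem" || return 1
    [ "$(other_perms "$dst/privkey.pem")" = "---" ]
}

# fms_install_and_restart: the page's fmsadmin/launchctl sequence, run only after the checks
fms_install_and_restart() {
    fmsadmin certificate delete -y -u "$FMS_USER" -p "$FMS_PASS"
    fmsadmin certificate import "$CSTORE/fullchain.pem" --keyfile "$CSTORE/privkey.pem" \
        -y -u "$FMS_USER" -p "$FMS_PASS" || return 1
    launchctl stop com.filemaker.fms
    sleep 60
    launchctl start com.filemaker.fms
}

# run_deploy LINEAGE_DIR: the whole hook; every message goes to stdout for the log/mail
run_deploy() {
    lineage="$1"
    echo "deploy hook for ${RENEWED_DOMAINS:-$lineage} at $(date)"
    if ! cert_changed "$lineage/fullchain.pem" "$CSTORE/fullchain.pem"; then
        echo "certificate unchanged, nothing to do"
        return 0
    fi
    if ! key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "private key does not match certificate, aborting"
        return 1
    fi
    stage_cert "$lineage" "$CSTORE" || { echo "staging into $CSTORE failed"; return 1; }
    fms_install_and_restart || { echo "fmsadmin/launchctl step failed"; return 1; }
    echo "done :)"
}

# certbot sets RENEWED_LINEAGE only when it invokes the hook; sourcing this file elsewhere
# just defines the functions without touching the server.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_deploy "$RENEWED_LINEAGE" > "$LOGFILE" 2>&1
    mail -s "fmcertdeploy.log" "$EMAIL" < "$LOGFILE"
fi
```

Save it as /usr/local/bin/fmcertdeploy.sh with the same 750 permissions as the weekly script and call `certbot renew --deploy-hook /usr/local/bin/fmcertdeploy.sh` in place of the plain `certbot renew`; the LaunchDaemon schedule stays as it is. The hook keeps the launchctl restart from this page, so after the first real renewal check that the new certificate is really served (the page notes that in 2023 a full reboot was needed).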
Set permissions
# sudo chmod 750 fmcertrenew.sh
Test the script
# sudo /usr/local/bin/fmcertrenew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Restart the FileMaker Server background processes to apply the change.
The e-mail should look like this:
LaunchDaemon
# sudo nano /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist
Every Saturday morning at 4:29 certbot should renew the certificate and load it into FileMaker Server
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <!-- /opt/homebrew/bin is where Homebrew on Apple Silicon installs certbot (see the shellenv step above); without it the job cannot find certbot -->
        <key>PATH</key>
        <string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin</string>
    </dict>
    <key>Label</key>
    <string>com.filemaker.fmcertrenew</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/usr/local/bin/fmcertrenew.sh</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>StartCalendarInterval</key>
    <array>
        <dict>
            <key>Hour</key>
            <integer>4</integer>
            <key>Minute</key>
            <integer>29</integer>
            <key>Weekday</key>
            <integer>6</integer>
        </dict>
    </array>
</dict>
</plist>
Adjust permissions
# sudo chown root:wheel /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist
load
# sudo launchctl load -w /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist
unload
# sudo launchctl unload /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist
Check whether it was loaded
# sudo launchctl list | grep com.filemaker
- 0 com.filemaker.httpd.graceful
- 0 com.filemaker.httpd.stop
92024 0 com.filemaker.fms
- 0 com.filemaker.httpd.start
- 0 com.filemaker.fmcertrenew
- 0 com.filemaker.httpd.restart