SSL certificates are a critical component of any web server: they encrypt traffic between the server and its clients so that the security of your data and the privacy of your users remain protected. FileMaker Server provides a unified method within the admin console to ensure that all connections are secure, whether those connections come from a FileMaker client, over WebDirect, or through a connector. However, FileMaker Server must be restarted to complete the SSL certificate installation for FileMaker client connections; this requirement makes automating certificate renewals more challenging.
In this technical blog post, we will explore a method for automating the installation of SSL certificates and accommodating the FileMaker Server restart requirement, following a renewal.
To kick off the installation process, we first need to know when a certificate has been renewed. In the Linux environment, we are using Certbot to issue and renew Let’s Encrypt certificates. Commands can be run at various stages of the renewal process using Certbot’s “hooks.” We will focus on the deploy hook, which only runs after a certificate has been successfully renewed.
The deploy hook is configured to create a flag file that indicates the certificate has been renewed and to set its permissions with this command:
chmod 777 /home/ubuntu/sslDeploy_true
The flag file is placed in a location and assigned permissions that allow jobs created by other users to read and modify the flag file, such as notify scripts. However, this can be adjusted by providing the chmod value that is appropriate for your environment.
Once we have the flag file indicating the certificate renewal, we can proceed with the installation process at a convenient time that minimizes disruptions. Cron is the most common method of scheduling jobs in Linux and is included in the Linux distributions supported by FileMaker Server. Cron jobs are written as a crontab rule that defines a schedule (or special event) when the job is triggered and the command to run.
An asterisk represents any/all in a crontab rule. This crontab rule runs the updateFMSCert.sh script at 3:00 AM every day and can be broken down as:
minute 0 / hour 3 / any day (month) / any month / any day (week)
0 3 * * * /root/updateFMSCert.sh
By comparison, a crontab rule that runs the same script at 12:00 AM on Sunday each week would be broken down as:
minute 0 / hour 0 / any day (month) / any month / day 7 (week)
0 0 * * 7 /root/updateFMSCert.sh
The script checks for the existence of the flag file at the beginning of its execution. If the flag file does not exist, the script simply exits, since there is no need to update the SSL certificate.
If the flag file exists, the script proceeds with the installation of the SSL certificate.
- The flag file is deleted to prevent the script from re-installing the certificate each time the job is run.
- The updated certificate is moved to the FileMaker Server CStore directory and the file permissions are set.
- The currently installed certificate is deleted using the FileMaker Server CLI (fmsadmin).
- The updated certificate is imported using fmsadmin.
- The databases are closed using fmsadmin. If there are active connections, a message is displayed and users are given two minutes before the databases will close.
- The script is paused to allow the databases to close. It is important that the pause exceeds the timeout specified during the close command; fmsadmin will return a result immediately after the command is run, and the script would proceed during the timeout.
- A system command is sent to restart the FileMaker Server service and the script is paused to allow the service time to restart.
- The database server is started using fmsadmin and the script is paused. If the database server is set to start automatically, this step will return an error but does not prevent the script from continuing.
- The databases are opened using fmsadmin.
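The procedure above as a script, added here as an illustration rather than the Codence updateFMSCert script itself. It assumes Certbot's standard live directory, the CStore path under /opt/FileMaker, and the fmshelper systemd unit for the FileMaker Server service; the host name, credentials and timeouts are placeholders to replace.

```shell
#!/bin/sh
# updateFMSCert.sh (illustrative): install a renewed certificate into FileMaker Server.
# Run from cron as root. Paths, unit name, host and credentials are assumptions.

FLAG_FILE="${FLAG_FILE:-/home/ubuntu/sslDeploy_true}"   # created by the Certbot deploy hook
FMS_HOST="example.codence.com"                           # must match the certificate subject
FMS_USER="FMSAdminConsoleUser"                           # keep this file readable by root only:
FMS_PASS="FMSAdminConsolePassword"                       # the credentials are stored in clear text
CERT_DIR="/etc/letsencrypt/live/$FMS_HOST"               # Certbot live directory (assumed)
CSTORE="/opt/FileMaker/FileMaker Server/CStore"          # FileMaker Server CStore (assumed)
CLOSE_TIMEOUT=120                                        # seconds users get before databases close
RESTART_WAIT=60                                          # seconds allowed for the service restart

# Succeeds (exit 0) only when a renewal is pending, i.e. the flag file exists.
renewal_pending() { [ -f "$1" ]; }

# Remove the flag first so the certificate is not re-installed on every run.
consume_flag() { rm -f "$1"; }

# Copy the renewed certificate and key into CStore, readable by root only.
stage_certificate() {
    src_dir="$1"; dest_dir="$2"
    cp "$src_dir/fullchain.pem" "$dest_dir/fullchain.pem" || return 1
    cp "$src_dir/privkey.pem"   "$dest_dir/privkey.pem"   || return 1
    chmod 600 "$dest_dir/fullchain.pem" "$dest_dir/privkey.pem"
}

# fmsadmin with the admin console credentials and confirmation prompts answered "yes".
fms() { fmsadmin "$@" -u "$FMS_USER" -p "$FMS_PASS" -y; }

main() {
    renewal_pending "$FLAG_FILE" || exit 0            # nothing renewed: leave quietly
    consume_flag "$FLAG_FILE"
    stage_certificate "$CERT_DIR" "$CSTORE" || exit 1
    fms certificate delete
    fms certificate import "$CSTORE/fullchain.pem" --keyfile "$CSTORE/privkey.pem"
    fms close -m "Installing a renewed SSL certificate; databases close in 2 minutes." \
              -t "$CLOSE_TIMEOUT"
    sleep $((CLOSE_TIMEOUT + 30))   # must exceed the close timeout: fmsadmin returns at once
    systemctl restart fmshelper     # FileMaker Server service unit name (assumed)
    sleep "$RESTART_WAIT"
    fms start server || true        # errors when the server auto-starts; not fatal
    sleep 30
    fms open
}

# Only run the installation when invoked as updateFMSCert.sh (e.g. from cron).
case "$0" in */updateFMSCert.sh) main "$@" ;; esac
```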
The updateFMSCert script, available on GitHub, is designed to be the most basic implementation of the automation process, prioritizing portability and ease of use. Its simplicity allows users to quickly grasp the functionality and implement the script with minimal effort. While the script can be used as-is, it is better suited as a foundation for customization, empowering users to tailor and expand upon the script to suit their specific needs.
A supporting installation script is available to streamline the configuration further. This script downloads the updateFMSCert script, creates the deploy-hook, and configures the crontab rule to run at 3:00 AM each day. When using the installation script, the configuration required is limited to updating the updateFMSCert script with the admin console credentials and the server’s fully-qualified domain name.
The installation script must be run as sudo. This is necessary to place the update script in a location that does not expose credentials to additional users and to configure the crontab rule. The script can be downloaded and run using the following commands. As with any script downloaded from the internet, you should review the script before running it with elevated privileges.
# wget https://raw.githubusercontent.com/Codence-Developers/codence-blog/main/installUpdateFMSCert.sh -O installUpdateFMSCert.sh && chmod +x installUpdateFMSCert.sh
# sudo ./installUpdateFMSCert.sh -h example.codence.com -u FMSAdminConsoleUser -p FMSAdminConsolePassword
# rm installUpdateFMSCert.sh
Make sure to set the script options -h (the fully qualified domain name of the server), [-u fms_user], and [-p fms_pass] (the FileMaker Server admin console credentials). The domain name used must be valid and should match the subject of your SSL certificate.
By automating SSL certificate installations in Claris FileMaker Server, you can ensure the security of your connections while saving time and minimizing manual errors. Stay tuned for more informative articles and tutorials as we explore ways to optimize your Claris FileMaker experience.
Justin is an alumnus of 42 Silicon Valley, founding his own company with fellow students to develop software solutions for service industry workers. His greatest passion is finding a creative solution to any problem that someone has declared can’t be solved.