Koji Takeuchi, dotFMP Berlin 2021
In today’s rapidly evolving digital landscape, the need for secure server connections is paramount. SSL certificates play a crucial role in protecting data transmitted between clients and servers. However, managing SSL certificates for FileMaker Server—especially when considering the costs and renewal overhead—can be challenging. What if you could automate SSL certificate renewals and even get the certificates for free?
In this blog post, we’ll dive into Koji Takeuchi’s step-by-step presentation on how to automate the renewal of SSL certificates on FileMaker Server using Let’s Encrypt. You’ll learn about different tools, configuration techniques, and best practices for maintaining secure connections while minimizing both manual intervention and costs.
Menu
- Introduction to SSL Certificates for FileMaker Server
- Understanding Let’s Encrypt and Its Role in SSL
- Challenges in SSL Certificate Management
- What is DNS-01 Challenge and Why Use It?
- Necessary Tools and Libraries for Automation
- Step-by-Step Installation of Dehydrated and Certbot
- Understanding the Script for SSL Renewal Automation
- Deploying the SSL Certificate to FileMaker Server
- Scheduling the Renewal: Automating with Cron Jobs
- Final Considerations for FileMaker Server and SSL
Introduction to SSL Certificates for FileMaker Server
Securing FileMaker Server communication is critical, especially with increasing reliance on the internet for sharing and accessing data. SSL certificates offer a way to ensure that communication between the server and client is encrypted, preventing unauthorized access or data leakage.
Traditionally, acquiring and maintaining SSL certificates involves costs—both for the certificate itself and for the labor required to manage and renew it. However, Let’s Encrypt, a free and automated Certificate Authority (CA), provides a solution that eliminates both types of costs. With automation tools such as Certbot or Dehydrated, you can automate the entire certificate renewal process, removing the need for manual intervention every 90 days.
Understanding Let’s Encrypt and Its Role in SSL
Let’s Encrypt is a free and automated CA, which provides domain validation certificates for free. Its primary objective is to make web security more accessible by offering SSL/TLS certificates that are easily renewable. The certificates are trusted by major browsers and supported by a global community of security professionals.
Let’s Encrypt’s domain validation is done through either the HTTP-01 or DNS-01 challenge. While the HTTP challenge is simpler, it requires that the FileMaker server be accessible on the internet, which is not always feasible. Instead, the DNS-01 challenge allows domain validation without direct internet access to the server.
Key features of Let’s Encrypt include:
- Completely free SSL certificates.
- Supports wildcard domains (one certificate can cover multiple subdomains).
- Automated certificate management via tools like Dehydrated or Certbot.
- 90-day expiration period (with an automated renewal system in place, this is not an issue).
Challenges in SSL Certificate Management
SSL certificates generally require two types of cost:
- Monetary Cost: Traditional certificates can be expensive, especially when you consider premium certificates from providers like VeriSign or GeoTrust.
- Administrative Overhead: Certificates need to be manually renewed, installed, and managed, which consumes time and may result in downtime if not handled correctly.
With Let’s Encrypt, these costs can be avoided by automating the renewal process using command-line tools like Dehydrated and Certbot, which automatically generate and renew certificates.
However, one caveat is that Let’s Encrypt certificates expire after 90 days, compared to the 1-year lifespan of traditional SSL certificates. This short validity period means that automation is crucial to prevent lapses in SSL protection.
What is DNS-01 Challenge and Why Use It?
Let’s Encrypt supports two primary methods for domain validation:
- HTTP Challenge
The HTTP challenge involves placing a specific file on your server, and Let’s Encrypt verifies the domain by checking if it can access this file over the web. This method works if your FileMaker Server is publicly accessible and configured for HTTP/HTTPS. However, it’s not ideal if your server isn’t internet-facing or if your firewall settings prevent external traffic from reaching your server.
- DNS Challenge
The DNS challenge is more flexible. It involves adding a specific DNS TXT record that Let’s Encrypt can query to validate domain ownership. This method works even if your FileMaker Server isn’t publicly accessible. It is ideal for environments where the FileMaker Server is hosted on private networks or behind firewalls.
In Koji’s demos, the DNS challenge was used for its flexibility.
The DNS-01 challenge is one of the domain validation methods provided by Let’s Encrypt. It requires adding a DNS record that Let’s Encrypt can query to verify domain ownership. This method is particularly useful for servers that are not accessible via HTTP, such as a FileMaker Server sitting behind a firewall or a server that doesn’t have a public-facing web service.
Using the DNS-01 challenge with a DNS provider that supports API access (like AWS Route 53 or Gandi.net) allows for full automation of the certificate renewal process.
With DNS-01:
- Your FileMaker server doesn’t need to be exposed to the internet.
- DNS records are automatically managed via API integrations with supported DNS providers.
- It is the ideal method for wildcard certificates, covering multiple subdomains.
Necessary Tools and Libraries for Automation
To automate the SSL certificate generation and renewal process on a FileMaker Server, you will need the following tools:
- Dehydrated: A lightweight Let’s Encrypt client that handles certificate generation and renewal. It is highly flexible and can work with DNS-01 challenges.
- Certbot (Optional): Another popular Let’s Encrypt client, primarily for HTTP challenges, though it also supports DNS-01.
- Python 3 & Pip: Required for API access to DNS providers such as AWS Route 53 or Gandi.net.
- AWS CLI (if using AWS Route 53 for DNS): The AWS command-line interface is necessary for interacting with Route 53’s DNS API.
Required Commands for Installing Necessary Tools:
- Install Dehydrated:
sudo yum install dehydrated
- Install Python and Pip, then the Certbot Route 53 plugin:
sudo yum install python3-pip
pip3 install certbot-dns-route53
- Install the AWS CLI (if using Route 53) and configure your credentials:
sudo yum install awscli
aws configure
Ensure you have API keys for your DNS provider before proceeding with configuration.
Step-by-Step Installation of Dehydrated and Certbot
Once you have the required tools installed, you can proceed with setting up Dehydrated to handle SSL certificate renewals via the DNS-01 challenge. In this example, we use Route 53 as our DNS provider.
Steps for Initial Setup:
- Download and Configure Dehydrated:
  - Clone the Dehydrated repository:
git clone https://github.com/lukas2511/dehydrated.git
cd dehydrated
- Set Up the DNS Hook Script for Route 53:
  - Use the hook.sh file, which handles the interaction with AWS Route 53.
  - Example DNS hook command for AWS Route 53:
dehydrated --cron --hook ./hook.sh --domain fms.example.com --challenge dns-01
- Generate API Keys for Route 53:
  - Log in to AWS, create a new IAM user, and generate API keys. These keys will allow Dehydrated to update DNS records for your domain automatically.
- Store API Keys Securely:
  - The API keys are stored in a file or environment variable that the DNS hook script will use to authenticate with AWS Route 53.
Understanding the Script for SSL Renewal Automation
The primary shell script responsible for automating the SSL certificate renewal and deployment is wrapper_sslRenew.sh. This script automates the entire process, from generating the certificate to deploying it on the FileMaker Server.
Script Breakdown:
#!/bin/sh
# 2021.05.30, Koji Takeuchi
# Dehydrated SSL renewal script
# Trigger the Dehydrated client with DNS-01 challenge
dehydrated -c -d fms.example.com -t dns-01 --hook /etc/dehydrated/hook/route53.py
# Call the script to update the SSL on FileMaker Server
/usr/local/bin/sslUpdateOnFMS.sh
In this script:
- dehydrated -c: Runs the Dehydrated client in cron mode (checking if a renewal is required).
- -d fms.example.com: Specifies the domain for which to generate/renew the certificate.
- -t dns-01: Uses the DNS-01 challenge for domain validation.
- The --hook option specifies the script that interacts with the DNS API (in this case, AWS Route 53).
The script then calls sslUpdateOnFMS.sh to apply the certificate to FileMaker Server.
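The hook referenced in the setup steps and by the --hook option above is the piece the page does not show. The following is an added example of such a hook in POSIX shell, not the presenter's hook.sh or route53.py: it answers Dehydrated's deploy_challenge and clean_challenge events with Route 53 TXT records via the AWS CLI, and its deploy_cert branch runs sslUpdateOnFMS.sh only when a certificate was actually issued, so FileMaker Server is not restarted on every cron run. The hosted zone ID is a placeholder and the AWS CLI is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example hook for dehydrated + Route 53 (not the presenter's hook.sh or route53.py).
# dehydrated invokes it as "hook.sh <event> <args...>"; only three events need handling.
# Assumptions: HOSTED_ZONE_ID placeholder, AWS CLI on PATH (overridable via $AWS for tests).
set -u
AWS="${AWS:-aws}"
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZONEID_PLACEHOLDER}"
FMS_DEPLOY="${FMS_DEPLOY:-/usr/local/bin/sslUpdateOnFMS.sh}"

# Validation record name. ACME validates a wildcard at _acme-challenge.example.com,
# so a leading "*." is stripped in case the client passes it through.
challenge_record_name() {
  printf '_acme-challenge.%s' "${1#\*.}"
}

# Route 53 change batch for one TXT record; TXT data must itself be double-quoted,
# hence the escaped quotes around the token. $1 = UPSERT|DELETE, $2 = name, $3 = token.
txt_change_batch() {
  printf '{"Changes":[{"Action":"%s","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' "$1" "$2" "$3"
}

# Submit the change for $2's challenge record and print the change ID Route 53 returns.
route53_txt() {
  "$AWS" route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(txt_change_batch "$1" "$(challenge_record_name "$2")" "$3")" \
    --query 'ChangeInfo.Id' --output text
}

# Block until Route 53 reports INSYNC; otherwise Let's Encrypt may query an
# authoritative name server that has not received the TXT record yet.
wait_insync() {
  while [ "$("$AWS" route53 get-change --id "$1" --query 'ChangeInfo.Status' --output text)" != INSYNC ]; do
    sleep 5
  done
}

case "${1:-}" in
  # deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
  deploy_challenge) wait_insync "$(route53_txt UPSERT "$2" "$4")" ;;
  # clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE: remove the record again
  clean_challenge) route53_txt DELETE "$2" "$4" >/dev/null ;;
  # deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP: fires only
  # when a certificate was actually issued, so FileMaker Server restarts only then
  deploy_cert) "$FMS_DEPLOY" ;;
  *) ;;  # unchanged_cert, exit_hook and other events need no action
esac
```

The IAM user whose keys the hook uses only needs route53:ChangeResourceRecordSets on the one hosted zone plus route53:GetChange, which keeps a leaked key from touching anything else.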
Deploying the SSL Certificate to FileMaker Server
The next step is deploying the newly generated SSL certificates to FileMaker Server. This is handled by the sslUpdateOnFMS.sh script, which ensures the certificates are installed properly and restarts the necessary services.
Script Breakdown:
#!/bin/sh
# Script to deploy new SSL certificates to FileMaker Server
# Admin Console credentials passed to every fmsadmin call (replace the placeholders)
auth='-u USERNAME -p PASSWORD'
domain=fms.example.com
keyPath=/etc/dehydrated/certs   # where Dehydrated writes the issued certificates
tmpPath=/tmp/certs
# Create a private temporary directory for copying certificates
if [ ! -d "$tmpPath" ]; then
  mkdir "$tmpPath"
  chmod 700 "$tmpPath"
fi
# Copy the private key, leaf certificate and full chain to the temporary path
cp "${keyPath}/${domain}/privkey.pem" "$tmpPath/"
cp "${keyPath}/${domain}/cert.pem" "$tmpPath/"
cp "${keyPath}/${domain}/fullchain.pem" "$tmpPath/"
# Delete the existing certificate, then close all hosted databases (-f forces, -y skips the prompt)
fmsadmin certificate delete -y $auth
fmsadmin close -f -y $auth
# Restart FileMaker Server, give it time to come up, then import the new certificate
# (the full chain is supplied as the intermediate CA file)
service fmshelper restart
sleep 10
fmsadmin certificate import -y --keyfile "${tmpPath}/privkey.pem" --intermediateCA "${tmpPath}/fullchain.pem" "${tmpPath}/cert.pem" $auth
service fmshelper restart
# Clean up temporary files
rm -rf "${tmpPath}"
- Delete and Restart: The existing certificates are removed before the new ones are installed.
- Import the Certificates: The fmsadmin certificate import command is used to import the new certificates.
- Restart Services: Finally, the FileMaker Server and admin services are restarted to apply the changes.
Scheduling the Renewal: Automating with Cron Jobs
To ensure the SSL certificates are renewed and applied periodically without manual intervention, you can schedule the process using cron jobs.
Example Cron Job:
0 4 1 */2 * /usr/local/bin/wrapper_sslRenew.sh
This cron job will run every two months at 4:00 AM on the first day of the month, ensuring that SSL certificates are automatically renewed and deployed without any downtime.
- 0 4 1 */2 *: Runs the job at 4:00 AM on the 1st day of every second month.
- /usr/local/bin/wrapper_sslRenew.sh: Calls the script responsible for renewing and deploying SSL certificates.
Final Considerations for FileMaker Server and SSL
When deploying SSL certificates on FileMaker Server, there are a few final points to consider:
- Downtime: Restarting the FileMaker Server can cause a brief period of downtime (typically less than a minute). This is necessary to apply the new certificates.
- Server Resources: Ensure your server has adequate resources, especially if running on low-tier cloud instances, as SSL operations can be resource-intensive.
- Migration to Ubuntu: If you are using CentOS, be aware that newer versions of FileMaker Server will require migration to Ubuntu Linux for continued support.
By automating SSL certificate renewals with Let’s Encrypt and Dehydrated, you can significantly improve the security and reliability of your FileMaker Server without the burden of manual certificate management.
Koji’s presentation shows how powerful automation can be when managing SSL certificates on FileMaker Server. By using tools like Certbot and Dehydrated, you can ensure your server remains secure with minimal effort and no recurring certificate costs.
Whether you’re using Gandi.net, AWS Route 53, or another DNS provider, the key takeaway is that Let’s Encrypt’s free SSL certificates, combined with automation, provide a scalable and efficient solution for securing your FileMaker Server.
As Koji suggested, while his demos were done on CentOS, the same process can be easily adapted to Ubuntu, which will be the recommended Linux distribution for future versions of FileMaker Server.
For those looking to implement these changes, all of the commands, scripts, and instructions will be available on the dotFMP website. This method not only saves you money but also ensures that your SSL certificates are always up to date, providing continuous secure connections for your FileMaker Server deployments.