Effect of --webroot (FileMaker FM Mac)

(certbot 2.6.0)

I ran (on macOS Monterey)

# certbot certonly -domain myhost.ddnss.de

and it put the pem files nicely in /etc/letsencrypt. I then offered these certificates to FM and they now can be seen as registered into FileMaker (19 is the version).

It was a bit problematic to reach the /etc/letsencrypt directories/symbolic links from within the filemaker admin session. Maybe because of access permissions of the actual files. So I copied them into the administrating user's home directory in a certs subdirectory from where the installer picked them up. I'm not understanding right now how FM admins its certs.

So my idea was to try to fetch the certs using the --webroot option.

fm:~ root# certbot certonly --webroot -w /Library/FileMaker\ Server/HTTPServer/htdocs -d myhost.ddnss.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/myhost.ddnss.de.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): c
Operation canceled. You may re-run the client.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
fm:~ root# 
fm:~ root# exit

Apart from not wanting to override an already issued cert, how else could I change the behaviour
such that I put the certs into the webroot myself, and if so, where are they put there? In a subdirectory?

Using the --dry-run option with the above command didn't give a hint where the certs were about to be put.

I'm not sure you fully grasp the workings here. You already got the certificate issued if I read the first part correctly. But you're having trouble with permissions to the already acquired certs.

The webroot is something for the challenge to get a certificate issued in the first place. But as you already have an issued certificate, I'm puzzled why you're trying to do something related to the webroot. You'd end up in the same situation as when using whatever you used in the first place: it won't make a difference regarding the symlinks/files in /etc/letsencrypt/.

If FM requires the certs in a different location and with different owner/permissions, I'd recommend writing a specific script for your situation and using a --deploy-hook to run that script after each renewal.

You can find the Certbot User Guide here: User Guide — Certbot 2.6.0 documentation

Recommended reading topics are:

  • generic use of Certbot;
  • authenticator plugins, especially regarding webroot (what is it and what does it do);
  • --deploy-hook.

Also, I'm puzzled why you'd like to have a certificate in the webroot to begin with. Especially if you'd put the private key there. That would be a BIG security issue, as the whole world wide web would be able to access the private key! Which is BAD.. (And a reason for certificate revocation..)

And another "also": why would FileMaker require a Let's Encrypt certificate anyway? Let's Encrypt domain validation certs are not able to sign code/apps.

5 Likes
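As an added illustration of the --deploy-hook approach suggested above (this is example code, not anything from the thread or from Certbot/FileMaker), here is a small POSIX shell script that copies the renewed files out of certbot's live directory into a private directory for the FileMaker admin user, with the private key kept owner-readable only. Certbot really does export RENEWED_LINEAGE (the lineage's live directory) and RENEWED_DOMAINS to deploy hooks; the destination /Users/fmadmin/certs, the FM_CERT_DIR override and the function names are assumptions. Note that the webroot is only ever used for the challenge files under .well-known/acme-challenge/; the certificate and key are never written into it, which is exactly why a hook like this is needed.

```shell
#!/bin/sh
# Example certbot deploy hook (added example, not from the thread):
# copy the renewed chain and key into a directory FileMaker's admin user can read.
set -eu

# deploy_certs SRC_LINEAGE DEST_DIR
#   SRC_LINEAGE: certbot's live/<name> directory (passed to hooks as $RENEWED_LINEAGE)
#   DEST_DIR:    where FileMaker should pick the files up (assumed path, see below)
deploy_certs() {
    src="$1"
    dst="$2"
    umask 077                          # anything we create is owner-only by default
    mkdir -p "$dst"
    chmod 700 "$dst"                   # the directory itself is private to its owner
    # Entries in live/ are symlinks into archive/; cp -L follows them so real files land in $dst,
    # which avoids the "can't reach the symlink target" permission problem from the original post.
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem"
    cp -L "$src/privkey.pem"   "$dst/privkey.pem"
    chmod 644 "$dst/fullchain.pem"     # the chain is public information
    chmod 600 "$dst/privkey.pem"       # the key must stay private
}

# key_is_private DEST_DIR
#   Succeeds only if privkey.pem in DEST_DIR has mode exactly 0600 (a quick post-deploy check).
key_is_private() {
    [ -n "$(find "$1/privkey.pem" -perm 600 2>/dev/null)" ]
}

# When run by certbot, RENEWED_LINEAGE is set; when sourced for testing it is not.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # FM_CERT_DIR and the default path are assumptions for this example.
    deploy_certs "$RENEWED_LINEAGE" "${FM_CERT_DIR:-/Users/fmadmin/certs}"
    key_is_private "${FM_CERT_DIR:-/Users/fmadmin/certs}"
    # Assumed follow-up steps for a real setup: chown the files to the FM admin user and
    # trigger the FileMaker certificate import / service restart here.
fi
```

Save it somewhere root-owned and executable (for example /usr/local/sbin/fm-deploy.sh), then either pass it as `certbot renew --deploy-hook /usr/local/sbin/fm-deploy.sh` or drop it into /etc/letsencrypt/renewal-hooks/deploy/ so every renewal runs it. Because the script copies rather than re-symlinks, the FileMaker side only ever sees plain files with the permissions set here, and nothing touches the web-served htdocs directory.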

Thanks. Your remarks on use of webroot are now understood.

There are some recipes also here on this site how to run FM server using a LE cert.

1 Like

In terms of the "what to do to make FileMaker use the certificates after they're updated" question, this is probably going to be the most relevant one!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.