Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: db.hydradesignlabs.com
I ran this command:
getSSL.ps1 from BlueFeather to generate the files, no errors reported, but FileMaker Server 19.6.2 still had its default cert installed. Then ran this to import the files from the cmd prompt:
fmsadmin certificate import "C:\Program Files\FileMaker\SSL Renewalintermediary.pem" --keyfile "C:\Program Files\FileMaker\SSL Renewalkey.pem" --intermediateCA "C:\Program Files\FileMaker\SSL Renewalintermediary.pem" -y
It produced this output:
The certificate [C:\Program Files\FileMaker\SSL Renewalintermediary.pem] has expired.
Error: 20630 (SSL certificate expired)
My web server is (include version): This is a FileMaker Server, 19.6.2
The operating system my web server runs on is (include version): Windows Server 2019 Datacenter
My hosting provider, if applicable, is: Azure VM
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): using le64.exe and downloaded a fresh version last week
I have tried deleting all of the Let's Encrypt generated files in between attempts, but still get the same results even though a new intermediate file gets generated each time.
If it contains no private keys, feel free to show it here.
Perhaps your system doesn't like non-RSA certs...
Well, looking at the cert history, the intermediate has been R3 the whole time, with the end-entity being a 4096-bit RSA key, so I don't think anything has changed in that regard and I think they're sticking with RSA.
Can you give a bit more detail on what this script is and what it's supposed to do?
And why you are trying to import some sort of "intermediate"?
I guess it's a bit unclear to me what exactly you're trying to do, as well as if this is some process you do regularly or if you're doing this to try to recover from some problem or move servers or something? Since it looks from your certificate history that you're creating certificates just fine. Though I have no familiarity with FileMaker, so maybe this all makes more sense to people that do.
A Claris FileMaker Server handles an SSL cert differently than most other servers where the certs get imported in the web server. Since FileMaker uses its own nginx server, the SSL certs need to be imported using its own tools.
The getSSL.ps1 script just manages that process. It gets a new cert using le64.exe, then renames the existing certs (if any), imports the SSL certs in FileMaker Server, then restarts the FileMaker service.
The cmd I mentioned is just a way to manually import the certs in case there was an issue with the automated process.
Here is the content of 'SSL Renewalintermediary.pem':
You should check if that intermediate is actually sent from the ACME server (which it ain't, I can tell you already) or hardcoded somewhere in your script or client, as that is an intermediate which hasn't been used for some time now.
Those script writers apparently have still not fixed their code. We helped someone with a similar problem last Sept
Thanks Osiris and MikeMcQ!
So how do I get/create the intermediate file?
I don't see the resolution in the other thread, it seems to just identify the issue. Can Let's Encrypt generate an intermediate file as well?
The intermediate(s) needed are included in the API response from Let's Encrypt, along with the certificate. It shouldn't be hardcoded into the script.
I assume you're using this program: GitHub - BlueFeatherGroup/FileMaker-LetsEncrypt-Win: A PowerShell script for fetching and renewing Let's Encrypt SSL certificates for FileMaker Server running on Windows Server.
It looks like this repository has been abandoned.
I haven't spent much time looking, but it appears somebody else has taken up maintenance of getSSL.ps1 here. Perhaps it will work better for you: GitHub - dansmith65/FileMaker-LetsEncrypt-Win: A PowerShell script for fetching and renewing Let's Encrypt SSL certificates for FileMaker Server running on Windows Server.
If you do manually need to get intermediates, they are always posted here: Chain of Trust - Let's Encrypt
But you shouldn't use them manually, as we have multiple online intermediates so you can't know ahead of time which we'll use.
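Added example (not part of the original thread and not code from getSSL.ps1): a PowerShell pre-flight check that splits a PEM chain into its certificates and flags any expired one before the file is handed to `fmsadmin certificate import`. The function names are hypothetical and the sample certificates are constructed at run time; it assumes .NET Framework 4.7.2 or later for `CertificateRequest`.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-PemCertificate {
    # Split PEM text into X509Certificate2 objects, one per CERTIFICATE block.
    param([Parameter(Mandatory)][string]$PemText)
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($PemText, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String($m.Groups[1].Value)
        [X509Certificate2]::new([byte[]]$der)
    }
}

function Test-PemChain {
    # One row per certificate, with an Expired flag evaluated at time $At.
    param([Parameter(Mandatory)][string]$PemText, [datetime]$At = (Get-Date))
    Get-PemCertificate -PemText $PemText | ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            NotAfter = $_.NotAfter
            Expired  = $At -gt $_.NotAfter
        }
    }
}

function New-SamplePem {
    # Constructed test input: a throwaway self-signed certificate as PEM text.
    param([string]$Subject, [datetimeoffset]$NotBefore, [datetimeoffset]$NotAfter)
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new($Subject, $rsa,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned($NotBefore, $NotAfter)
    $b64  = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

# Constructed chain: a current leaf followed by a stale "intermediate".
$now    = [datetimeoffset]::Now
$chain  = New-SamplePem 'CN=leaf.example.test' ($now.AddDays(-1)) ($now.AddDays(89))
$chain += New-SamplePem 'CN=Constructed Stale Intermediate' ($now.AddYears(-5)) ($now.AddYears(-2))

# Real use: Test-PemChain -PemText (Get-Content -Raw '<path to chain .pem>')
$report = Test-PemChain -PemText $chain
$report | Format-Table -AutoSize
if ($report.Expired -contains $true) {
    Write-Warning 'Chain contains an expired certificate; do not import it.'
}
```

Run against the file a script wrote, an expired row for the intermediate shows that the intermediate came from somewhere other than the current ACME response.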
Thank you - I'll definitely try this version.
Good find @mcpherrinm. It looks like it uses the intermediate chain provided by Let's Encrypt, so there should not be any need to look at Chain of Trust.
(formatted for readability)
Write-Output "Import certificate via fmsadmin: "
Invoke-FMSAdmin certificate, import,
I just used this version of getSSL.ps1 and although it did have a couple of errors at the end of the process, it successfully imported the certificates! The errors may just be that it did not wait long enough for the FileMaker services to start back up before testing them.
Thank you @mcpherrinm!
Next will be to wait and see how it manages the renewals.
Expired more than two years ago
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.