Intermediate Expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: db.hydradesignlabs.com

I ran this command:
getSSL.ps1 from BlueFeather to generate the files, no errors reported, but FileMaker Server 19.6.2 still had its default cert installed. Then ran this to import the files from the cmd prompt:

fmsadmin certificate import "C:\Program Files\FileMaker\SSL Renewalintermediary.pem" --keyfile "C:\Program Files\FileMaker\SSL Renewalkey.pem" --intermediateCA "C:\Program Files\FileMaker\SSL Renewalintermediary.pem" -y

It produced this output:
The certificate [C:\Program Files\FileMaker\SSL Renewalintermediary.pem] has expired.
Error: 20630 (SSL certificate expired)

My web server is (include version): This is a FileMaker Server, 19.6.2

The operating system my web server runs on is (include version): Windows Server 2019 Datacenter

My hosting provider, if applicable, is: Azure VM

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): using le64.exe and downloaded a fresh version last week

I have tried deleting all of the Let's Encrypt generated files in between attempts, but still get the same results even though a new intermediate file gets generated each time.

What is?:

If it contains no private keys, feel free to show it here.

Perhaps your system doesn't like non-RSA certs...

2 Likes

Well, looking at the cert history, the intermediate has been R3 the whole time, with the end-entity being a 4096-bit RSA key, so I don't think anything has changed in that regard and I think they're sticking with RSA.

Can you give a bit more detail on what this script is and what it's supposed to do?

And why you are trying to import some sort of "intermediate"?

I guess it's a bit unclear to me what exactly you're trying to do, as well as if this is some process you do regularly or if you're doing this to try to recover from some problem or move servers or something? Since it looks from your certificate history that you're creating certificates just fine. Though I have no familiarity with FileMaker, so maybe this all makes more sense to people that do.

5 Likes

A Claris FileMaker Server handles an SSL cert differently than most other servers where the certs get imported in the web server. Since FileMaker uses its own nginx server, the SSL certs need to be imported using its own tools.

The getSSL.ps1 script just manages that process. It gets a new cert using le64.exe, then renames the existing certs (if any), imports the SSL certs in FileMaker Server, then restarts the FileMaker service.

The cmd I mentioned is just a way to manually import the certs in case there was an issue with the automated process.

Here is the content of 'SSL Renewalintermediary.pem'

1 Like

You should check if that intermediate is actually sent from the ACME server (which it ain't, I can tell you already) or hardcoded somewhere in your script or client. As that is an intermediate which hasn't been used for some time now.

4 Likes

Those script writers apparently have still not fixed their code. We helped someone with a similar problem last Sept

7 Likes

Thanks Osiris and MikeMcQ!

So how do I get/create the intermediate file?

2 Likes

I don't see the resolution in the other thread, it seems to just identify the issue. Can Let's Encrypt generate an intermediate file as well?

The intermediate(s) needed are included in the API response from Let's Encrypt, along with the certificate. It shouldn't be hardcoded into the script.

I assume you're using this program: GitHub - BlueFeatherGroup/FileMaker-LetsEncrypt-Win: A PowerShell script for fetching and renewing Let's Encrypt SSL certificates for FileMaker Server running on Windows Server.
It looks like this repository has been abandoned.

I haven't spent much time looking, but it appears somebody else has taken up maintenance of getSSL.ps1 here. Perhaps it will work better for you: GitHub - dansmith65/FileMaker-LetsEncrypt-Win: A PowerShell script for fetching and renewing Let's Encrypt SSL certificates for FileMaker Server running on Windows Server.

If you do manually need to get intermediates, they are always posted here: Chain of Trust - Let's Encrypt
But you shouldn't use them manually, as we have multiple online intermediates so you can't know ahead of time which we'll use.

9 Likes
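
A pre-import check for the situation described above, as an added example (not part of any post in this thread and not code from either getSSL.ps1 repository). It splits a PEM file into its certificates and reports, for each one, whether it has expired and whether its issuer name matches the subject of the next certificate in the file. The function name `Test-PemChain` and the path in the usage comment are hypothetical.

```powershell
# Added example: inspect a PEM chain file before handing it to fmsadmin.
# Reports expiry and chain order for every certificate found in the file.
function Test-PemChain {
    param(
        [Parameter(Mandatory)] [string] $Path,   # PEM file to inspect
        [datetime] $Now = (Get-Date)             # overridable reference time
    )

    $pem     = Get-Content -LiteralPath $Path -Raw
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'

    # Decode each PEM block (FromBase64String ignores the line breaks).
    $certs = @(foreach ($m in [regex]::Matches($pem, $pattern)) {
        $der = [Convert]::FromBase64String($m.Groups[1].Value)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    })
    if ($certs.Count -eq 0) { throw "No certificates found in $Path" }

    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]

        # Name comparison only: this shows ordering problems and stale
        # intermediates, it does not verify signatures.
        $issuedByNext = $null
        if ($i + 1 -lt $certs.Count) {
            $issuedByNext = ($c.Issuer -eq $certs[$i + 1].Subject)
        }

        [pscustomobject]@{
            Position     = $i
            Subject      = $c.Subject
            Issuer       = $c.Issuer
            NotAfter     = $c.NotAfter
            Expired      = ($c.NotAfter  -lt $Now)
            NotYetValid  = ($c.NotBefore -gt $Now)
            IssuedByNext = $issuedByNext
        }
    }
}

# Usage (placeholder path):
# Test-PemChain -Path 'C:\path\to\fullchain.pem' | Format-Table -AutoSize
```

Any row with `Expired = True`, or a leaf whose `Issuer` does not match the subject of the intermediate being imported, points to a stale or hardcoded intermediate rather than the chain returned with the certificate.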

Thank you - I'll definitely try this version.

3 Likes

Good find @mcpherrinm. It looks like it uses the intermediate chain provided by Let's Encrypt, so there should not be any need to look at Chain of Trust.

(formatted for readability)

Write-Output "Import certificate via fmsadmin: "
Invoke-FMSAdmin certificate, import,
    """$($certObj.CertFile)""",
    --intermediateCA,
    """$($certObj.FullChainFile)""", -y

5 Likes

I just used this version of getSSL.ps1 and although it did have a couple of errors at the end of the process, it successfully imported the certificates! The errors may just be that it did not wait long enough for the FileMaker services to start back up before testing them.

Thank you @mcpherrinm!

Next will be to wait and see how it manages the renewals.

4 Likes


Expired more than two years ago :frowning:

3 Likes

Not any more :slight_smile:

5 Likes
