Problem installing certificate for FileMaker with LE64

I'm trying to install an SSL certificate on my FileMaker Server that I use for my own purposes. I get this error (log):


Windows PowerShell transcript start
Start time: 20220920202329
Username: DESKTOP-VP5A81L\User
RunAs User: DESKTOP-VP5A81L\User
Configuration Name:
Machine: DESKTOP-VP5A81L (Microsoft Windows NT 10.0.19043.0)
Host Application: C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
Process ID: 14584
PSVersion: 5.1.19041.1682
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682
BuildVersion: 10.0.19041.1682
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1


Transcript started, output file is C:\Program Files\FileMaker\SSL Renewal\SSL-Renewal.log
le64.exe : 2022/09/20 20:23:30 [ Crypt::LE client v0.38 started. ]
At C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1:140 char:1
+ & $le64Path $params
    + CategoryInfo          : NotSpecified: (2022/09/20 20:2...0.38 started. ]:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

2022/09/20 20:23:30 Loading an account key from C:\Program Files\FileMaker\SSL Renewal\account.key
2022/09/20 20:23:30 Loading a CSR from C:\Program Files\FileMaker\SSL Renewal\domain.csr
2022/09/20 20:23:32 Registering the account key
2022/09/20 20:23:33 The key is already registered. ID: 69300304
2022/09/20 20:23:33 Current contact details: info@.com
2022/09/20 20:23:34 Successfully saved a challenge file 'C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf.well-known\acme-challenge/fucbghkNq9Eu-LtIE_1e_bwmSel_UpIgxVBi8VAgaP4' for domain 'pp..com'
2022/09/20 20:23:46 Domain verification results for 'pp..com': error. 84.10.132.127: Fetching http://pp..com/.well-known/acme-challenge/fucbghkNq9Eu-LtIE_1e_bwmSel_UpIgxVBi8VAgaP4: Timeout during connect (likely firewall problem)
2022/09/20 20:23:46 Challenge file 'C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf.well-known\acme-challenge/fucbghkNq9Eu-LtIE_1e_bwmSel_UpIgxVBi8VAgaP4' has been deleted.
2022/09/20 20:23:46 All verifications failed


Windows PowerShell transcript end
End time: 20220920202346


Can anyone suggest a possible FIX?

Hi @topol2b4u, and welcome to the LE community forum :slight_smile:

You must have a working HTTP site in order to use HTTP-01 authentication.
See: Best Practice - Keep Port 80 Open - Let's Encrypt

2 Likes

Thank you for warm welcome :slight_smile:

I have a working general site that is itmtlaw.com and I want to have a subdomain pp.itmtlaw.com for the server. I forwarded pp.itmtlaw.com to my IP where my server is, is that wrong?

1 Like

That's not wrong.
But it seems the entire Internet doesn't have access to your site: http://pp.itmlaw.com
I get:
*** 8.8.8.8 can't find pp.itmlaw.com: Non-existent domain

Please explain:

1 Like

I changed my IPv4 protocol to my server IP, then my router is set to forward any incoming traffic from ports 80 and 443 to the actual server where FileMaker Server is on. It worked in the past when I used my iMac as FileMaker Server, but recently I moved to Windows and I make it work.

So do you think that my forwarding to the IP is wrong, that my router is likely not forwarding traffic to the actual server, or that something else is wrong?

Typo, Rudy. It is: pp.itmTlaw.com

Still, the domain name exists but nothing replies to requests. It looks like all ports are protected by a firewall perhaps.

2 Likes

Check the IP on the Windows system.
And make sure the router is forwarding to that IP.

2 Likes

I get:

curl -Ii http://pp.itmtlaw.com/
curl: (56) Recv failure: Connection reset by peer

curl -Ii https://pp.itmtlaw.com/
curl: (7) Failed to connect to pp.itmtlaw.com port 443: Connection timed out
1 Like

So this is my IP Config:

Windows IP Configuration


Unknown adapter Połączenie lokalne:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : chello.pl
   Link-local IPv6 Address . . . . . : fe80::a0e4:6c06:a8e8:2baa%18
   IPv4 Address. . . . . . . . . . . : 192.168.0.117
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Połączenie lokalne* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Połączenie lokalne* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Połączenie sieciowe Bluetooth:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

C:\Users\User>

This is my forwarding from pp.itmtlaw.com to the IP address (DNS record at the registrar):

| Subdomain | Record | Target |
| --- | --- | --- |
| pp.itmtlaw.com | to server (ipv4 - A) | 84.10.124.148 |

& This is my forwarding in my router:

| Local IP | External ports | Internal ports | Protocol |
| --- | --- | --- | --- |
| 192.168.0.117 | 591-591 | 591-591 | BOTH |
| 192.168.0.117 | 80-80 | 80-80 | BOTH |
| 192.168.0.117 | 16000-16003 | 16000-16003 | BOTH |
| 192.168.0.117 | 443-443 | 443-443 | BOTH |

Am I missing anything?

BTW I turned on the server now, it was off so you might have got no connection 30 mins ago. Sorry.

I am puzzled by this:

Because the public IP in DNS is below and that does not respond to HTTP(S) requests. So, how does that forwarding work, exactly?

nslookup pp.itmtlaw.com
Address: 84.10.132.127
2 Likes

I changed the IP earlier today from 84.10.132.127 to 84.10.124.148, as on my iMac (same router) the IP was ...127 and on my PC the IP is ...148. Is it possible that it hasn't updated yet with the provider and that is the issue?

No. I checked the authoritative DNS servers at your registrar (ovh) and they show the .127 address. You should check the place you updated the IP again.

You can check the authoritative servers with a tool like this:
unboundtest.com

2 Likes
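The two things this thread had to get right before HTTP-01 could pass were the authoritative A record and a reachable `/.well-known/acme-challenge/` on port 80. The following pre-flight check is an added PowerShell example, not code from GetSSL.ps1 or Crypt::LE; the hostname, expected IP and HTTPServer\conf web root are taken from the thread, while using the zone's first NS server and a 15-second timeout are assumptions.

```powershell
# Added example: pre-flight checks for HTTP-01 before invoking le64.exe.
# Hostname, expected IP and web root are quoted from the thread; everything else is assumed.
param(
    [string]$Hostname   = 'pp.itmtlaw.com',
    [string]$ExpectedIp = '84.10.124.148',
    [string]$WebRoot    = 'C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf'
)
$ErrorActionPreference = 'Stop'

# 1. Ask the zone's authoritative name servers, not the local resolver, so a cached or
#    never-updated record at the registrar shows up here instead of at the CA.
#    Assumption: the zone is the parent of the host label (pp.itmtlaw.com -> itmtlaw.com).
$zone = ($Hostname -split '\.', 2)[1]
$ns   = (Resolve-DnsName -Name $zone -Type NS -DnsOnly).NameHost | Select-Object -First 1
$a    = (Resolve-DnsName -Name $Hostname -Type A -Server $ns -DnsOnly).IPAddress
if ($a -notcontains $ExpectedIp) {
    throw "Authoritative A record for $Hostname is '$($a -join ',')' (via $ns), expected $ExpectedIp"
}

# 2. Drop a throw-away token where the ACME client writes the real challenge file and
#    fetch it over plain HTTP through the public name: this exercises DNS, the port-80
#    forward and the web server's .well-known handling in one request.
$token = [guid]::NewGuid().ToString('N')
$dir   = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file  = Join-Path $dir $token
Set-Content -Path $file -Value $token -NoNewline
try {
    $resp = Invoke-WebRequest -Uri "http://$Hostname/.well-known/acme-challenge/$token" `
                              -UseBasicParsing -TimeoutSec 15
    if ($resp.Content.Trim() -ne $token) {
        throw "Challenge path answered but served unexpected content: '$($resp.Content)'"
    }
    Write-Output "HTTP-01 pre-flight OK: $Hostname -> $ExpectedIp serves /.well-known/acme-challenge/"
} finally {
    # Never leave the probe file behind in the web root.
    Remove-Item -Path $file -ErrorAction SilentlyContinue
}
```

From inside the LAN the fetch depends on the router supporting NAT loopback, which not every model does, so a failure here should be confirmed from an outside host (as the helpers did with curl) before changing anything.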

OK, I deleted the forwarding and created a new one on OVH. Something seems to work now, but there is a new 'error' after "Comparing private key files". Is it supposed to happen, or is there another issue?

Transcript started, output file is C:\Program Files\FileMaker\SSL Renewal\\SSL-Renewal.log
le64.exe : 2022/09/20 22:14:15 [ Crypt::LE client v0.38 started. ]
At C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1:140 char:1
+ & $le64Path $params
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (2022/09/20 22:1...0.38 started. ]:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

2022/09/20 22:14:15 Loading an account key from C:\Program Files\FileMaker\SSL Renewal\account.key
2022/09/20 22:14:15 Loading a CSR from C:\Program Files\FileMaker\SSL Renewal\domain.csr
2022/09/20 22:14:17 Registering the account key
2022/09/20 22:14:17 The key has been successfully registered. ID: 740686267
2022/09/20 22:14:17 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf
2022/09/20 22:14:17 Current contact details: info@__.com
2022/09/20 22:14:18 Successfully saved a challenge file 'C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf\.well-known\acme-challenge\/oLIddWn7XGaiVTUZ4NYPaKlY3bzm7lbns_GC6veVTaI' for domain 'pp._-.com'
2022/09/20 22:14:20 Domain verification results for 'pp.itmtlaw.com': success.
2022/09/20 22:14:20 Challenge file 'C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf\.well-known\acme-challenge\/oLIddWn7XGaiVTUZ4NYPaKlY3bzm7lbns_GC6veVTaI' has been deleted.
2022/09/20 22:14:20 Requesting domain certificate.
2022/09/20 22:14:21 Requesting issuer's certificate.
2022/09/20 22:14:21 Saving the full certificate chain to C:\Program Files\FileMaker\SSL Renewal\certificate.pem.
2022/09/20 22:14:21 The job is done, enjoy your certificate!
Comparing private key files
Get-Content : Cannot find path 'C:\Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem' because it does not exist.
At C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1:164 char:80
+ ... Get-Content $keyPath) -DifferenceObject $(Get-Content $liveKeyPath)){
+                                               ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program File...e\serverKey.pem:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

Compare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null.
At C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1:164 char:78
+ ... Get-Content $keyPath) -DifferenceObject $(Get-Content $liveKeyPath)){
+                                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Compare-Object], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObjectCommand

writing
out
intermediary

The problem "comparing" the keys is because this one does not exist. I am not an expert at le64, so I can't help other than to point this out. Hopefully another volunteer will have better insights.

3 Likes

Thank you anyway. You were really helpful! :slight_smile:

2 Likes

What is the complete le64.exe command (or batch/script file) being run?

2 Likes

To run it I use

.\GetSSL.ps1

This is where it got le64.exe from : Releases · do-know/Crypt-LE · GitHub

and this is where the manual how to use it is: Downloads - Blue Feather

Edit:

I've tried to install it manually on FileMaker Server website and it seemed to install it successfully, however now I can see that the certificate "(STAGING) Pretend Pear X1 certificate is not trusted" and the connection is not secure.

That GetSSL.ps1 file is outdated.
It contains:

Write-Output writing out intermediary
$intermediaryPath = $outPath + 'intermediary.pem';
$intermediaryContents = '-----BEGIN CERTIFICATE-----…-----END CERTIFICATE-----'

Which is an expired intermediate cert:

2 Likes

Ah, hardcoding intermediate certificates..

Never trust nor use an ACME client doing that..

3 Likes
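Rather than a hard-coded intermediary.pem, the post-issuance step can take the intermediate from the full chain that le64.exe already saved to certificate.pem (see the log above) and refuse an expired or non-linking chain. This is an added PowerShell example, not code from GetSSL.ps1 or Crypt::LE; the two paths are assumptions drawn from the thread.

```powershell
# Added example: build intermediary.pem from the CA-delivered chain instead of a blob
# baked into the script, and fail closed on an expired or broken chain. Paths are assumed.
param(
    [string]$ChainPath = 'C:\Program Files\FileMaker\SSL Renewal\certificate.pem',
    [string]$OutPath   = 'C:\Program Files\FileMaker\SSL Renewal\'
)
$ErrorActionPreference = 'Stop'

# Split the PEM bundle into individual certificates; ACME clients write the leaf first.
$pem    = Get-Content -Path $ChainPath -Raw
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----') |
          ForEach-Object { $_.Value }
if ($blocks.Count -lt 2) { throw "Expected a leaf plus at least one intermediate in $ChainPath" }

# Parse each PEM block into an X509Certificate2 (strip the armour lines and whitespace first).
$certs = $blocks | ForEach-Object {
    $der = [Convert]::FromBase64String((($_ -replace '-----[^-]+-----', '') -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

$now = Get-Date
for ($i = 0; $i -lt $certs.Count; $i++) {
    $c = $certs[$i]
    # An expired intermediate (the thread's failure) is caught here, as is a not-yet-valid leaf.
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        throw "Certificate '$($c.Subject)' is not valid now (NotBefore $($c.NotBefore), NotAfter $($c.NotAfter))"
    }
    # Each certificate must have been issued by the next one in the bundle.
    if ($i + 1 -lt $certs.Count -and $c.Issuer -ne $certs[$i + 1].Subject) {
        throw "Chain break: '$($c.Subject)' names issuer '$($c.Issuer)' but next cert is '$($certs[$i + 1].Subject)'"
    }
}

# Write only the intermediate(s) the CA actually delivered with this issuance.
$intermediaryPath = Join-Path $OutPath 'intermediary.pem'
(($blocks | Select-Object -Skip 1) -join "`n") | Set-Content -Path $intermediaryPath -Encoding Ascii
Write-Output "Chain OK: leaf '$($certs[0].Subject)' issued by '$($certs[1].Subject)', leaf expires $($certs[0].NotAfter)"
```

The same issuer/subject check also makes a staging issuer such as "(STAGING) Pretend Pear X1" visible in the output before the chain is installed into FileMaker Server.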