Unable to get a Certificate using current FileMaker Server

Hello!

I've been around the block with Claris tech support and they finally said "ask Let's Encrypt" what is going on so...

I am running FileMaker Server 2025 (version 22.0.4.427) on macOS 15.7.3. I currently have a custom cert, but need to move to getting a Let's Encrypt cert within the next few months (for )

According to Claris' documentation, the requirements to make this work seem simple enough: ClarisPKB

"To use Let's Encrypt with FileMaker Server, you must meet the following requirements:

  • FileMaker Server 2025
  • HTTP site hosted on a public server
  • Public domain name for the server
  • Ports 80 and 443 open"

I am able to use their webadmin apps to "Test Validation" of my FQDN server successfully. I can "curl -I -m7 (http and https)" of my server and get the correct information back. I can "nmap -Pn (server)" and it tells me ports 80 and 443 are open.

But any time I actually request the LE certificate, I get this:

"Certificate Request Failed: "Failure / timeout verifying challenge passed""

Claris did pass on this test website: https://letsdebug.net/ -- but that fails.

I'm sort of stumped here. I appear to be meeting the (simple) requirements to obtain an LE certificate -- but unfortunately there are no FileMaker logs that are telling me what is failing.

Is there anything painfully obvious that I'm missing here? Claris's KB is extremely simple in what should be done and what should work -- but it's not. Are they missing a step that I need to be following somewhere?

Thanks!

It's going to be hard for people to validate connections to your domain without knowing the domain name. But it sounds like your port 80 isn't actually open to the world even though you think it is, especially if that's what Let's Debug is telling you.

5 Likes

When testing port 80 and port 443 access, be sure to do so from the Internet [from outside your local/internal network].

3 Likes

I had a friend in another state test that they are able to get to the server via http and https

My hostname is fms.dsc.umich.edu if you want to see from your end? That's what's throwing me off. My firewall admins don't see anything weird on my end with the ports being blocked, etc.

I think you have a Palo Alto brand firewall blocking ACME HTTP Challenge requests.

We have seen this a lot over time. See this thread which explains the remedy. It even happens to be someone using FileMaker (although this is not specific to that). Test Validation Works, Cert Request Fails in FileMaker Pro - #4 by MikeMcQ

These two requests demonstrate it:

# Works as expected
curl -i -m5 http://fms.dsc.umich.edu/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Date: Wed, 04 Feb 2026 20:28:43 GMT
Server: Apache

# Fails with a user-agent string similar to Let's Encrypt servers
curl -i -m5 http://fms.dsc.umich.edu/.well-known/acme-challenge/Test404 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Operation timed out after 5001 milliseconds with 0 bytes received
4 Likes
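The curl pair above is the whole diagnostic: same URL, same path, only the User-Agent differs, and only the Let's Encrypt-looking request dies. The script below is an added example (not from the original post, not Claris or Let's Encrypt code) that runs that comparison and classifies the outcome. It assumes a placeholder hostname, that the filter keys on the "Let's Encrypt" marker rather than an exact UA match, and that a 404 from the web server counts as "reachable". One caveat the script cannot remove: Let's Encrypt validates from several vantage points, so a clean result from one network does not rule out geoblocking on another.

```python
"""Added diagnostic: probe an HTTP-01 challenge URL with and without a
Let's Encrypt-style User-Agent, as the curl pair in the thread does, and
classify the result. Assumptions: the hostname is a placeholder, and the
User-Agent only needs to resemble the validator's, not match it exactly."""
import socket
import urllib.error
import urllib.request

# UA shaped like the one in the thread's curl test (assumption: the
# middlebox keys on the "Let's Encrypt" marker, not on an exact string).
LE_LIKE_UA = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
              "+https://www.letsencrypt.org)")
PLAIN_UA = "curl/8.0"

# Any token works for a reachability probe: a 404 from the web server still
# proves the request arrived, which is what we want to distinguish from a drop.
PROBE_PATH = "/.well-known/acme-challenge/Test404"


def http_fetch(url, user_agent, timeout=5.0):
    """Return the HTTP status code, or None if the request was dropped or timed out."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # 404/403/etc. still means a server answered
    except (urllib.error.URLError, socket.timeout, OSError):
        return None                # connect failure, timeout, reset


def diagnose(hostname, fetch=http_fetch):
    """Compare a plain request with a Let's Encrypt-looking one and explain the difference."""
    url = f"http://{hostname}{PROBE_PATH}"
    plain = fetch(url, PLAIN_UA)
    le_like = fetch(url, LE_LIKE_UA)
    if plain is None and le_like is None:
        verdict = "unreachable: port 80 is not open from this vantage point"
    elif plain is not None and le_like is None:
        verdict = ("user-agent filtering: something between the Internet and the "
                   "web server drops Let's Encrypt-style requests")
    elif plain is None and le_like is not None:
        verdict = "inconsistent: only the Let's Encrypt-style probe answered; retest"
    else:
        verdict = ("no user-agent filtering from here; check geoblocking, DNS and "
                   "the vhost serving /.well-known/acme-challenge/")
    return {"url": url, "plain_status": plain, "le_like_status": le_like, "verdict": verdict}


if __name__ == "__main__":
    import sys
    result = diagnose(sys.argv[1] if len(sys.argv) > 1 else "fms.example.test")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it from outside your own network (`python3 probe.py your.host.example`), since a test from the inside of the firewall proves nothing about what the validators see. The `fetch` parameter exists so the classification can be exercised without network access.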

Interesting -- let me reach out to the firewall team on my end and see what they say. Thanks!

3 Likes

So we made that "ACME Protocol" change to the firewall appliance and now https://letsdebug.net/ works as expected (I'll try my cert renewal tonight or this weekend.)

Our firewall team had a question, though. Does Let's Encrypt have a specific set of source IPs we can set on the firewall so that 80/443 are not fully open to the world, but just open for these certificate requests/renewals?

1 Like

Let's Encrypt does not publish a list of IP addresses used by its validation servers (currently 5 different centers world-wide with rotating IPs).

You only need to allow URIs of the form /.well-known/acme-challenge/(token) on port 80. Any other inbound requests can be blocked or, perhaps better, redirected to 443.

You don't need to open anything different inbound on port 443 to satisfy an HTTP challenge unless you redirect the original HTTP request to port 443. That is under your control at your server.

Alternatively, there is a DNS Challenge which does not require any HTTP request inbound but has its own security concerns given you use a security token to update DNS records (adding and deleting TXT records).

This explains the multi-perspective validation in detail: Multi-Perspective Validation & Geoblocking FAQ

4 Likes
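The policy in the reply above (serve only /.well-known/acme-challenge/<token> on port 80, send everything else to 443) is small enough to write down exactly. The responder below is an added example, not code from the original thread, Claris or Let's Encrypt, and not what FileMaker Server's bundled Apache does. It assumes a placeholder hostname and an in-memory table standing in for the files an ACME client writes into its challenge directory. The token pattern is the URL-safe base64 alphabet that RFC 8555 section 8.3 specifies, which is why path traversal and query strings never match and simply fall through to the redirect.

```python
"""Added example: a port-80 responder that answers only
/.well-known/acme-challenge/<token> and redirects everything else to HTTPS.
Assumptions: SERVER_NAME is a placeholder; CHALLENGES stands in for whatever
files the ACME client writes into its challenge directory."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Tokens are URL-safe base64 without padding (RFC 8555 section 8.3), so this
# is the only path shape port 80 ever needs to serve.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")

# Redirect to the configured name, never to the client's Host header, so a
# forged Host cannot turn the HTTP->HTTPS redirect into an open redirect.
SERVER_NAME = "fms.example.test"      # assumption: placeholder hostname

# token -> key authorization ("<token>.<account key thumbprint>"); constructed sample
CHALLENGES = {"Kf8a_Z3xV0example": "Kf8a_Z3xV0example.fake-thumbprint"}


def route(path, challenges, server_name=SERVER_NAME):
    """Return (status, headers, body) for a plaintext request on port 80."""
    match = ACME_PATH.match(path)
    if match:
        key_auth = challenges.get(match.group(1))
        if key_auth is None:
            return 404, {"Content-Type": "text/plain"}, b"unknown challenge token\n"
        # RFC 8555 suggests application/octet-stream; validators ignore the type anyway.
        return 200, {"Content-Type": "application/octet-stream"}, key_auth.encode()
    # Everything else (traversal attempts, query strings, the app itself) goes to TLS.
    return 301, {"Location": f"https://{server_name}{path}"}, b""


class Port80Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = route(self.path, CHALLENGES)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Binding port 80 needs privileges; use a high port behind a NAT rule for testing.
    HTTPServer(("0.0.0.0", 80), Port80Handler).serve_forever()
```

Pair this with a firewall rule that admits port 80 from anywhere (the validators' addresses are not published) and keep the real application on 443 only; the redirect means a stray plaintext request to the app still ends up on TLS rather than being served in the clear.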

And in fact, I think that's why Palo Alto has "acme-protocol" as a separate item in their list of things to enable, as confusing as it is to administrators, so that you can allow inbound on port 80 only the smallest possible set of requests and still have validation work.

3 Likes

I'm all set here. Thanks so much for the firewall application tip. Would never have guessed that was holding things back from working.

3 Likes