Using Letsencrypt on Filemaker Server 15


#1

I recently managed to obtain certificates for my MacMini running Filemaker Server 15.0.3 within my LAN using a dyndns Host Name.

I am aware that Filemaker does not recognise Certbot as an authorised CA and as such comes up with warnings (just as it does with its own development certificate). I don’t really mind this because I am only sharing the database with a few select individuals and I can reassure them and persuade them to manually override the warnings. However, it is important to me that the connection is properly encrypted because the information is sensitive. At present I am still using the Filemaker supplied certificate. Does the fact that I have a warning and a struck through https prefix mean that the connection is not encrypted? How can I check?

Can anyone run me through which certificates I need to import to the Filemaker CStore and what they need to be named? For instance, I am pretty sure that the Certbot privkey.pem file needs to be renamed PrivateKey.pem. When I tried to upload the other certificates I got into problems and was locked out of the site!

So could anyone help me out here? If I get it wrong, can I roll back simply by removing the certificates?

Very many thanks

D


#2

If this is true for every user, there isn’t any benefit to using Let’s Encrypt; it doesn’t make you any safer or make the cryptography any more secure. The only reason to use Let’s Encrypt is to allow other users’ software to automatically trust the certificates instead of having to manually deal with trust management. If the users’ software doesn’t do that and the users have to manually add trust to the certificate, that benefit is out the window!

In your situation you would be at least as secure with a self-signed certificate instead of a Let’s Encrypt certificate; you can also get other benefits like making it last much longer if you want (say, 3 years instead of 3 months).

The warning with the struck-through HTTPS might mean that the browser couldn’t verify the certificate (in which case encryption is still being used). Your browser should allow you to click on the warning in order to see more details, which should explain why the browser thought the connection was insecure or couldn’t verify that it was secure.


#3

Thank you Seth

You have, in one leap, transcended my knowledge!

All I want is for the connection between user and database to be secure. If this can be done without users having to override warnings, that would be preferable but not critical.

It would appear that the certificate shipped with Filemaker is doing that, I think. This is the result of clicking on the “broken” https prefix:

Certificate Error
There are issues with the site’s certificate chain (net::ERR_CERT_AUTHORITY_INVALID).
View certificate
Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-384), and a strong cipher (AES_256_GCM).
Secure Resources
All resources on this page are served securely.

So I am guessing that all is OK (for my purposes). I assume I would just get a different error with Let’s Encrypt but an error, nonetheless?

You mention a self signed certificate. Whilst I have heard of these, I have done no research on how they would work in my situation. At the risk of sounding lazy, could you possibly give me a brief overview of how it would work and point me to a useful website to learn more?

With very many thanks

D
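The distinction drawn in the replies above (a certificate the client does not trust still yields an encrypted session) can be checked outside the browser. The following is an added example, not part of the original thread; the function name `probe_tls` and the script name are hypothetical, and it uses only Python's standard `ssl` module against a host you supply.

```python
import socket
import ssl
import sys


def probe_tls(host, port=443, timeout=5.0):
    """Report negotiated TLS parameters and, separately, whether the
    certificate chain verifies against the system trust store."""
    result = {"encrypted": False, "protocol": None, "cipher": None,
              "trusted": False, "trust_error": None}

    # Pass 1: verification off. The handshake still negotiates a protocol
    # and cipher, so this answers "is the traffic encrypted?" on its own.
    lax = ssl.create_default_context()
    lax.check_hostname = False          # must be disabled before CERT_NONE
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            result["encrypted"] = True

    # Pass 2: default trust store plus hostname check, as a browser does.
    # A self-signed or vendor-default certificate fails here only.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host):
                result["trusted"] = True
    except ssl.SSLCertVerificationError as exc:
        result["trust_error"] = exc.verify_message
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage (hypothetical file name): python probe_tls.py <your-host> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for key, value in probe_tls(sys.argv[1], target_port).items():
        print(f"{key:12} {value}")
```

A result with `encrypted` true and `trusted` false corresponds to the browser panel quoted above: the session is encrypted, but the client cannot confirm who it is talking to without manually trusting the certificate.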


#4

Correct,

There would be no difference from the current certificate you have (you would still get the message about net::ERR_CERT_AUTHORITY_INVALID and the encryption would be the same). In the certificate info, could you see how long the current certificate is valid for? If it’s not close to renewal then I’d suggest just using the existing certificate.


#5

Thanks Andy

It expires in 2049, so I guess I may as well stick with it.

Thanks for all your help

D


#6

I’ve developed a script to automate installing and renewing Let’s Encrypt certificates on FileMaker Server, though currently only for Windows Server. It seems to be fully compatible with FMS/Pro/Go 15. I’ll be working on a Mac version as well, though it’s not ready yet. You may be able to use this to guide yourself on what to do on the Mac side as well for now until I get the other one done.

FileMaker Server and Let’s Encrypt


#7

Thank you Smef

Yes, I saw your thread and am very interested! As mentioned above, I am currently using the default Filemaker certificate which gives trust warnings but is still providing a secure connection. If your solution overcomes the warnings, I would be keen to make the switch back to Let’s Encrypt and, indeed, will do so!

I will keep an eye on your thread but do you think you could add me to your mailing list to let me know when your solution is available for Mac OSX, please?

Very many thanks and best wishes

Duncan

