@TyrfingMjolnir
Last active June 7, 2020 19:51
BlueFeather's Let's Encrypt approach for Filemaker on MacOS X

sleep 15s

In /opt/local/GetSSL.sh, editing the sleep value to match the time it takes for your solution to stop may be a good option.

Wait 15 seconds for FileMaker Server to stop an actual solution? 15 may work for FM example.fmp12; however, for a real-life production environment with several relationships between files on a volume mounted from ZFS across 8x NVMes w/ 17 000 MB/sec access, I see that 300 secs is more realistic. You can probably get away with 125 (the time FileMaker allows for kicking the last user off is 120 secs).
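An alternative to a fixed sleep, as an added example that is not part of the original gist or of Blue Feather's script: poll until the server process is gone, with 300 seconds as the upper bound, so the restart happens as soon as the stop has completed. The function names and the process name `fmserverd` are assumptions; check the actual process name on your server.

```shell
#!/bin/sh
# Added example (not from the original gist): bounded wait instead of "sleep 300".

# wait_until_fails TIMEOUT INTERVAL COMMAND [ARGS...]
# Re-runs COMMAND every INTERVAL seconds while it keeps succeeding.
# Returns 0 as soon as COMMAND fails (the process is gone),
# or 1 if TIMEOUT seconds pass and COMMAND still succeeds.
wait_until_fails() {
    wuf_timeout=$1
    wuf_interval=$2
    shift 2
    wuf_waited=0
    while "$@" >/dev/null 2>&1; do
        if [ "$wuf_waited" -ge "$wuf_timeout" ]; then
            return 1
        fi
        sleep "$wuf_interval"
        wuf_waited=$((wuf_waited + wuf_interval))
    done
    return 0
}

# restart_fms: stop FileMaker Server, wait up to 300 s for it to exit, start it.
# Assumption: the server daemon shows up in the process list as "fmserverd".
restart_fms() {
    launchctl stop com.filemaker.fms
    if ! wait_until_fails 300 5 pgrep -x fmserverd; then
        # Record the timeout so it shows up in the LaunchDaemon's output.
        echo "GetSSL: fmserverd still running after 300 s" >&2
    fi
    launchctl start com.filemaker.fms
}
```

In GetSSL.sh, a call to `restart_fms` would take the place of the stop, sleep and start lines.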

/Library/LaunchDaemons/tld.domain.fms-ssl

Running the LaunchDaemon at monthly intervals appears to be frequent enough. The example below runs on the 1st of every month at 00:01 hours; my guess is that this translates to 12:01 AM. The 24-hour clock never reads 24:00; it goes from 00:00:00 to 23:59:59.

#!/bin/sh
# Created by: David Nahodyl, Blue Feather
# Contact: contact@bluefeathergroup.com
# Date: 5/7/2019
# Version: 0.4
# Need help? We can set this up to run on your server for you! Send an email to
# contact@bluefeathergroup.com or give a call at (770) 765-6258
# Change the domain variable to the domain/subdomain for which you would like
# an SSL Certificate
DOMAIN="fm18s21.domain.tld"
# Change the contact email address to your real email address so that Let's Encrypt
# can contact you if there are any problems
EMAIL="fm18s21@domain.tld"
# Enter the path to your FileMaker Server directory, ending in a slash
SERVER_PATH="/Library/FileMaker Server/"
#
# --- you shouldn't need to edit anything below this line
#
WEB_ROOT="${SERVER_PATH}HTTPServer/htdocs"
# Get the certificate
certbot certonly --webroot -w "$WEB_ROOT" -d "$DOMAIN" --agree-tos -m "$EMAIL" --preferred-challenges "http" -n
cp "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SERVER_PATH}CStore/fullchain.pem"
cp "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SERVER_PATH}CStore/privkey.pem"
chmod 640 "${SERVER_PATH}CStore/privkey.pem"
# Move an old certificate, if there is one, to prevent an error
mv "${SERVER_PATH}CStore/serverKey.pem" "${SERVER_PATH}CStore/serverKey-old.pem"
# Remove the old certificate
fmsadmin certificate delete
# Install the certificate
fmsadmin certificate import "${SERVER_PATH}CStore/fullchain.pem" --keyfile "${SERVER_PATH}CStore/privkey.pem" -y
# Stop FileMaker Server
launchctl stop com.filemaker.fms
# Wait for it to stop. 15 seconds may work for `FM example.fmp12`; however, for a
# real-life production environment on ZFS across 8x NVMes w/ 17 000 MB/sec access,
# I see that 300 secs is more realistic. You can probably get away with 125
# (FileMaker allows 120 secs for kicking the last user off).
sleep 300
# Start FileMaker Server again
launchctl start com.filemaker.fms
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/opt/local:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin</string>
</dict>
<key>Label</key>
<string>tld.domain.fms-ssl</string>
<key>ProgramArguments</key>
<array>
<string>/bin/sh</string>
<string>/opt/local/GetSSL.sh</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>StartCalendarInterval</key>
<array>
<dict>
<key>Hour</key>
<integer>0</integer>
<key>Minute</key>
<integer>1</integer>
<key>Day</key>
<integer>1</integer>
</dict>
</array>
</dict>
</plist>