Set up a schedule to renew the SSL certificate
SSL Certificates from Let’s Encrypt are only valid for 90 days and must be renewed before that time. Let’s Encrypt does this purposefully to encourage automation and increase security. In that spirit, we should set up an automatic renewal for our SSL certificates so that we don’t need to manually re-run this every couple of months. This process is similar to setting up a scheduled script in FileMaker Server.
Move the GetSSL.ps1 file to a relatively permanent location on your server and then open the Task Scheduler, which we will use to set up a new scheduled task.
Once you have the Task Scheduler open, right-click on the Task Scheduler Library icon on the left side of the window and select the “Create Basic Task” option.
Give your task a name and description so that you can recognize what is is and then press Next. Select a frequency for this task to run. Daily is a good setting here, and then on the next screen you can set it to recur every 65 days. The SSL certificates from Let’s Encrypt are good for 90 days at a time, so this will give us some leeway if there are problems
PowerShell in the “Program/script:” field. Enter the path to the GetSSL.ps1 script in the “Add arguments (optional)” field with the -File option. If you used the recommended path for storing the script this should be
-File "C:\Program Files\FileMaker\SSL Renewal\GetSSL.ps1"
Click the next button to review, and select the “Open Properties” checkbox. Complete the setup and the properties window will open for you to make final adjustments to this schedule. You can edit the triggers and scheduling here, but the important thing we need to do is change the security options.
Select the “Run whether user is logged o nor not” radio button and enter your password to allow the script to run even if you’re not logged into the machine. Also be sure to check the “Run with highest privileges” option to make the script Run as Administrator, which is required for the script to work properly. For FileMaker Server 17 it is important that the user you enter here is allowed to log in to the FMS admin console through external authentication, as described in the previous step.
That’s all that you need to do! Your script should run automatically at your scheduled time to renew your SSL certificate with Let’s Encrypt. Do a test to make sure that it’s all working properly, that it gets a new certificate for you, and that your FileMaker Server service restarts after it has retrieved the certificate. If there is an issue, you may want to run the script manually in PowerShell or debug with the PowerShell ISE to locate any issues.
Keep in mind that your FileMaker Server service will be restarted after getting the new SSL certificate, so be sure to schedule it for a time when people will not be active in your system.