Replies: 10 comments 5 replies
-
Not a direct answer to your question, but most of these use the HTTP challenge method. Don't forget that you can also use the DNS challenge and keep things more secure. I haven't updated my scripts to PS scripts but you can find the gist of the DNS approach here: https://www.soliantconsulting.com/blog/filemaker-lets-encrypt-ssl-certificates-dns/
-
This project does require port 80 to be open; I'm going to add that to the docs. The logs do show this is the issue, but it doesn't give a very good error message. I'd like to modify this script to better explain why it failed in this case. In addition to the alternative options already mentioned, you could likely modify this script to open port 80 in the Windows firewall, then close it again when it's done. For that to work, you'd have to allow port 80 through the AWS security group. I can help you with this, if you'd like.
-
I forgot to reference this in commit fac40c8, but I just added a
The result is that port 80 will only be open for a short amount of time (a few seconds or less in my recent tests). I still need to document this in the README.
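The open-then-close approach described in the two comments above, as an added PowerShell example that is not the project's own code; the function name, rule name and the action passed in are assumptions. It only touches the Windows host firewall, so the AWS security group mentioned above still has to allow port 80 separately.

```powershell
# Added example, not code from GetSSL.ps1. The function name, rule name and
# the script block passed in are assumptions made for illustration.
#Requires -RunAsAdministrator

function Invoke-WithTemporaryPort80 {
    param(
        [Parameter(Mandatory)] [scriptblock] $Action,
        [string] $RuleName = 'Temporary ACME HTTP-01 port 80'   # hypothetical name
    )

    # Remove a rule left behind by an interrupted earlier run.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $opened = Get-Date
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Allow | Out-Null
    try {
        & $Action   # the certificate request runs while the rule exists
    }
    finally {
        # Runs whether the action succeeds or throws, so the port is not left open.
        Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        $seconds = [math]::Round(((Get-Date) - $opened).TotalSeconds, 1)
        Write-Host "Inbound TCP 80 was allowed for $seconds seconds."
    }

    # Fail loudly if the rule somehow survived the cleanup.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        throw "Firewall rule '$RuleName' still exists; remove it manually."
    }
}

# Usage with a stand-in action (replace with the real certificate request):
# Invoke-WithTemporaryPort80 -Action { Start-Sleep -Seconds 2 }
```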
-
It would go at the end of the second line but it sounds like I've got a bug
to fix before that will work.
You might be able to get it to work right now if you added -Renew
-ModifyFirewall instead.
On Wed., Sep. 18, 2024, 11:15 p.m. saebel, ***@***.***> wrote:
Where does the -ModifyFirewall command go in the two lines of code? I
tried in two different places (end of first line before the colon and end
of second line), and it didn't work. The logs didn't show any attempts to
create/remove a port 80 access. I just got invalid statuses.
-
No luck. I’ve got to get some sleep and will check back in tomorrow.
Chris
From: Dan Smith ***@***.***>
Sent: Wednesday, September 18, 2024 11:24 PM
To: dansmith65/FileMaker-LetsEncrypt-Win ***@***.***>
Cc: saebel ***@***.***>; Author ***@***.***>
Subject: Re: [dansmith65/FileMaker-LetsEncrypt-Win] Multiple issues - undefined errors, original blog missing, set up documentation missing, etc (Discussion #23)
It would go at the end of the second line but it sounds like I've got a bug
to fix before that will work.
You might be able to get it to work right now if you added -Renew
-ModifyFirewall instead.
-
The previously mentioned bug has been fixed and the README has been updated. Note that you MUST be able to access your server in a browser on port 80 before running the script. Once the script runs with the new
Since you've already run the setup on that server, you can now use the Renew parameter to re-use the previously entered url and email address:
Set-ExecutionPolicy Bypass -Scope Process -Force;
& 'C:\Program Files\FileMaker\FileMaker Server\Data\Scripts\GetSSL.ps1' -Renew -ModifyFirewall
-
I can't access your server in a browser and this script won't work until you can. There's no use continuing to run it until you can access your server in a browser. Here's the error from the log:
I like using Google's Dig for troubleshooting DNS issues: https://toolbox.googleapps.com/apps/dig/#ANY/fms.musicpublishingmanger.com
It doesn't look like you have any DNS setup for this domain. If you've configured it in Route53, then you'll need to go to your domain registrar and change the nameservers to Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/GetInfoAboutHostedZone.html
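A pre-flight check for the two conditions this thread keeps hitting (the name must resolve, and port 80 must answer) before the certificate script is run. This is an added PowerShell example, not part of the project; the function name, resolver address and sample host name are assumptions.

```powershell
# Added example, not part of GetSSL.ps1. The function name, resolver address
# and the host name in the usage line are assumptions made for illustration.
function Test-AcmeHttpPreflight {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $Resolver = '8.8.8.8'   # public resolver: skips hosts file and internal DNS
    )

    $report = [ordered]@{
        HostName  = $HostName
        Addresses = @()
        DnsErrors = @()
        Port80    = $false
    }

    # The CA looks up both A and AAAA, so check both record types.
    foreach ($type in 'A', 'AAAA') {
        try {
            $answers = Resolve-DnsName -Name $HostName -Type $type -Server $Resolver `
                -DnsOnly -ErrorAction Stop
            # Keep address records only; an empty answer returns the zone's SOA instead.
            $report.Addresses += @($answers | Where-Object { $_.IPAddress } |
                ForEach-Object { $_.IPAddress })
        }
        catch {
            $report.DnsErrors += "${type}: $($_.Exception.Message)"
        }
    }

    # Only test the port when the name resolves; otherwise the DNS error is the finding.
    if ($report.Addresses.Count -gt 0) {
        $tcp = Test-NetConnection -ComputerName $HostName -Port 80 `
            -WarningAction SilentlyContinue
        $report.Port80 = [bool] $tcp.TcpTestSucceeded
    }

    $report.Ready = ($report.Addresses.Count -gt 0) -and $report.Port80
    [pscustomobject] $report
}

# Run from a machine outside the server's network, since the CA connects from the internet.
# Test-AcmeHttpPreflight -HostName 'fms.example.com'   # constructed host name
```

A mistyped host name shows up here as entries in DnsErrors with no addresses, which is the same condition the NXDOMAIN log message in this thread reports.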
-
I assume you mean just fms.musicpublishingmanager.com by itself and not the web direct landing page?
Sent via my mobile phone.
From: Dan Smith ***@***.***>
Sent: Friday, September 20, 2024 10:13:48 AM
To: dansmith65/FileMaker-LetsEncrypt-Win ***@***.***>
Cc: saebel ***@***.***>; Author ***@***.***>
Subject: Re: [dansmith65/FileMaker-LetsEncrypt-Win] Multiple issues - undefined errors, original blog missing, set up documentation missing, etc (Discussion #23)
I can't access your server in a browser and this script won't work until you can. There's no use continuing to run it until you can access your server in a browser. Here's the error from the log:
DNS problem: NXDOMAIN looking up A for fms.musicpublishingmanger.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for fms.musicpublishingmanger.com - check that a DNS record exists for this domain
I like using Google's Dig for troubleshooting DNS issues: https://toolbox.googleapps.com/apps/dig/#ANY/fms.musicpublishingmanger.com
It doesn't look like you have any DNS setup for this domain. If you've configured it in Route53, then you'll need to go to your domain registrar and change the nameservers to Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/GetInfoAboutHostedZone.html
-
I am so embarrassed. I misspelled it. I left out an “a”. ☹
https://fms.musicpublishingmanager.com/
It has an A record already and the site is showing up.
From: Dan Smith ***@***.***>
Sent: Friday, September 20, 2024 11:47 AM
To: dansmith65/FileMaker-LetsEncrypt-Win ***@***.***>
Cc: saebel ***@***.***>; Author ***@***.***>
Subject: Re: [dansmith65/FileMaker-LetsEncrypt-Win] Multiple issues - undefined errors, original blog missing, set up documentation missing, etc (Discussion #23)
yup
-
I am trying to get this set up on an AWS hosted server with Microsoft Windows 2019 Datacenter installed. I followed the instructions and things seemed to be going okay until I got some errors:
My guess is that there is an issue with Let's Encrypt being able to access the port (based on some other posts/troubleshooting), but it's not clear to me which port should be opened for this purpose as there have been discussions about port 80 being vulnerable to attack.
I tried to go to the Blue Feather Group blog link that's referenced in the documentation, but apparently the entire website is down and unavailable.
powershell 2024-09-18_101559.log
powershell 2024-09-18_101735.log