Let's Encrypt Setup for FileWave Server (Debian)

What

This Knowledge Base (KB) article ~~discusses the use of~~covers a Debian-focused shell script tothat ~~automate the process of setting up~~automates Let's Encrypt SSL ~~certificates~~certificate setup for a FileWave ~~server.~~server ~~Let's~~on ~~Encrypt~~Debian is12/13.

The ~~free,~~script ~~automated,~~now supports two challenge methods:

HTTP-01 (standalone certbot)

DNS-01 (Cloudflare)

Both paths handle certificate request, FileWave certificate injection, and ~~open~~renewal ~~Certificate Authority (CA) that provides SSL certificates required for secure (HTTPS) connections.~~automation.

When/Why

FileWave administrators ~~would~~use this when they need toa ~~set up an~~trusted SSL certificate for ~~the FileWave server to ensure~~ secure communication.

~~Using~~

~~Let's~~

Use ~~Encrypt~~HTTP-01 iswhen aport ~~popular choice because it's free and~~80 can be ~~automated.~~reached ~~However,~~from the ~~setup~~internet.

~~process~~

Use ~~has~~DNS-01 ~~multiple~~(Cloudflare) ~~steps~~when ~~and~~port ~~can~~80 beis ~~prone~~blocked/unavailable toor ~~human~~you ~~error.~~prefer ~~This~~DNS ~~script~~validation.

~~simplifies the process by automating most of the steps.~~

~~Note that this~~This documented process is ~~only~~ for Debian ~~systems.~~12/13. If you are a Hosted ~~customer~~customer, weFileWave can ~~also~~ handle ~~Let's~~certificate ~~Encrypt~~management for ~~hosted~~you: ~~servers~~SSL Certificate Management for Custom Domains (FileWave-Hosted Servers).

How

~~Let's~~

Prerequisites

~~Encrypt~~

~~requires~~

FileWave ~~port~~server 80on Debian 12 or 13

Root/sudo access

Public DNS name (FQDN) for ~~their challenge type. Ensure~~ the FileWave server

~~has~~

If ~~port~~using DNS validation: Cloudflare API token with DNS edit permissions for the zone

Challenge method guidance

HTTP-01: requires inbound TCP/80 ~~open.~~reachability for Let's Encrypt ~~Challenge~~validation.

~~Port~~

DNS-01 (Cloudflare): does not require inbound TCP/80.

If TCP/80 is not available, select DNS-01 (Cloudflare) during install.

~~The script needs to be run on a FileWave server with root permissions. The server should be Debian 12+ or compatible.~~

~~Here are the~~

Install steps to use the script:

Download the script ~~below.~~with wget:

wget -O filewave-letsencrypt-debian.sh https://kb.filewave.com/attachments/413

Make ~~the~~it ~~script~~executable: ~~executable by running~~

chmod +x scriptname.filewave-letsencrypt-debian.sh
.

Run ~~the~~install: ~~script~~

sudo as root with./filewave-letsencrypt-debian.sh --install
as

Follow prompts for:
- Hostname (FQDN)
- Email
- Validation method:
  - 1 = HTTP-01
  - 2 = DNS-01 (Cloudflare)
- If DNS-01 chosen: Cloudflare API token

Confirm values when prompted.

Verify output for success messages and final summary.

What the argument.script
Example:does

Validates Debian + root execution

Validates hostname and email

Backs up existing certs under sudo ./scriptname.sh --installusr/local/filewave/certs/backup-<timestamp>/
~~The~~Installs/validates ~~script will automate the rest of the process. It will:~~
- ~~Check if the provided FQDN is resolvable.~~certbot
- ~~Backup any existing certificates.~~
- ~~Install necessary tools (if not already installed).~~
- ~~Request~~Requests a new certificate ~~from~~using ~~Let's~~selected ~~Encrypt.~~challenge method
- ~~Set~~For upDNS-01 a(Cloudflare): ~~script~~creates to/etc/letsencrypt/secrets/cloudflare.ini automatically ~~renew~~(no ~~the~~manual ~~certificate~~pre-creation ~~and~~required)
- Updates FileWave ~~server.~~mdm_cert_trusted DB flag
- ~~Set up a daily cron job to renew the certificate.~~

~~Check the output of the script to ensure there were no errors during the process.~~

~~If you want to remove Let's Encrypt you can do the following and then go in to FileWave Central and replace your certificate with one from a different source.~~
~~Example:~~ sudo ./scriptname.sh --uninstall

~~Please replace~~ scriptname.sh ~~with the actual name of the script.~~

~~Download Script:~~ ~~linux-letsencrypt-v2.0.sh~~

~~linux-letsencrypt-v2.0.sh (Debian)~~

#!/bin/bash
#26-May-2022 - Removed the old update dep certs file that would break a 14.7.x server updating its dep profiles
#19-June-2020 - added parameter verification ; made DEP script injection conditional ; added firewall exceptions ; made sure certificate is injected at initial run ; added cronjob scheduling
#10-July-2023 - Updated the script to replace the oldCreates renewal hookdeploy ifhook:
it
exists, made the script work with --uninstall without additional arguments, changed the script to ask for the hostname and email during installation, added Debian OS check.
#16-Feb-2024 - Updated for Debian server
#08-Mar-2024 - Refinements for Debian use. Switched to SNAP for certbot and more help if errors. 
#23-Apr-2024 - Added code to set the cert as trusted

scriptname="$BASH_SOURCE"

# check if script is running on Debian
if ! grep -q 'Debian' /etc/os-release ; then
echo "This script is designed to run on Debian. Exiting."
exit 1
fi

# root or moot
if [ $(whoami) != "root" ] ; then 
echo "root rights required - please rerun as"
echo "sudo ${BASH_SOURCE} --install"
exit 1
fi

#letsencrypt installation for Debian Linux
if [ -z "$1" ]; then
    echo "This script automates the process of obtaining and installing a Let's Encrypt SSL certificate for a FileWave server on Debian."
    echo "Available arguments:"
    echo "--install: Install a new Let's Encrypt SSL certificate."
    echo "--uninstall: Uninstall the Let's Encrypt SSL certificate and remove associated scripts."
    exit 1
fi

# Check if uninstall switch is provided
if [ "$1" == '--uninstall' ]; then
  echo "Uninstalling..."
  rm -f /etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh
rm
-f
Creates daily renewal cron:

/etc/cron.daily/letsencrypt-filewave
snap


Immediately injects cert into FileWave and restarts server services


Uninstall

To remove certbot
  echo "Uninstallation complete. The renewal hook script, daily cron job, and Certbot have been removed."
  exit 0
fi

# Proceed with installation
if [ "$1" == '--install' ]; then
  read -p "Enter your fully qualified domain name (hostname): " hostname
  read -p "Enter your email address: " emailaddress

  # verify whether this is a resolvable public hostname ; abort if not
  if ! [ -x "$(command -v nslookup)" ]; then
    echo "Installing 'dnsutils' for Debian."
    apt install -y dnsutils
  fi

  nslookup $hostname 8.8.8.8
  public=$?
  if [ $public -ne 0 ] ; then echo "$hostname not resolvable by 8.8.8.8 (Google) ; exiting." ; exit 0 ; fi 

  # Confirm hostname and email address
  echo "Hostname: $hostname"
  echo "Email Address: $emailaddress"
  read -p "Are these correct? (yes/no) " confirm
  if [ "$confirm" != "yes" ]; then
    echo "Aborting due to user confirmation."
    exit 1
  fi

  #Backup existing certs
  BACKUP_DATE=$(date +%Y-%m-%d-%H-%M)
  mkdir /usr/local/filewave/certs/backup-$BACKUP_DATE
  cp -p /usr/local/filewave/certs/server.* /usr/local/filewave/certs/backup-$BACKUP_DATE

  # Update Debian system and Install Certbot if not already installed
  apt update -y
  DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -o Dpkg::Options::="--force-confold"
  
  if ! [ -x "$(command -v certbot)" ]; then
    echo "Installing SNAP."
	apt install -y snapd
	snap install core
	echo "Installing Certbot."
	apt remove certbot python3-certbot-apache
	snap install --classic certbot
	ln -s /snap/bin/certbot /usr/bin/certbot
    # Test again for the certbot command
    if ! [ -x "$(command -v certbot)" ]; then
      echo "Certbot installation failed. Exiting."
      exit 1
    fi
  fi

  #request certificate initially
  # I've seen this fail and there is no harm in the command running 2x the first time to be sure it worked. 
  certbot -n --agree-tos --standalone certonly -d "$hostname" -m "$emailaddress" 

  echo "Certificate for $hostname should be created. If there was an error try running:"
  echo 'certbot -n --agree-tos --standalone certonly -d "'$hostname'" -m "'$emailaddress'"'

# PostgreSQL command to update ios_preferences
  echo "Updating iOS preferences in PostgreSQL..."
  /usr/local/filewave/postgresql/bin/psql -d mdm -U django -c "INSERT INTO ios_preferences (key, value) VALUES ('mdm_cert_trusted', TRUE) ON CONFLICT (key) DO NOTHING; UPDATE ios_preferences SET value = 'true' WHERE key = 'mdm_cert_trusted';"
  if [ $? -eq 0 ]; then
      echo "iOS preferences updated successfully."
  else
      echo "Failed to update iOS preferences in the database."
  fi

  # Ensure renewal-hooks and deploy directories exist
  mkdir -p /etc/letsencrypt/renewal-hooks/deploy

  # Remove old renewal hook if exists
  rm -f /etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh

  # Create new renewal hook
  cat>/etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh<<EOT
#!/bin/bash
cp /etc/letsencrypt/live/$hostname/fullchain.pem /usr/local/filewave/certs/server.crt
cp /etc/letsencrypt/live/$hostname/privkey.pem /usr/local/filewave/certs/server.key
chown apache:apache /usr/local/filewave/certs/server.*
echo "Restarting FileWave Server..."
/usr/local/bin/fwcontrol server restart
echo "Updating DEP profile certificates..."
(yes 2>/dev/null) | /usr/local/filewave/python/bin/python /usr/local/filewave/django/manage.pyc update_dep_profile_certs 2>/dev/null
echo "DEP profile certificates updated."
EOT
  chmod a+x /etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh

  echo "injecting certificate into filewave server"
  /etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh
  echo "injection done"

##Install firewalld for configuring port 80
#    if ! [ -x "$(command -v firewalld)" ]; then
#    echo "Installing firewalld."
#    apt install -y firewalld
#    systemctl enable --now firewalld
#    # Test again for the firewalld command
#    if ! [ -x "$(command -v firewalld)" ]; then
#      echo "firewalld installation failed. Exiting."
#      exit 1
#    fi
#  fi

#  echo "making firewall opening for port 80 permanent to allow for automatic renewals"
#  firewall-cmd --add-port 80/tcp --zone=public --permanent
#  firewall-cmd --reload
#  echo "firewall settings modified"

  echo "scheduling automatic renewal of certificate"
  cat>/etc/cron.daily/letsencrypt-filewave<<'EOT'
#!/bin/bash
sleep $[RANDOM % 7200]
/usr/bin/certbot renew --quiet
EOT
  chmod a+x /etc/cron.daily/letsencrypt-filewave
  echo "scheduling complete"

  echo " "
  echo "----------------"
  echo "List ofintegration files created by thisthe script:"
echosudo "./etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh"letsencrypt-debian.sh echo--uninstall
"/etc/cron.daily/letsencrypt-filewave"
echoThis "removes FileWave renewal hook + cron job and (if present) Cloudflare credentials file. The script intentionally leaves certbot installed.

Troubleshooting

1) Certificate forrequest $hostnamefailed should(HTTP-01)
beEnsure created.inbound IfTCP/80 thereis wasreachable, anthen errorretry:
try running:"
  echo 'sudo certbot -n --agree-tos --standalone certonly -d "'$hostname'<FQDN>" -m "'$emailaddress'<EMAIL>"'
echo 'And upon success run:'
  echo "sudo certbot renew --force-renewal"renewal
echo "The main reason this process can fail is if the server is not reachable on TCP 80"
else
  echo "Invalid argument. Please run with --install or --uninstall."
fi
2) 
Troubleshooting
Certificate request failed (DNS-01 Cloudflare)
IfEnsure youtoken see errors when it tries to do the below command that registers with Let's Encrypt or if you just see that there is no active cert you can run the command below again. Just replace $hostname with fwjoshlab.filewave.net if that is your server,permissions and $emailaddress with your email. Keep the " marks. It'll tell you if it is successful or already was previously successful.

Once you have success with reistering then running the renew will tell the FileWave Server that the cert is updated.retry:
 sudo certbot -n --agree-tos --standalonedns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/secrets/cloudflare.ini certonly -d "$hostname"<FQDN>" -m "$emailaddress"<EMAIL>"
sudo certbot renew --force-renewrenewal

3) FileWave UI shows old certificate behavior
If youolder havebehavior noticedpersists, thatverify on your https://server:20443 you see 2 options where 1mdm_cert_trusted is to download a certificate then you may have used an old version of this script. The current script handles this. The fix is to do the belowset in a Terminal session on the server:PostgreSQL:

/usr/local/filewave/postgresql/bin/psql mdm django

insert into ios_preferences values('mdm_cert_trusted', TRUE);


update ios_preferences set value='true' where key='mdm_cert_trusted';


\q

An image of what this looks like:


Related Links

Let's Encrypt Documentation

Cloudflare DNS plugin for Certbot
GitHub - nycon/filewave-installer: Filewave AIO installer
Review My Notes: FileWave and Let's Encrypt | Version 12.0 (punkstuff.com)

Let's Encrypt Setup for FileWave Server (Debian)

What

When/Why

How

Prerequisites

Challenge method guidance

Install steps to use the script:

What the argument.script Example:does

Uninstall

Troubleshooting

1) Certificate forrequest $hostnamefailed should(HTTP-01)

2)

Troubleshooting

3) FileWave UI shows old certificate behavior

Related Links

What the argument.script
Example:does