Let's Encrypt Setup for FileWave Server (Debian)
What
This Knowledge Base (KB) article covers a Debian-focused shell script that automates Let's Encrypt SSL certificate setup for a FileWave server on Debian 12/13.
The script now supports two challenge methods:
- HTTP-01 (standalone certbot)
- DNS-01 (Cloudflare)
Both paths handle certificate request, FileWave certificate injection, and renewal automation.
When/Why
FileWave administrators use this when they need a trusted SSL certificate for secure communication.
- Use HTTP-01 when port 80 can be reached from the internet.
- Use DNS-01 (Cloudflare) when port 80 is blocked/unavailable or you prefer DNS validation.
This documented process is for Debian 12/13. If you are a Hosted customer, FileWave can handle certificate management for you: SSL Certificate Management for Custom Domains (FileWave-Hosted Servers).
How
Prerequisites
- FileWave server on Debian 12 or 13
- Root/sudo access
- Public DNS name (FQDN) for the FileWave server
- If using DNS validation: Cloudflare API token with DNS edit permissions for the zone
Challenge method guidance
- HTTP-01: requires inbound TCP/80 reachability for Let's Encrypt validation.
- DNS-01 (Cloudflare): does not require inbound TCP/80.
If TCP/80 is not available, select DNS-01 (Cloudflare) during install.
Install steps
-
Download the script with
wget:wget -O filewave-letsencrypt-debian.sh https://kb.filewave.com/attachments/413 -
Make it executable:
chmod +x filewave-letsencrypt-debian.sh -
Run install:
sudo ./filewave-letsencrypt-debian.sh --install -
Follow prompts for:
- Hostname (FQDN)
- Validation method:
1= HTTP-012= DNS-01 (Cloudflare)
- If DNS-01
chosen:is selected: Cloudflare API token
-
Confirm values when prompted.
-
Verify output for success messages and final summary.
What the script does
- Validates Debian
+and root execution - Validates that FileWave server paths exist (
/usr/local/bin/fwcontrol,/usr/local/filewave/certs) - Validates hostname and email
- Validates DNS resolution (tries
8.8.8.8, then system resolver fallback) - Backs up existing certs under
/usr/local/filewave/certs/backup-<timestamp>/ - Installs/validates certbot
- Requests a new certificate using selected challenge method
- For DNS-01 (Cloudflare): creates
/etc/letsencrypt/secrets/cloudflare.iniautomatically (no manual pre-creation required) - Updates FileWave
mdm_cert_trustedDB flag - Creates renewal deploy hook:
/etc/letsencrypt/renewal-hooks/deploy/filewave-server-cert.sh
- Preserves existing cert file owner/group when replacing certificates
- Creates daily renewal cron:
/etc/cron.daily/letsencrypt-filewave
- Immediately injects cert into FileWave and restarts server services
Uninstall
To remove integration files created by the script:
sudo ./filewave-letsencrypt-debian.sh --uninstall
This removes FileWave renewal hook + cron job and (if present) Cloudflare credentials file. The script intentionally leaves certbot installed.
Troubleshooting
1) FileWave server prerequisites failed
If script reports missing FileWave binaries/paths:
- Verify
/usr/local/bin/fwcontrolexists. - Verify
/usr/local/filewave/certsexists. - Re-run on the FileWave server host.
2) Certificate request failed (HTTP-01)
Ensure inbound TCP/80 is reachable, then retry:
sudo certbot -n --agree-tos --standalone certonly -d "<FQDN>" -m "<EMAIL>"
sudo certbot renew --force-renewal
2)3) Certificate request failed (DNS-01 Cloudflare)
Ensure token permissions and retry:
sudo certbot -n --agree-tos --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/secrets/cloudflare.ini certonly -d "<FQDN>" -m "<EMAIL>"
sudo certbot renew --force-renewal
3)4) FileWave UI shows old certificate behavior
If older behavior persists, verify mdm_cert_trusted is set in PostgreSQL:
/usr/local/filewave/postgresql/bin/psql -d mdm -U django
insert into ios_preferences values('mdm_cert_trusted', TRUE); on conflict (key) do nothing;
update ios_preferences set value='true' where key='mdm_cert_trusted';
\q