8 Replies Latest reply on May 19, 2015 8:25 AM by disabled_ntaylor

    Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients

    Mac89

      Summary

      Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console

      Product

      FileMaker Server

      Version

      13.0.9

      Operating system version

      Windows Server 2012

      Description of the issue

      When utilizing a custom cert on a 2-machine deployment, it is impossible to make the cert appear as valid when accessing the solution from FM Clients, FM Go and the Admin Console.

      The basic issue revolves around the fact that WebDirect clients access the server from the Worker machine while FM Clients, FM Go and the Admin Console access the Master.

      The domain on the cert points to the Worker machine so when being accessed via WebDirect it will show as valid.

      However, when accessing the Master through FM Clients, FM Go or Admin Console you will be entering either a different IP or domain name that will not match the cert that is loaded and does match the Worker.

      There needs to be a way to have two certs loaded or some other workaround so that clients accessing on the Master also see a valid cert and know they are connecting to a valid server.

      Steps to reproduce the problem

      1 - Set up a two-machine deployment with a custom cert.
      2 - Access through WebDirect and it will show as valid.
      3 - Access through FMP, FMPA, FM Go or Admin Console which needs to point at the Master.

      Expected result

      WebDirect and all FM Clients and Admin Console users need to see a valid certificate.

      Actual result

      Sessions will be encrypted and show a lock in the bottom left of FM clients but will show as not valid and the Get ConnectionState Attribute will only show secure state 2. There is no way to get a 3 or valid cert.

        • 1. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console

          Mac89:

           

          Thank you for the post.

           

          Only the certificates specifically listed in the following knowledge base article will work to encrypt the FileMaker Pro and FileMaker Go connections:

           

          List of supported SSL certificate types and vendors for FileMaker platform

           

          “Note:  FileMaker Go has certificates embedded within the application.  Therefore, FileMaker Go can only securely connect with certificates listed above.”

           

          If the connection were not encrypted, then the Get (ConnectionState) function would return a 1. 

           

          FileMaker Network Security and SSL - Overview

           

          TSFalcon

          FileMaker, Inc.

          • 2. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console

            Mac89:

             

            After rereading your post, I wanted to comment on this part:

             

            “Sessions will be encrypted and show a lock in the bottom left of FM clients but will show as not valid and the Get ConnectionState Attribute will only show secure state 2. There is no way to get a 3 or valid cert.”

             

            Get (ConnectionState) = 2 means the connection is secure; however, the fully qualified domain name does not match the certificate. This could occur if using the public I.P., the private I.P., or private computer name when trying to connect.

             

            If using Favorite Hosts to connect, then make sure to be using the fully qualified domain name instead of the alternatives. 

             

            TSFalcon

            FileMaker, Inc.

            • 3. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console
              Mac89

              Hi,

              Yes, I'm using an approved cert and also have a FM support ticket open on this. So far FM support has not been able to come up with a solution.

              You can't use the same fully qualified domain name for simultaneous access to WebDirect and FM Clients/FM Admin Console in a two-machine deployment because FM configuration instructions tell you to point them to different servers. WebDirect clients point to the Worker machine while FM Clients & FM Admin Console point directly to the Master machine. In order for this to work properly you would need to load two different certs, one for the Worker and one for the Master. However, FMS only allows you to load one cert. So you can choose to have it show as valid as the Worker or the Master but not both.

               

              • 4. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console

                Mac89:

                 

                Thank you for the reply.

                 

                I spoke with my contact in Technical Support about your open case to make sure I fully understood the issue. 

                 

                If the Master and Worker machine are using different fully qualified domain names, then 2 certificates would be needed to return Get (ConnectionState) = 3. One certificate is needed for each machine and each fully qualified domain name.

                 

                TSFalcon

                FileMaker, Inc.
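To make the two-certificate answer above concrete, here is an added example (not code from this thread or from FileMaker) that models a two-machine deployment and predicts the Get (ConnectionState) value each client type would see, including the wildcard case raised later in the thread. The machine names, IP address and certificate names are constructed, and the hostname-matching rules are the standard dNSName/wildcard rules, assumed here rather than taken from FileMaker's implementation.

```python
from __future__ import annotations
import ipaddress

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate dNSName (optionally '*.example.com') covers hostname.
    Wildcard rule assumed: only the whole leftmost label may be '*', and it
    matches exactly one label. An IP address never matches a dNSName."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "*" in cert_labels[1:]:
        return False
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))

def connection_state(encrypted: bool, cert_sans: list[str], hostname: str) -> int:
    """Mirror the Get(ConnectionState) values from the thread: 1 = not encrypted,
    2 = encrypted but the name the client typed does not match the certificate,
    3 = encrypted and the certificate covers that name."""
    if not encrypted:
        return 1
    return 3 if any(name_matches(n, hostname) for n in cert_sans) else 2

def audit_deployment(installed: dict[str, list[str]],
                     clients: dict[str, tuple[str, str]]) -> dict[str, int]:
    """installed: machine -> names on the certificate imported on that machine.
    clients: client type -> (machine it connects to, host string it uses).
    Returns the expected ConnectionState per client, assuming every connection
    is encrypted (so the answer is always 2 or 3)."""
    return {client: connection_state(True, installed[machine], host)
            for client, (machine, host) in clients.items()}

# Constructed deployment (hypothetical names, not from the thread).
CLIENTS = {
    "WebDirect": ("worker", "worker.example.com"),
    "FileMaker Pro": ("master", "master.example.com"),
    "Admin Console (favorite host by IP)": ("master", "10.0.0.5"),
}
# Case 1: the single Worker certificate imported on both machines.
ONE_CERT = {"worker": ["worker.example.com"], "master": ["worker.example.com"]}
# Case 2: one certificate per machine, each matching that machine's own FQDN.
TWO_CERTS = {"worker": ["worker.example.com"], "master": ["master.example.com"]}
# Case 3: a wildcard certificate imported on both machines.
WILDCARD = {"worker": ["*.example.com"], "master": ["*.example.com"]}

if __name__ == "__main__":
    for label, certs in (("one cert", ONE_CERT), ("two certs", TWO_CERTS), ("wildcard", WILDCARD)):
        print(label, audit_deployment(certs, CLIENTS))
```

Connecting by IP address stays at state 2 in every case, which is why the earlier advice to use the fully qualified domain name in Favorite Hosts matters even once the right certificates are in place.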

                • 5. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console
                  Mac89

                  Right, but FMS documentation only talks about installing one cert that then applies to both machines. How do you install a 2nd cert and how do you tell FMS which cert goes to the Master and which goes to the Worker?

                  Also, to make the cert show as valid from WebDirect and valid from an FM Client wouldn't you always need to have two certs to make them show as valid since the Worker machine would have one IP and sub-domain name and the Master will have another IP and sub-domain name?

                  This could be handled with a wildcard cert but of course in FM's extremely limited compatibility with certs that is not supported.

                  • 6. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console

                    Mac89:

                     

                    Thank you for the reply.

                     

                    “FMS documentation only talks about installing one cert that then applies to both machines.”

                     

                    The documentation was corrected in the FileMaker Server 14 Getting Started Guide:

                     

                    “If you are using a two-machine deployment, you must run the certificate import command on both machines.”

                     

                    “Also, to make the cert show as valid from WebDirect and valid from an FM Client wouldn't you always need to have two certs to make them show as valid since the Worker machine would have one IP and sub-domain name and the Master will have another IP and sub-domain name?”

                     

                    Yes. That is correct. 

                     

                    “This could be handled with a wildcard cert but of course in FM's extremely limited compatibility with certs that is not supported.”

                     

                    This is not a feature as currently designed; however, if you would like to see this changed, I would encourage you to enter this as a suggestion into our Feature Requests web form at:

                     

                    http://www.filemaker.com/company/contact/feature_request.html

                     

                    These web form suggestions are monitored and read by our Development and Product Management departments where they are then discussed and considered for a future release. Although I could copy your post and paste it into the web form, there are some questions asked that only you can answer.

                     

                    TSFalcon

                    FileMaker, Inc.

                    • 7. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console
                      Mac89

                      Thanks for the information and I'll definitely do a feature request.

                      Can you install two certs in v13.0.9 or only v14.0.1?

                       

                      • 8. Re: Impossible to Have Valid Cert on 2-Machine Deployment for FM Clients & Admin Console

                        Mac89:

                         

                        Thank you for the reply.

                         

                        “Can you install two certs in v13.0.9 or only v14.0.1?”

                         

                        Everything discussed in this thread applies to both FileMaker Server 13.0v9 and FileMaker Server 14.0.1.

                         

                        In terms of SSL, FileMaker Server 13.0v9 and FileMaker Server 14.0.1 are virtually the same except in FileMaker Server 14.0.1, we added the ability to import certificates through the Admin Console and two new error codes related to SSL:

                         

                        “Error 1632 The Certificate cannot be authenticated by a supported CA (new to FileMaker Pro 14)

                         

                        Error 1633 The Certificate is valid, but still wrong. e.g. hostname doesn't match, or expired (new to FileMaker Pro 14)”

                         

                        TSFalcon

                        FileMaker, Inc.