Using Require Secure Connections with a signed certificate - no databases are shown as hosted

Question asked by drowland@una.ab.ca on Sep 17, 2014
Latest reply on Sep 25, 2014 by TSGal

Summary

Using Require Secure Connections with a signed certificate - no databases are shown as hosted

Product

FileMaker Server

Version

13.0.4.400

Operating system version

OS X 10.9.4

Description of the issue

After enabling Require Secure Connection using a signed certificate the server no longer presents hosted databases to clients (even on the same local machine as the server).

Steps to reproduce the problem

1. Generate CSR, install signed certificate using fmsadmin.
2. Reboot and verify web is using proper signed certificate
3. Enable Require Secure Connections
4. Restart Database Server
5. Hosted databases are no longer listed (server still is).

Expected result

Client should be able to see hosted databases.

Actual result

Clients see no hosted databases while Require Secure Connection is enabled.

Exact text of any error message(s) that appear

N/A

Configuration information

When FMS starts it appears to be copying/re-encrypting keys from CStore to HTTPServer/conf and overwriting anything in that directory. The certificate is ripped out of serverCustom.pem and placed into server.pem. We don't understand where the server.key in HTTPServer/conf is being generated from; it does not match either of the keys in CStore.

We attempted to modify the httpd.conf to point at a differently named cert (to avoid FMS overwriting it) but that causes Web Server to not launch. Equally we attempted to lock the certs in HTTPServer/conf to avoid being overwritten but with identical results.

We've built FMS clean on a test server to replicate this behaviour we saw on our production and dev servers. We've also re-issued the certs with no change in symptoms.

Workaround

1. Generate and install the signed certificate.
2. Verify web is using the signed certificate.
3. Turn off the Database Server.
4. Delete from the CStore: serverCustom.pem, serverKey.pem, serverRequest.pem
5. Enable "Require Secure Connections"
6. Turn on the Database Server

Web will now be using the correct signed certificate and FM Clients can see hosted databases.

HOWEVER YOU CAN'T REBOOT

Upon reboot FMS is going to overwrite the signed keys (in HTTPServer/conf) with the original self-signed keys.

See: http://forums.filemaker.com/posts/98f940fcdf
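The report above turns on whether server.key in HTTPServer/conf belongs to the certificate taken from serverCustom.pem. The following is an added example, not part of the original post and not FileMaker tooling, that compares the public key in each certificate with the public key derived from each private key using openssl. The file names come from the post; the two directory arguments, the `KEY_PASS` variable and the helper names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not FileMaker tooling). File names come from the post;
# the two directory arguments and KEY_PASS are assumptions of this sketch.

# PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a private key. KEY_PASS (hypothetical name)
# holds the passphrase if the key is encrypted; empty means unencrypted.
key_pubkey() {
    KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" -pubout \
        -passin env:KEY_PASS 2>/dev/null
}

# 0 = certificate and key belong together, 1 = they do not, 2 = unreadable.
pair_matches() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

report() {
    if pair_matches "$1" "$2"; then
        echo "MATCH     $1 <-> $2"; return 0
    fi
    echo "NO MATCH  $1 <-> $2"; return 1
}

# $1 = CStore directory, $2 = HTTPServer/conf directory.
# Returns the number of pairs that do not match.
check_fms_pairs() {
    bad=0
    report "$1/serverCustom.pem" "$1/serverKey.pem" || bad=$((bad + 1))
    report "$2/server.pem" "$2/server.key" || bad=$((bad + 1))
    # Cross check: is the web server's key the one the signed cert was issued for?
    report "$1/serverCustom.pem" "$2/server.key" || bad=$((bad + 1))
    return "$bad"
}

# Constructed sample data for trying the check offline: a throwaway
# self-signed certificate ($1) and its unencrypted RSA key ($2).
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fms.example.test" -out "$1" -keyout "$2" 2>/dev/null
}
```

Run `check_fms_pairs <CStore dir> <HTTPServer/conf dir>` before and after a restart; a pair that flips from MATCH to NO MATCH shows which files were overwritten.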