Thank you for the post.
After verifying the update, was the default SSL certificate replaced?
The following is from Software Update: FileMaker Server 13.0v1a:
Replacing the default SSL certificate
After applying this software, if you do not have a signed SSL certificate that matches your specific server name, request a certificate from a trusted certificate authority (CA) supported by FileMaker, Inc.
If you previously obtained a signed SSL certificate, contact your CA to revoke your existing certificate and request a new certificate.
For instructions, see the FileMaker Server Help topic “Securing your data.”
For information on supported CAs, see the FileMaker Knowledge Base:
I didn't revoke and request a new one, since I only got it a few weeks ago, and I think that section is more of a "best practice" thing (because of the potential exposure of private keys via Heartbleed) rather than a technical requirement.
But I suppose it's possible that FMS is actually checking cert dates or looking for older private keys and deliberately breaking itself if it finds something before a certain date....seems unlikely but who knows. I'll give it a try and post a reply with the results.
Unfortunately, a new cert (revoked and re-keyed, based on a new private key generated by the CERTIFICATE command) didn't solve the issue.
I tried restarting the FMS and the server box itself, but to no avail: when "Require Secure Connections" is checkmarked, the FM client (I tried 13.0v2 and v3) can't see any databases hosted on the server. As soon as I uncheck "Require Secure Connections", all is well.
The same cert is working fine securing https traffic to the web side, and it was useful to check that the new cert was definitely in place, so the new cert is working and valid (plus the CERTIFICATE IMPORT command liked it, of course), but it hasn't solved this issue for me.
Any other ideas?
Thank you for the reply.
To confirm, you are using one of the specific certificates listed in the article above? (See screenshot).
Also, was this working prior to the update?
Thanks for the reply.
I'm using a GoDaddy cert, from GoDaddy's CA (not Starfield's).
This was all working before the 13.0v1a update. I had performed the previous incarnation of the Heartbleed patch, which involved manually copying framework files, and it seemed to be working fine after that.
As part of doing the FMS 13.0v1a update, I also performed the 2014-002 OS X Security Update (http://support.apple.com/kb/HT6207).
I am having a similar problem with a GoDaddy certificate as well -- on a clean installation of Windows Server 2008 with a clean installation of the updated FMS, when I import a re-keyed post-Heartbleed GoDaddy certificate, I can no longer connect either via WebDirect or FMP to my files if the "Require Secure Connections" checkbox is checked. Uncheck it, reboot -- and the files appear again and are accessible.
JohnDCCIU & Frederick Dimarco:
Thank you for the replies.
I lack the ability to test this further without the certificates. If you are willing, Testing would like to try a setup using your certificates.
If so, please check your inbox at the top of this page for instructions on how to submit the file for testing.
I had this same issue with three FileMaker 13 servers. It worked initially in v0, but after the Heartbleed fixes it never worked again. I tried using the exact GoDaddy cert FileMaker specifies, but nothing works. FileMaker blamed the certificate, blamed being on 2008 Enterprise, all red herrings. The only solution is:
Open the command prompt window using Run as Administrator.
From the command line enter: fmsadmin CERTIFICATE CREATE server_name.xxx.com
The CERTIFICATE CREATE command is used to create the certificate request file that you send to the certificate authority (serverRequest.pem), plus an encrypted private key file that is used by the CERTIFICATE IMPORT command (serverKey.pem).
The serverRequest.pem is located at: F:\Program Files\Filemaker\Filemaker Server\Cstore
Send the serverRequest.pem to a Certificate Authority
Save the returned signed certificate to F:\Certs
Use the CERTIFICATE IMPORT command to create a custom server .pem file that combines the certificate file that you get back from the certificate authority with the encrypted private key file created by the CERTIFICATE
Open the command prompt window using Run as Administrator.
fmsadmin certificate import F:\certs\signedCertificate.crt
Stop the FileMaker Server service
Remove the serverRequest.pem, serverKey.pem, and serverCustom.pem from F:\Program Files\Filemaker\Filemaker Server\Cstore
Restart FileMaker Server
Now your transactions on the web will use your third-party certificate and your transactions in the client will use the OpenSSL certificate provided by FileMaker. When you restart FileMaker with Require SSL, your files will be available in the Open Remote window and through WebDirect.
So it's been since April 2014 and this is still an issue. TSFalcon nicely facilitated a discussion with FMI development in a private thread back in May to try to resolve this, but their only (completely laughable) suggestion to get this working with a secure SHA-2 cert installed on the server is to touch every single FM client (!), adding the intermediate G2 cert to the OpenSSL root CA on that client. Completely ridiculous suggestion, of course, considering that I have many hundreds of clients spread around in various locations....and such a massive effort on the customer's part would be solely because of the longstanding buffoonery of FMI's SSL efforts in v13.
So my FMS 13 server still has no encryption between FM client and FM server right now, nearly 6 months after I reported this. Nice. Good thing it's not really in production yet and all my critical stuff is still on FMSA v11.
When can we expect an update to the FM 13 client to fix this issue? It will still be a giant pain in the neck to deploy (every single client will have to be updated before I can set the server to enforce encryption), but at least then it's permanent and automatic, and any new client installations will be good to go out of the box.
If that is their suggestion, why isn't it documented? FileMaker seems to not be taking this very seriously.
There also is no documentation on how to replace certificates, so better get a three-year certificate.
You should try my workaround. It utilizes the built-in certificate that comes with FileMaker client for the clients, so you won't have to touch any of them. For the WebDirect users you get a trusted third-party certificate. It is basically the way it used to work in FileMaker 11. I have had mine in production for several months with no issues.
I have the same problem as John but am using a certificate from a non-approved vendor. I followed Matthew's procedure to import the certificate and remove the serverRequest.pem, serverKey.pem, and serverCustom.pem from the C:\Program Files\Filemaker\Filemaker Server\Cstore folder after installation and, indeed, FM Pro clients can now see and open all of the hosted databases with "Require Secure Connections" checked on the server, and the Get(ConnectionState) function returns a 2, showing that the connection is secure using the default FM-supplied certificate. Also, now when accessing the FMS Admin Console using https, I no longer receive any certificate error as I did before the installation of the non-approved certificate.
WebDirect users, however, are not secure - Get(ConnectionState) returns a 1. For grins, I copied the same serverRequest.pem, serverKey.pem, and serverCustom.pem files into the C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\CStore folder and then all hosted databases with WebDirect enabled, magically, disappeared from the WebDirect home page - just like when these same files are in C:\Program Files\Filemaker\Filemaker Server\Cstore. Hmmm......
So a non-approved vendor certificate appears to secure the connection to FMS Admin Console but nothing but a default FM cert appears to secure the connection with FMP clients.
TSFalcon what are the latest findings in the FM labs?
Fred Marker:
Thank you for the post.
We are aware that only the certificates in the knowledge base article below are fully supported at this time.
I have no additional information at this time.
TSFalcon
FileMaker, Inc.