16 Replies Latest reply on Jun 8, 2016 1:14 PM by taylorsharpe

    Green lock (SSL cert verified) not consistent with FileMaker 15

    stephensexton

      Trying to sort out an issue with SSL cert verification since installing developer copies of FMS15 and FMP15 and also installing FMGo15 on my iPad.

      I thought I needed to re-issue the GoDaddy SSL cert on my server as I wasn't seeing the green lock on opening my files... so I re-issued it....

       

      Still having problems with FileMaker Pro 15 however.  Any tips from anyone about how I might resolve this?

       

      FileMaker Go 15 -> FileMaker Server 15 (green lock, normal)

      FileMaker Pro 14 -> FileMaker Server 15 (green lock, normal)

      FileMaker Pro 15 -> FileMaker Server 15 (no lock - not encrypted, problem)

       

      Please note that "SSL for database connections" and also progressive downloading have been checked and system restarted.

       

      Is it possible that this has something to do with FileMaker Pro 14 still installed (will test anyway shortly)?

       

      Cheers, Stephen

        • 1. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
          taylorsharpe

          I assume this is the approved GoDaddy certificate, which is the Standard SSL only. 

           

          List of supported SSL certificate types and vendors for FileMaker platform | FileMaker

           

          What is the FileMaker Server's Operating System?  Is it possible you are using something other than the URL to access it with FMP 15 such as opening it locally?

          • 2. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
            stephensexton

            Thanks Taylor... that's right... the Standard SSL for GoDaddy.

            I unfavourited everything in the launch centre and tried via local host and also via a freshly created favourite host with the correct fully qualified domain name for the server.  Everything looks spot on with FileMaker Go 14 & 15, and FileMaker Pro 14, but NOT FileMaker Pro 15.

             

            I have only been able to test one more scenario since the original post... i.e. checked accessing a database on a server that is using FileMaker Server 14, from my computer using FileMaker Pro 15... all good.

            • 3. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
              taylorsharpe

              Btw, what operating systems are you using on your FMS, and FMPs?

               

              What if you connect from outside of your local area network that the server is on?  The reason I ask is that sometimes inside the server, DNS and NATing routes things funny so SSLs don't work.  Also, have you tried this from multiple FMPs?  Any chance the server has multiple ethernets and IPs?  Just some ideas. 

              1 of 1 people found this helpful
              • 4. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                ch0c0halic

                And remove any keychain entries for the databases on that FMS. This has been a problem in FMP 14 as well. When it first came out and when 14.0v4 was released some computers had issues with the SSL connection.

                 

                Both the favorites and the keychain store information about the connection. So either one can cause the SSL to fail. And, it's cached in FMP so you must also quit FMP after you delete the favorites and before you delete the keychain entries.

                2 of 2 people found this helpful
                • 5. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                  stephensexton

                  Thank you for the suggestions...

                   

                  The operating system is Mac OS X 10.11.4.

                  FileMaker Server and FileMaker Pro are installed on this same machine (development machine).

                   

                  I think that you are both on the right track with the nature of the problem, but I can't nail it yet.  More to do in the morning.

                   

                  I have just deleted filemaker preferences, keychain entries (there were none specific to this server connection), removed FileMaker Pro 11,12,13,14,15 from the machine, emptied trash, and then restarted the machine... Re-installed FileMaker Pro 15... Still no good...

                   

                  I also deleted a favourite host link for this server on my iPad, and subsequently found that I was getting a black, rather than green padlock.  This concerns me a little, as it appears I was getting a false impression of secure connection via the iPad earlier.  My assumption now is that the certificate may not be installed correctly.  Will update further tomorrow.

                  • 6. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                    taylorsharpe

                    FYI, you normally would not have an application on a server service machine except for a development setup, but not production.  It is not a best practice for a server.  I have one such setup with a valid SSL for development purposes.  It does not show the green icon when connecting FMP to FMS on the same machine and 15, but when other devices connect via a domain name URL it does work.  When you have an application on the same machine looking back at itself, there may be issues with when and if it validates the certificate.  I'm not sure.  But it does not work on my development machine looking back at itself either.  However, it does for all other connections where a domain name URL is used.  Remember the purpose of the green icon is to have a 3rd party validate that you really are you at that domain and IP.  If you are looking back at yourself, there really doesn't need to be a 3rd party to validate that.  You know who you are on the exact same machine.  SSL is really for devices connecting to other servers to validate who they are, not for validating a device looking back at itself. 

                    • 7. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                      ch0c0halic

                      Since your iPad was green and went black when you reconnected my guess is you aren't using the complete server name used in the certificate. Your connection to FMS must match exactly. You cannot use the IP address or a wild card or a truncated server name.

                       

                      For example:

                      Certificate was issued for Server name "my_server.filemaker.com".

                      I want to access a database name "hosted_db".

                       

                      This is the exact name required to achieve a Green Padlock.

                      fmnet:/my_server.filemaker.com/hosted_db

                       

                       

                      You can access the server using the IP.

                      You can probably access the server using its short name "my_server".

                       

                      But, neither of these will produce a green padlock.

                      • 8. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                        stephensexton

                        Hi Taylor & chocohalic - this is a development machine.  I previously would see a green icon when opening it from the same computer (self) and also from other computers (LAN or WAN) using the same fully qualified domain name manually typed (exactly the same as a favourite host internet address).  In other words, the host name resolved correctly whether SELF, LAN or WAN.  Also, following last night's testing, I found that deleting and recreating the favourite host shortcut on my iPad resulted in no longer getting the green icon whether connecting via LAN or WAN.  So the issue is now wider than I initially thought... at some point today (if a few other options fail) I will attempt re-importing the SSL certificate to see if that helps.

                         

                        I checked port-forward settings on the modem:  5003 TCP, 443 TCP and 80 TCP, are all forwarded to the local IP of the server.... no changes made.

                        • 9. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                          stephensexton

                          Just had an update from FileMaker support... as Taylor mentioned, it appears that I should not be expecting a green icon when opening the file using FileMaker Pro on the same computer as FileMaker Server (the local host) - concerns network optimisation.  This confused me as previously with FileMaker Pro 14 I was definitely seeing a green icon.  However, as stated with previous posts, I am no longer getting a green icon from anywhere... Will be having another go at importing the SSL certificate.

                          • 10. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                            stephensexton

                            All good now.  Thanks for the tips.  The SSL cert was fine.  A difference in the SSL icon that I saw on my host machine with FMP15 versus FMP14 threw me in circles.  After repeating same steps of removing favourites, quitting Pro14, Pro15, Go14 and Go15 on other devices and re-entering the favourite host address, the green icon appeared on all non-host computers and iPads.

                            1 of 1 people found this helpful
                            • 11. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                              lavendt

                              When you connect to your server, it is important how you connect.

                               

                              If you select a host, that shows up in the local hosts list, FM will use Bonjour to find your hosts.

                              However, they will be listed as .local instead of FQDN.

                              That means, if you e.g. have a server named server1.mydomain.com, it will be named server1.local when you see it in the local hosts list (or it can also be using the IP address).

                               

                              When your client tries to connect to your server, it will do so either using server1.local or the IP address, when you select from the list of local hosts.

                              That will always render a black padlock, since your certificate says server1.mydomain.com

                               

                              Now, in order to always get green padlock, you will need to manually add a favourite host with the FQDN.

                              That is, add a favourite host with the name server1.mydomain

                              1 of 1 people found this helpful
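
The name-matching rule described in replies 7 and 11, as an added example that is not part of the original thread and not FileMaker code. `classify` and `check_live` are hypothetical helper names, the sample names and IP address are constructed from the thread's `server1.mydomain.com` example, and `check_live` assumes the server presents the same certificate on port 443 (one of the ports listed in reply 8).

```python
import ipaddress
import socket
import ssl

# Constructed sample: DNS names the certificate was issued for.
CERT_DNS_NAMES = ["server1.mydomain.com"]

def classify(connect_name, cert_dns_names=CERT_DNS_NAMES):
    """Say why a host name typed into the client can or cannot validate."""
    name = connect_name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "ip-address"      # certificate names a DNS host, not an IP
    except ValueError:
        pass
    if name.endswith(".local"):
        return "bonjour-local"   # name picked from the local hosts list
    if "." not in name:
        return "short-name"      # truncated server name
    if name in {n.rstrip(".").lower() for n in cert_dns_names}:
        return "match"           # DNS names compare case-insensitively
    return "mismatch"

def check_live(host, port=443, timeout=5.0):
    """Real TLS handshake with chain and host-name verification.

    Returns (True, DNS names in the certificate) or (False, reason).
    """
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                san = tls.getpeercert().get("subjectAltName", ())
                return True, [v for kind, v in san if kind == "DNS"]
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)

if __name__ == "__main__":
    # Constructed connection names: FQDN, Bonjour name, short name, LAN IP.
    for candidate in ("server1.mydomain.com", "server1.local",
                      "server1", "192.168.1.20"):
        print(f"{candidate:24} {classify(candidate)}")
```

Running `check_live` against the server with each name used in a favourite host entry shows which of them the certificate actually validates for.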
                              • 12. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                                taylorsharpe

                                Claus... FYI, I renamed my favorite with the local name which happens to be FMS.local.  It still does not give me the green bar for FMPA 15 with FMS 15 on the same machine.  It works with all other devices, but still not getting the green bar with that or the full domain name. 

                                • 13. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                                  JZombie

                                  Hi Claus,

                                   

                                  I understand that if you access an FMS on LAN using the FQDN that you'll get a green padlock.

                                   

                                  My question is, if you use the FQDN does the client machine access the server through LAN or does it have to go out to WAN and back to the server?

                                   

                                  If the connection has to go out to WAN, will it affect the connection speed?

                                   

                                  I'm thinking maybe I need to set an internal DNS in my router so that local computer that uses the FQDN will point to a local IP of the server instead of going out to WAN and back. Just so that I could use the LAN's full speed by connecting local.

                                   

                                  Thank you in advance.

                                  • 14. Re: Green lock (SSL cert verified) not consistent with FileMaker 15
                                    lavendt

                                    It really depends on your router/firewall. Some don't allow traffic to flow out and in again and some can be difficult to set up.

                                    Without an internal DNS server, you will lead traffic through your router/firewall and put traffic there, which could affect performance.

                                    If you have a LAN switch, a good thing would be to send internal traffic through that one only.

                                    This will require an internal DNS server, that maps your FQDN of internal servers via the LAN IP.

                                     

                                    Hope this answers your question.
