15 Replies. Latest reply on Jan 9, 2017 10:37 AM by ErichWetzel

    Problem with SSL verification of valid cert by FMP, mac network client

    ErichWetzel

      The following was originally posted here back in June and did not get any attention. I have made some recent changes to some of the system details, and the problem persists.

       

      Current systems:

      FMS 15.0.1.137 on a Mac OS 10.11.6 with a valid GoDaddy certificate of acceptable format to FMS.

      FMP 15.0.2.220 on macOS 10.12.1 clients bound to Open Directory on a Server running macOS 10.12 and Server 5.2

       

      For clarity:

      FMP for a non-managed user shows the certificate as valid and approved and connects as usual with a green lock.

      FMP on a managed user says the certificate cannot be validated but "show certificate" shows a valid verified certificate. The login can proceed through the "do you want to connect to this host" dialog and connects with a grey lock.

       

      ORIGINAL POST:

       

      FMS 15 on a Mac OS 10.11.5. Valid GoDaddy certificate of acceptable format to FMS. FMP 15 on Mac OS 10.11.5 clients.

       

      Everything worked well until a recent problem required rebuild of our Mac OS 10.11.5 Server network user server. Created brand new user homes for network users.

       

      Since the rebuild, the network users all get the unconfirmed SSL certificate dialog and grey lock showing encryption but no verification on login to the databases. In the SSL certificate dialog, selecting the certificate shows that it is valid and verified.

       

      Local users on the client machine all log in as expected and get the full green lock and SSL verification.

       

      The server.FQDN.com replaces our real server name in the logs below. User replaces our real username. Console on the client trying to connect to FMS shows the following for each FMP login attempt:

       

      6/8/16 2:47:19.352 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.351 -0400 [Main_0x7fff7d57f000] FMCertificateStore::AddNewContentToPEMFile() Write Error 20405: filemac:/Macintosh HD/Network/Servers/server.FQDN.com/Volumes/Data/Networkuserdata/user/Library/Application Support/FileMaker/FileMaker Pro/15.0/root.pem, amountToWrite 1521, amountWritten 0

      6/8/16 2:47:19.353 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.352 -0400 [Main_0x7fff7d57f000] FMCertificateStore::RegenerateDefaultPEMFiles() AddNewContentToPEMFile failed.

      6/8/16 2:47:19.395 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.394 -0400 [Main_0x7fff7d57f000] FMCertificateStore::AddNewContentToPEMFile() Write Error 20405: filemac:/Macintosh HD/Network/Servers/server.FQDN.com/Volumes/Data/Networkuserdata/user/Library/Application Support/FileMaker/FileMaker Pro/15.0/root.pem, amountToWrite 300157, amountWritten 0

      6/8/16 2:47:19.395 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.395 -0400 [Main_0x7fff7d57f000] FMCertificateStore::AppendRootCAWithMachineRootCA() Error: cannot update FileMaker CA Pem file.

      6/8/16 2:47:26.817 PM FileMaker Pro[1906]: Failed to connect (_okButton) outlet from (SFCertificatePanel) to (NSButton): missing setter or instance variable

       

      It looks like the client is trying to write to the Application Support folder in the users home folder and is failing to write. I have deleted the FileMaker folder in Application Support. On restart of FMP, the FileMaker folder in Application Support is recreated. However, the error remains the same.

       

      Pushed owner and owner permissions through the user home folder. Error remains the same.

       

      This problem may be related to the issue here: FM 15 Can't approve certificates, open remote files, view Permitted Hosts preferences

       

      Any ideas?

       

      Thanks - Erich

        • 1. Re: Problem with SSL verification of valid cert by FMP, mac network client
          ErichWetzel

          Additional detail:

           

          In the filemac:/Macintosh HD/Network/Servers/server.FQDN.com/Volumes/Data/Networkuserdata/user/Library/Application Support/FileMaker/FileMaker Pro/15.0/

           

          folder for a managed user the certificates placed are as follows:

          certifiedroot.pem - 12-9-2014

          root.pem - 12-9-2014

          server.pem - 12-8-2014

           

          folder for a non-managed user the certificates placed are as follows:

          certifiedroot.pem - Today

          root.pem - Today

          server.pem - 12-8-2014

           

          If the certificates in that folder are deleted and FileMaker and the connection are restarted, the certificates are replaced with ones matching the dates above. So the verified connection uses Today's date for the certificates. The unverified connection uses 12-9-2014 dated certificates.
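A small diagnostic for the symptom in the Console lines quoted above, added here as an example and not part of the original thread or of any FileMaker tooling: it extracts the `FMCertificateStore` write failures, maps the `filemac:` path to a POSIX path, and tests create-then-append in the target folder as the current user. The function names are hypothetical, and it assumes "Macintosh HD" is the boot volume and that the PEM refresh amounts to a create followed by an append.

```python
import os
import re
import tempfile

# Two of the Console lines quoted in the post (placeholders are the poster's own).
SAMPLE_LOG = """\
6/8/16 2:47:19.352 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.351 -0400 [Main_0x7fff7d57f000] FMCertificateStore::AddNewContentToPEMFile() Write Error 20405: filemac:/Macintosh HD/Network/Servers/server.FQDN.com/Volumes/Data/Networkuserdata/user/Library/Application Support/FileMaker/FileMaker Pro/15.0/root.pem, amountToWrite 1521, amountWritten 0
6/8/16 2:47:19.353 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.352 -0400 [Main_0x7fff7d57f000] FMCertificateStore::RegenerateDefaultPEMFiles() AddNewContentToPEMFile failed.
"""

WRITE_ERR = re.compile(
    r"FMCertificateStore::(?P<func>\w+)\(\) Write Error (?P<code>\d+): "
    r"(?P<path>filemac:/.+?), amountToWrite (?P<want>\d+), amountWritten (?P<got>\d+)"
)

def parse_write_errors(log_text):
    """Return one dict per PEM write failure found in Console output."""
    hits = []
    for m in WRITE_ERR.finditer(log_text):
        hit = m.groupdict()
        for key in ("code", "want", "got"):
            hit[key] = int(hit[key])
        hits.append(hit)
    return hits

def filemac_to_posix(path, boot_volume="Macintosh HD"):
    """Map filemac:/Volume/dir/file to a POSIX path.
    Assumption: boot_volume is mounted at /, other volumes under /Volumes."""
    volume, _, rest = path[len("filemac:/"):].partition("/")
    if volume == boot_volume:
        return "/" + rest
    return "/Volumes/" + volume + "/" + rest

def probe_append(directory):
    """Create a scratch file in `directory`, reopen it and append to it.
    Returns (ok, error_text); the scratch file is removed afterwards."""
    try:
        fd, scratch = tempfile.mkstemp(prefix="pemprobe-", dir=directory)
        os.close(fd)
    except OSError as exc:
        return False, f"create failed: {exc.strerror}"
    try:
        with open(scratch, "ab") as fh:
            fh.write(b"probe\n")
            fh.flush()
            os.fsync(fh.fileno())  # force the write through to the file server
        return True, ""
    except OSError as exc:
        return False, f"append failed: {exc.strerror}"
    finally:
        os.remove(scratch)

if __name__ == "__main__":
    for hit in parse_write_errors(SAMPLE_LOG):
        folder = os.path.dirname(filemac_to_posix(hit["path"]))
        state = probe_append(folder) if os.path.isdir(folder) else (False, "folder not found")
        print(hit["func"], hit["code"], f'{hit["got"]}/{hit["want"]} bytes', folder, state)
```

Run it while logged in as the affected network user so the probe exercises the same home-directory mount that FileMaker Pro writes to.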

          • 2. Re: Problem with SSL verification of valid cert by FMP, mac network client
            TSGal

            ErichWetzel:

             

            Thank you for your posts.

             

            I've discussed this with two other Support Technicians, and the agreement is that this is probably an Open Directory issue.  There was also discussion about the path name if it allowed write privileges to the users folder.  This would make sense as non-managed users don't have this issue.

             

            If no certificate is installed, do you get the same write error?

             

            With certifiedroot.pem and root.pem not being able to be written to, it makes sense that it would keep the original dates of 12-9-2014, and why non-managed users show today's date.

             

            Since you reported this worked prior to the server upgrade, it's not clear from your postings if you uninstalled FileMaker Server and then reinstalled.  Have you performed a reinstall?

             

            Any other information you can provide may be helpful in narrowing down possible causes.

             

            TSGal

            FileMaker, Inc.

            • 3. Re: Problem with SSL verification of valid cert by FMP, mac network client
              ErichWetzel

              TSGal,

               

              I agree that the Open Directory rebuild seems to be a likely target. However, this problem also only arrived with FMS15. Our FMS14 had worked as expected with certificate validation, of the same certificate, for some time running against a similar vintage Open Directory.

               

              The entire Mac Server, Open Directory and all userhomes were recreated and have operated as expected managing computers, users, and network userhomes in our all Apple setup. The userhomes were all created from new (empty) by the server. They were not old userhomes full of content cobbled together with resetting of permissions. The Open Directory server has also since been updated to macOS 10.12 with no change in behavior. Brand new users added to the OD server give the same results. At the time of the initial post the Mac Server would probably have been 5.1 or 5.1.15. So we have gone through a major version change there too since we are up to 5.2 now.

               

              I can manually access the path given (inside a typical Mac Server issued network userhome with FileMaker Application Support added by FMP on its own) via the user it belongs to in the Finder and add and delete from the folder. So read, write, delete access are all available to the user at that location.

               

              You mentioned something interesting, along the lines of: since it cannot write the current certificate, it makes sense to have the original one. I manually erased the certificates from the Finder.app and the ones dated 2014 were put in that location upon connecting FMP with the managed user. So it had no problem writing there. The folder was cleared to confirm what it was putting in, if anything. I just retested again and FMP put the 2014 dated certificates back into that folder before bringing up the login dialog.

               

              I did not test without a certificate because I don't want to have to rebuild my FMS system again if I don't have to. It is functioning in all respects with the exception of validating the GoDaddy Certificate. However, I did install FMS 15 on a 10.12 machine for testing and got an open lock on login with the default certificate because of the name mismatch. I don't want to push over to the 10.12 system because I cannot get my, currently fully functional, CWP websites to survive a server reboot properly under FMS on 10.12.

               

              Unfortunately, I reinstalled FMS several times when this initially happened because I worried that this issue would lead to bigger ones.

               

              I am not sure when in the connection process the certificates are placed in the location they should be, but upon opening the login dialog the indicator for the certificate not being validated is already showing.

               

              If you guys have any other ideas I can try or we could look at, let me know.

               

              Not that this helps but here are screen shots of what we are seeing. The top image occurs first of course:

              Screen Shot 2016-10-25 at 6.07.15 PM.jpg

               

              Screen Shot 2016-10-25 at 6.07.48 PM.jpg

              • 4. Re: Problem with SSL verification of valid cert by FMP, mac network client
                TSGal

                ErichWetzel:

                 

                Thank you for the additional information.

                 

                We have sent all information to our Development and Testing teams so they can test out different scenarios to determine why this is occurring.  When I receive any feedback, I will let you know.

                 

                TSGal

                FileMaker, Inc.

                • 6. Re: Problem with SSL verification of valid cert by FMP, mac network client
                  TSGal

                  ErichWetzel:

                   

                  Testing has read through everything and the first item they noticed was:

                   

                  "Everything worked well until a recent problem required rebuild of our Mac OS 10.11.5 Server network user server. Created brand new user homes for network users.

                   

                  Since the rebuild, the network users all get the unconfirmed SSL certificate dialog and grey lock showing encryption but no verification on login to the databases. In the SSL certificate dialog, selecting the certificate shows that it is valid and verified."

                   

                  This generally signifies a configuration issue; not a FileMaker issue.

                   

                  The next item noticed was the Open Directory users do not seem to have a write permission on the following directory:

                  6/8/16 2:47:19.352 PM com.filemaker.messages[1906]: 2016-06-08 14:47:19.351 -0400 [Main_0x7fff7d57f000] FMCertificateStore::AddNewContentToPEMFile() Write Error 20405: filemac:/Macintosh

                   

                  I will be meeting with the Tester later today as he will set up an identical environment for me.

                   

                  TSGal

                  FileMaker, Inc.

                  • 7. Re: Problem with SSL verification of valid cert by FMP, mac network client
                    TSGal

                    ErichWetzel:

                     

                    The tester and I are unable to replicate the issue.  We used the same GoDaddy certificate, showed as valid, were always able to connect via Open Directory, and the lock was always green.  I'm not sure what else to try here.

                     

                    TSGal

                    FileMaker, Inc.

                    • 8. Re: Problem with SSL verification of valid cert by FMP, mac network client
                      ErichWetzel

                      TSGal,

                       

                      Ok. Thank you very much for looking at it. That puts it on my end then.

                       

                      One last thing to clarify that may be related:

                       

                      I have a two machine installation. I have a certificate for the database server itself, which is installed on and matches database.FQDN.com of that machine.

                       

                      Does that certificate cover encryption for connections via webd? Our web server is at www.FQDN.com. I have a separate certificate for the www.FQDN.com of the web server. Should that be installed or not? I currently have it installed.

                       

                      -Erich

                      • 9. Re: Problem with SSL verification of valid cert by FMP, mac network client
                        TSGal

                        ErichWetzel:

                         

                        "I have a two machine installation."

                        I didn't notice/realize you were using a two-machine deployment.  Just make sure you have all the necessary ports open on both machines.

                         

                        Yes, you should have another certificate for the web server.

                         

                        TSGal

                        FileMaker, Inc.

                        • 10. Re: Problem with SSL verification of valid cert by FMP, mac network client
                          ErichWetzel

                          TSGal,

                           

                          Ok. Ports are all set properly.

                           

                          I'll have to look into starting over with the installation and see how it goes.

                           

                          Thanks again.

                          • 11. Re: Problem with SSL verification of valid cert by FMP, mac network client
                            ErichWetzel

                            TSGal,

                             

                            Our last conversation suggested that the Open Directory might be the root of the problem I address with this discussion.

                             

                            An update to this situation: I rebuilt my MacOS 12.1 - Server 5.2 Network/OD server manually from a blank hard drive including manually creating all users, brand new user homes, and all settings.

                             

                            The behavior of the network clients and the inability to verify the certificate is still exactly the same. The non-network-user clients show expected validation of the certificates. Using the same client machine where a network user cannot verify, a local user on that client verifies properly.

                             

                            Does my description have any relation to the one Wim Decorte describes here? My guess is no, because my FMS database server uses the same FQDN as the certificate issued for it, database.fqdn.com, and we control the internal DNS that resolves to it. The web server in my installation uses the same FQDN as the certificate used for it as well, www.fqdn.com. DNS resolves forward and backwards properly on the LAN.

                             

                            I have destroyed and reinstalled my FileMaker Server installation twice and now rebuilt my Network/OD server from scratch with no behavioral change. Do you have any other suggestions?

                             

                            Thanks - Erich

                            • 12. Re: Problem with SSL verification of valid cert by FMP, mac network client
                              TSGal

                              ErichWetzel:

                               

                              Since you rebuilt the server and Open Directory server, please first verify that you can connect to the hosted database file without using Open Directory.  If this fails, then we can work on the FileMaker settings.  If it works, then we can focus on the Open Directory settings/restrictions.

                               

                              TSGal

                              FileMaker, Inc.

                              • 13. Re: Problem with SSL verification of valid cert by FMP, mac network client
                                ErichWetzel

                                TSGal,

                                 

                                Thanks.

                                 

                                To clarify:

                                 

                                OD users with Mac Server-managed-network-user-homes DO NOT validate the certificate. However, as mentioned in an earlier post, they do put something in the folder where the verified certificate is placed normally. I know they have access because if I delete the contents of that folder, the pop up asking to accept the certificate returns and then refills that folder when the certificate is accepted.

                                 

                                Logging in from the local account of a client machine and then connecting to FileMaker using an OD user, fully validates the certificate.

                                 

                                Logging in from the local account of a client machine and then connecting to FileMaker using a FileMaker user established inside the database itself, fully validates the certificate.

                                 

                                Our use and settings for FileMaker and OD have not changed over the years. We have successfully installed and used SSL certificates with FMS 13 and 14. There is nothing we are doing differently now relative to our FMS 13 or 14 installations. The database server has nothing unusual or custom about the installation or settings. Ours is a two machine installation. Everything works as we would expect with the exception of the network-userhome users not validating the SSL certificate despite the fact that it shows as valid in the certificate itself in the pop-up window that allows the certificate itself to be viewed.

                                 

                                As long as we are still encrypted we are good. It is just annoying because the login takes longer. Moving to 10.12 is not an option yet because I cannot get FMS to retain my custom web site settings.

                                 

                                Let me know if you think of anything else... 

                                • 14. Re: Problem with SSL verification of valid cert by FMP, mac network client
                                  TSGal

                                  ErichWetzel:

                                   

                                  Working with another Support Technician and setting up a similar environment, we are still unable to reproduce the issue.  The other technician and I still believe it is a settings issue, but obviously the settings that worked in 13 and 14 no longer work under FileMaker Server 15.  Isolating those settings will obviously be the challenge.

                                   

                                  We are glad that you are working, even if it is "annoying because the login takes longer".  For us to test further (and if you want to continue), we will need your complete settings.  Or, continue to keep us updated with any changes you make to settings.

                                   

                                  TSGal

                                  FileMaker, Inc.
