8 Replies Latest reply on Nov 10, 2016 2:07 AM by Jonathan Jeffery

    SSL import with FMcloud fails to decrypt key

    Jonathan Jeffery

      Product and version: FMcloud 1.15.0.185

      Description:

      When trying to import a GoDaddy Standard SSL pem file (and associated key file), we get the error "Cannot decrypt the private key file with the password. Make sure the key file and password are correct. Error: 20408 (File read error)"

       

      However, the certificate and key pair (and key password) are all correct -- the same pem files can be imported on any of our conventional servers (FMS 14.0.4.413 on a Windows 2008 virtual server, and FMS15.0.2 on two Mac Minis running macOS 10.12).

       

      There's no documentation on SSL on FMcloud, other than the list of supported certificates ( List of supported SSL certificate types and vendors for FileMaker platform | FileMaker ) which states that GoDaddy Standard SSL is compatible.

       

      Is there a difference in the file format required (? pfx or crt), or does your list of supported certificates need to be updated?

       

      How to replicate

      Open FMcloud admin console and attempt to import a certificate. Tried using Safari on a Mac, and iE on Windows.

        • 1. Re: SSL import with FMcloud fails to decrypt key
          TSGal

          Jonathan Jeffery:

           

          Thank you for your post.

           

          GoDaddy Standard SSL should work.

           

          Was the original certificate created using FileMaker Server 14?  If so, you will receive the error above when trying to import into FileMaker Cloud unless you use the embedded password used from FileMaker Server 14.

           

          In FileMaker Server 15, did you import the certificate via the Admin Console or via command line?  If the latter, what was the command used?

           

          TSGal

          FileMaker, Inc.

          • 2. Re: SSL import with FMcloud fails to decrypt key
            Jonathan Jeffery

            Hi,

             

            The original CSR was created using IIS 7, and the file imported into the Local Computer personal store (completely normal Windows processes for getting certificates into IIS). 

             

            I then exported the certificate (obviously along with the private key and intermediate certificates) as a PEM file.

             

            In FM14 and FM15 I imported the PEM files from the admin console (obviously requiring a password for the private key file) -- on FMS 14 I used two files (certificate and intermediates in one file, private key in another) and on FMS 15 I used three files (certificate, intermediates and private key) as the dialogue box now asks for intermediate certificates separately.

             

            The same PEM files were used with FMcloud without success.

             

            Regards,

             

            J.

            • 3. Re: SSL import with FMcloud fails to decrypt key
              TSGal

              Jonathan Jeffery:

               

              Thank you for the additional information.  After discussing this with another Support Technician, we are at a loss to why this does not work.  We would like to get your three files so we can test it here.  I have sent you a private message with instructions where to send the files.

               

              TSGal

              FileMaker, Inc.

              • 4. Re: SSL import with FMcloud fails to decrypt key
                TSGal

                Jonathan Jeffery:

                 

                I received your files.  Thank you.

                 

                I am able to replicate the issue on your FileMaker Cloud instance.  I have sent your files and instructions to our Development and Testing departments for review.  When I receive any feedback, I will let you know.

                 

                TSGal

                FileMaker, Inc.

                • 6. Re: SSL import with FMcloud fails to decrypt key
                  Jonathan Jeffery

                  Hi,

                   

                  Was there any news on this issue?

                   

                  My free trial of FMcloud finishes tomorrow and I think, in the circumstances, I have little option but to cancel the subscription.

                   

                  However, I'm still interested if you are able to get the certificates to work, so that I can warn/recommend FMcloud to clients.

                   

                  Many thanks,

                   

                  J.

                  • 7. Re: SSL import with FMcloud fails to decrypt key
                    TSGal

                    Jonathan Jeffery:

                     

                    Testing looked at the files you sent and said that the private keys were not encrypted with passcode or password.  The tester could import both certificates in the "FM14 Two files" and "FM15+ Three files" successfully without entering a password.  The tester also used the command line interface:

                     

                    openssl rsa-in <private key file> -check

                     

                    ... to verify the key files.  FileMaker Server 14 and FileMaker Server 15 are not strict about the private key password if it is not encrypted.

                     

                    I've asked the tester for more information.

                     

                    TSGal

                    FileMaker, Inc.

                    • 8. Re: SSL import with FMcloud fails to decrypt key
                      Jonathan Jeffery

                      Hi,

                       

                      Ah, the key was password-protected when exported as a .pfx file, but it seems that when converting to PEM format, I inadvertently removed the password.

                       

                      Thank to you and the tester for spotting that

                       

                      Certificates working as expected now!

                       

                      Kind regards,

                       

                      J.