9 Replies Latest reply on Jun 4, 2017 10:29 AM by tcwaters

    FMS 16 and Wildcard SSL Certs

    tcwaters

      I tried to upgrade our servers (2 box config) to FMS 16 yesterday, and ran into a problem on the worker box in the new deployment assistant. If I entered the host names, I got a time out and the worker box never gets added.  If I use the IP addresses, I get a "Server cannot verify the SSL certificate" and still don't get it to work if I check the "Connect using the unverified certificate" box.

       

      The SSL Cert is a wildcard cert.

       

      On some level, I think I understand the second error: when I plug in the IP, this data doesn't match the cert. But I don't understand the "timeout" error or how to get around it.

       

      Does anyone know what port this is being handled on?  I could then have a network engineer watch for the traffic to see if we can figure out the time out.  Is the issue a port problem?

       

      These two boxes are fully functional with FMS 15, and it doesn't appear there are any port changes between 15 and 16, right?

       

      THX

        • 1. Re: FMS 16 and Wildcard SSL Certs
          taylorsharpe

          I haven't done a two machine setup, so I may not be the best to comment.  But I would start with verifying the SSL cert is one of the approved ones from FileMaker.  Next, in FM 16, I've found that the intermediate certificate is much more important for things to work and if you're using a wildcard cert, then you're probably having to build your own intermediate certificate.  You might want to review if your intermediate certificate was built properly. 

          • 2. Re: FMS 16 and Wildcard SSL Certs
            tcwaters

            THX for the reply.  These are good troubleshooting steps.  Yes, the cert is one of the approved based on FMS 15.  I can't seem to find anything about use of wildcards with FMS 16.

             

            You may be on to something re: the intermediate cert.  When I called FMI as I prepared for this, they told me I could just put the whole cStore folder from the v15 server into the v16 server; I was not importing the cert using the "import cert" button.

            • 3. Re: FMS 16 and Wildcard SSL Certs
              wimdecorte

              Did you remove or rename the original 'filemaker server' folder that was left over after uninstalling FMS15?

               

              If not, there may be something there that is running interference.

              • 4. Re: FMS 16 and Wildcard SSL Certs
                tcwaters

                I did not remove or rename the folder.

                 

                Prior to the update, I made a copy of the cStore directory, and moved the copy out to the desktop.  Then I did the upgrade to FMS 16.  Then I renamed the "new" cStore directory, and moved the copy from the desktop back into the FileMaker folder. And lastly renamed the cStore directory to cStore.

                • 5. Re: FMS 16 and Wildcard SSL Certs
                  tcwaters

                  Here may be the solution to my issue in case others have this problem.  According to James @ FMI support desk, port 16002 must be open between the worker box and the master box.  This differs from the documentation, pg 21 of the  Getting Started guide, where it simply says 16002 must be available, but consistent with the figure on pg 23 at the top of the page.

                   

                  I haven't tested yet if this resolves the time out issue. I have to put in a firewall rule change request and have them open up the port, and will test and then add to this discussion when that's done.

                   

                  James did confirm that a wildcard SSL Cert can definitely still be used.
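The two symptoms in this thread can be separated with a short check, added here as an example that is not part of any post or of FileMaker's tooling: one function shows why a wildcard certificate name cannot match an IP address, the other classifies a TCP connection attempt to port 16002 as open, refused or timed out. The host names and addresses are constructed placeholders.

```python
import ipaddress
import socket

FMS_PORT = 16002  # worker <-> master port named in the thread


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cert_name_matches(pattern, host):
    """Match a certificate DNS name (possibly '*.domain') against what was typed."""
    if is_ip(host):
        return False  # a DNS name, wildcard or not, never matches an IP literal
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' stands for exactly one label
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def probe(host, port=FMS_PORT, timeout=3.0):
    """Classify a TCP connect attempt as 'open', 'refused', 'timeout' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"   # typical of a firewall silently dropping packets
    except ConnectionRefusedError:
        return "refused"   # host reachable, nothing listening on the port
    except OSError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    cert_name = "*.example.com"  # constructed wildcard name
    for typed in ("worker.example.com", "10.0.0.5", "a.b.example.com"):
        print(typed, cert_name_matches(cert_name, typed))
    # Replace 127.0.0.1 with the master's host name when run from the worker.
    print("16002 ->", probe("127.0.0.1"))
```

Run from the worker box against the master's host name, a "timeout" result points at filtering between the machines, while "refused" means the master is reachable but nothing is listening on that port.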

                  • 6. Re: FMS 16 and Wildcard SSL Certs
                    dburnham

                    In a single machine configuration where the SSL certificate was installed for FMS 15, what is the correct procedure for installing the intermediate certificate in FileMaker 16?

                     

                    Does the SSL certificate need to be purchased again?  I hope not, as that will annoy my client.   Otherwise, if it is just a matter of re-issuing a certificate request and doing so in a way that results in an intermediate certificate being installed, I need to learn how that's done.   The certificate was bought from GoDaddy last year and if I'm not mistaken, it has a 3-year term.

                    • 7. Re: FMS 16 and Wildcard SSL Certs
                      tcwaters

                      You do not need a new cert. Make a copy of the Cstore folder, and move that to the desktop. After you do the FMS installation, delete the newly created Cstore folder, and move your copy from the desktop back to the FileMaker folder. I'm writing this on my iPad. If you need more detailed instructions with folder locations, let me know and I'll write a more detailed post from my desktop.

                      • 8. Re: FMS 16 and Wildcard SSL Certs
                        dburnham

                        Thanks -- what you wrote makes sense and I will give it a try.   I did preserve the CSTORE folder before installing FMS16 so I will be able to follow your instruction.  Not sure what will happen though about the requirement for an intermediate certificate.

                         

                        ---

                         

                        Did what you suggested.  It worked.   No request for intermediate certificate.  Not even a single hiccup.

                        Leaves me confused, but satisfied to leave this issue in my rearview mirror.

                         

                        Thank you again.

                        • 9. Re: FMS 16 and Wildcard SSL Certs
                          tcwaters

                          I have just completed my upgrade to FMS 16 on a 2box config and everything is working as it should following the instructions I gave you re: the cert.