13 Replies Latest reply on Jun 23, 2017 6:05 PM by motasea

    FileMaker 16 SSL Certificate

    motasea

      FileMaker 16 SSL Certificate.  I recently installed an InCommon WildCard Certificate but despite the fact that the certificate imported in the master and worker without any problem, Google Chrome and Firefox refuse to resolve the WebDirect site.  Also, FM Pro is not verifying the SSL either.

       

       

      I initially went with the InCommon WildCard Certificate because it was easy to install on both the master and the worker. However, I see that I may have to get a Comodo Elite Certificate for each machine.  I know how to create the CSR file on the master from the FileMaker Admin Panel or using the fmsadmin command.   When I tried to run the fmsadmin command on the worker to create the CSR file, I got an error "Error 11000 (invalid command)".  I do not understand what I did incorrectly.  Here is the command I am using on the worker:

       

       

      fmsadmin CERTIFICATE CREATE "/CN=myserver.edu /O=xxxxxxx/C=US/ST=New York/L=New York"

       

       

      Any input is appreciated...

       

      It seems like the wildcard certificate that I have currently installed works on Safari and IE 11 but it does not work on Chrome or Firefox.

        • 1. Re: FileMaker 16 SSL Certificate
          Johan Hedman

          InCommon is not on the list of supported SSL certificates you can use with FileMaker Server.

          Configuring security for FileMaker Server 15 and higher | FileMaker

          • 2. Re: FileMaker 16 SSL Certificate
            wimdecorte

            motasea wrote:

             

            FileMaker 16 SSL Certificate. I recently installed an InCommon WildCard Certificate but despite the fact that the certificate imported in the master and worker without any problem, Google Chrome and Firefox refuse to resolve the WebDirect site. Also, FM Pro is not verifying the SSL either.

             

            Can you describe that a bit more?

            What icon do the browsers show and what explanation?

            In FMP, what is the color of the lock and what is shown when you click the lock?

             

            You do not need a separate cert for each machine; so you do not need to generate one from the master machine. You also don't need to use the CLI to create a CSR, the UI from the admin console is a lot easier to follow.

            • 3. Re: FileMaker 16 SSL Certificate
              motasea

              Yet, the InCommon certificate works with IE 11 and Safari. (See the pictures below for Safari.)

              • 4. Re: FileMaker 16 SSL Certificate
                wimdecorte

                motasea wrote:

                 

                yet, the inCommon certificate works with IE 11 and Safari.

                 

                That's kinda irrelevant - "not supported" means that it may or may not work but that you should expect things to not work or not work consistently.

                 

                Also: note that Firefox is NOT a supported WebDirect browser.

                • 5. Re: FileMaker 16 SSL Certificate
                  motasea

                  I got your point about it not being supported. Tell me which of these is going to be supported for a two-machine configuration, because I just want to make it work.  These are the only CAs that the university supports.

                   

                  InCommon SSL (SHA-2)
                  InCommon WildCard SSL Certificate (SHA-2)
                  InCommon Multi Domain SSL (SHA-2)
                  InCommon Unified Communications Certificate (SHA-2)
                  Comodo EV Multi Domain SSL (SHA-2)
                  Comodo Multi Domain SSL
                  IGTF Server Cert
                  IGTF Multi Domain
                  AMT SSL Certificate
                  AMT Wildcard SSL Certificate
                  AMT Multi-Domain SSL Certificate
                  Comodo Elite SSL Certificate (SHA-2)
                  InCommon ECC
                  InCommon ECC Multi Domain
                  InCommon ECC WildCard
                  Comodo EV SSL Certificate
                  Comodo EV SSL Certificate (SHA-2)

                  • 6. Re: FileMaker 16 SSL Certificate
                    wimdecorte

                    Here are the ones that FMI tested and supports:

                    Configuring security for FileMaker Server 15 and higher | FileMaker

                     

                    Looks like Comodo is going to be your best bet.

                    • 7. Re: FileMaker 16 SSL Certificate
                      motasea

                      Thanks. When I create the CSR on the master machine through the admin console, do I need a different certificate for the worker?  If so, how do I create the CSR?

                      • 8. Re: FileMaker 16 SSL Certificate
                        wimdecorte

                        No you don't need to create a different CSR for the worker.  Provided of course that you are using a wildcard cert.

                         

                        That help page that I linked to explains that.

                        • 9. Re: FileMaker 16 SSL Certificate
                          motasea

                          Thanks. That is a very useful link.  I will try it and report on it. 

                           

                          Based on the above, I should request the "Comodo Elite SSL Certificate (SHA-2)", correct?

                           

                          Do I have to uninstall the wildcard certificate I have now installed on both master and worker? If so, how do I do that?

                           

                          In that link I saw something which I have not seen before.  Do you know why this concatenation matters to the certificate?

                           

                          Concatenate the root and intermediate certificates into a single file

                           

                          Thanks again, this clarifies a lot.

                          • 10. Re: FileMaker 16 SSL Certificate
                            wimdecorte

                            It matters because not all machines have the necessary root and intermediate certs installed.  Without them the actual cert won't work because it can't find info on the 'chain' of trusted providers.

                             

                            To remove what you have: look at the FMS CStore folder and delete the recent files that are there; go by the created/modified date and you'll be able to spot what you imported.

                            • 11. Re: FileMaker 16 SSL Certificate
                              motasea

                              wimdecorte,

                               

                              you said "No you don't need to create a different CSR for the worker.  Provided of course that you are using a wildcard cert."

                               

                              What if I am not using the wildcard certificate?  I do not think I can get one from Comodo because the list above does not provide a wildcard certificate for Comodo. I was thinking of getting this one: Comodo Elite SSL Certificate (SHA-2)

                               

                              If it is not a wildcard, do I need to get two, one for each server?

                               

                              Sorry for all the questions, I just want to make sure.

                              • 12. Re: FileMaker 16 SSL Certificate
                                wimdecorte

                                motasea wrote:

                                 

                                I do not think I can get one from Comodo because the list above does not provide a wildcard certificate for Comodo.

                                 

                                The table on that help article does not specify any wildcards, but they are supported; see bullet #4 in the list above the table.

                                Wildcards have been supported since FMS15 so they are not mentioned separately.

                                • 13. Re: FileMaker 16 SSL Certificate
                                  motasea

                                  Hey,

                                   

                                  just want to say that I was able to resolve the problem.  The problem did not lie in the wildcard certificate or in FileMaker but in the Windows 2012 R2 Servers.  In case anyone else comes into this problem, I hope it helps.

                                   

                                  Issue: the server was reporting the following errors:

                                   

                                  6:20/2017 4:41:20

                                   

                                  A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

                                   

                                  6:20/2017 4:41:20

                                  An DTLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

                                   

                                  6:20/2017 4:40:20

                                  A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

                                   

                                  6:20/2017 4:39:27

                                  A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

                                   

                                  6:20/2017 4:37:25

                                   

                                  An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

                                   

                                   

                                  Also, Chrome and Firefox will not resolve the FileMaker URLs in the client or in the server.

                                   

                                   

                                  Solution:

                                  1 - Open Regedit (Run Command)

                                  2- Go to HKEY_LOCAL_MACHINE --- System --- Control --- SecurityProviders --- SCHANNEL --- Protocols.

                                  3- The following protocols need to be turned off:

                                   

                                  a) PCT 1.0

                                  b) SSL 2.0

                                  c) SSL 3.0

                                  d) TLS 1.0

                                   

                                  4- The following protocols need to be turned on:

                                   

                                  a) TLS 1.1

                                  b) TLS 1.2

                                   

                                  5- under each protocol you will find a client and server protocol. For each client and server protocol change to :

                                   

                                  DisabledByDefault (REG_DWORD) to a 1

                                  Enabled (REG_DWORD) to a 0

                                   

                                  This will disable the protocol.

                                  6- under each protocol you will find a client and server protocol. For each client and server protocol change to :

                                   

                                  DisabledByDefault (REG_DWORD) to a 0

                                  Enabled (REG_DWORD) to a 1

                                   

                                  This will enable the protocol.

                                   

                                  7- Open the Local Group Policy Editor (gpedit.msc) and go to Local Computer Policy --- Administrative Template --- Network --- SSL Configuration Settings --- SSL Cipher Suite Order.

                                   

                                  (By default this policy is set to "Not Configured"; set it to Enabled. Click OK. Even though the state after you close will say "Not Configured", the policy is enabled.)

                                  1 of 1 people found this helpful
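
The registry changes from steps 2 to 6 of the last post, as an added PowerShell example (not part of the original thread and not FileMaker's own tooling). It assumes an elevated session and uses the full key path under `HKLM:\SYSTEM\CurrentControlSet`; the function names `Set-SchannelProtocol` and `Get-SchannelProtocolState` are hypothetical.

```powershell
# Added example: apply and audit the SCHANNEL protocol settings listed in steps 3-6.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol name -> desired state ($false = turned off, $true = turned on).
$desired = [ordered]@{
    'PCT 1.0' = $false; 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false
    'TLS 1.1' = $true;  'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enable)
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$role"
        # The per-protocol subkeys may not exist yet; create them without touching existing ones.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Off: Enabled=0, DisabledByDefault=1. On: Enabled=1, DisabledByDefault=0.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reports the current values and whether they match the desired table.
    foreach ($protocol in $desired.Keys) {
        $want = [int]($desired[$protocol])
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $base "$protocol\$role"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
                Matches           = ($null -ne $p) -and ($p.Enabled -eq $want) -and
                                    ($p.DisabledByDefault -eq (1 - $want))
            }
        }
    }
}

# Apply the table, then print the result so any mismatch is visible.
foreach ($protocol in $desired.Keys) {
    Set-SchannelProtocol -Protocol $protocol -Enable $desired[$protocol]
}
Get-SchannelProtocolState | Format-Table -AutoSize
```

Restart the server after applying the changes; SCHANNEL does not pick up protocol settings until the machine reboots.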