13 Replies Latest reply on Jun 27, 2017 2:19 PM by james_parker

    Export Fields Contents fails in WebDirect: SSL and multi-machine

    JoeMartin

      Hello all,

       

      Here are the specs.  The master and the worker are identical and these specs apply to both:

      Product and version: FileMaker Server 16.0.1.184

      OS and version: Windows Server 2012 R2

      Browser and version: Chrome 58.0.3029.110 (64-bit)

      Hardware: AWS t2.medium: Dual Core 2.40 GHz, 4.0GB RAM

      Description: Export Field Contents fails in WebDirect on a multi-machine deployment with SSL certs installed on worker and master

      How to replicate:

      Set up multi-machine deployment for FileMaker Server.

      Install SSL certs on both worker and master.

      Open Admin console, and go to:

      Database Server -> Security

      Check the box for "Use SSL for database connections"

      Check the box for "Use HSTS for web clients"

      Restart server

       

      Open a file in WebDirect and try to Export Field Contents.  The initial prompt looks successful, but when you click the button to download the file, nothing gets downloaded.

       

      Additionally, calling Get(LastError) after this reports a 0.

       

       

      Workaround:

      Disable these checkboxes:

      "Use SSL for database connections"

      "Use HSTS for web clients"

       

      Then restart server, and have your WebDirect clients connect over HTTP.

       

      Additional Comments:

      Save Records as PDF does work as intended, and the file downloads fine.

       

      I set up a multi-machine deployment solely for the purpose of recreating this issue, and was able to reproduce immediately.  Well, after setting up the multi-machine deployment and the SSL certs.

       

      Safari behaves slightly differently: there is a file that gets put into the download folder, but the file has 0 bytes.  Safari actually throws an error for this saying:

      The File "Filename.png" could not be opened because it is empty

       

      With the cert installed, and HSTS disabled, this becomes easier to test.  I can connect over HTTP and successfully export the container.  When I connect over HTTPS, I get no download (Chrome), or a 0-byte file (Safari).

       

      Any help with this issue would be greatly appreciated.  Please let me know if I can provide any more information.

        • 1. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
          Johan Hedman

          What SSL Certificate do you use?

          • 2. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
            JoeMartin

            I used a Let's Encrypt certificate on both machines.

             

            For my testing environment, each machine has its own certificate.  Master has a cert for fm16master.360works.com, worker has a cert for fm16worker.360works.com.

             

            However, on a client's machine we were having this same problem, so we installed the same certificate on both machines. (Had to get a new SAN certificate that included both domain names.)  However, Export Field Contents was still unsuccessful with identical certs on both machines.

            • 3. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
              Johan Hedman

              Not sure if it will have an effect, but that certificate is not on the supported list, although I know it is used by several other FileMaker developers.

              1 of 1 people found this helpful
              • 4. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                JoeMartin

                Agreed, Let's Encrypt is not on the supported list here:

                Configuring security for FileMaker Server 15 and higher | FileMaker

                 

                I can try to acquire an SSL cert from that list to test with, but I am hoping someone may already have this setup and can confirm whether this makes a difference before I purchase certs just for this purpose.

                • 5. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                  LisaRose

                  If your server is public-facing, and you use an SSL checker like

                  https://www.sslshopper.com/ssl-checker.html , does it indicate the entire chain of trust is valid? If not, that could cause an export field contents failure.

                   

                  And have you tried temporarily removing the worker from the configuration (or taking it offline), so the load balancer has to send all requests through the master? If so, does exporting work then?

                  2 of 2 people found this helpful
                  • 6. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                    JoeMartin

                    Here are the reports from sslshopper:

                     

                     

                    [Screenshot: Screen Shot 2017-06-26 at 5.23.18 PM.png]

                    [Screenshot: Screen Shot 2017-06-26 at 5.23.45 PM.png]

                    These look ok to me, but correct me if I'm wrong.

                     

                     

                    Disabling the worker causes some strange behavior, and may be a separate issue, but if I disable the worker machine but leave the master WPE running like this:

                     

                     

                    [Screenshot: Screen Shot 2017-06-26 at 5.36.51 PM.png]

                     

                     

                    the WebDirect home page loads, but when I try to open a WebDirect File, I get redirected to what I think is the machine name of the master:

                     

                    [Screenshot: Screen Shot 2017-06-26 at 5.31.13 PM.png]

                    [Screenshot: Screen Shot 2017-06-26 at 5.32.11 PM.png]

                     

                     

                    If I disable both the master and the worker WPE, I get a 502.

                     

                    I don't really think disabling the worker is the way to go; this defeats the purpose of a multiple machine deployment.

                    • 7. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                      LisaRose

                      Trust chain seems valid from those results. And agreed you shouldn't have to remove worker in general for your solution. Was just trying to eliminate mWPE configuration as potential source of failure.

                       

                      In your Admin Console screenshot, Host Name for master machine ("Worker Machine: 1") should be displaying its FQDN ("fm16master.360works.com"), not machine's internal name ("FM 16 Test Master").

                       

                      Can you try doing these steps?

                      1. Temporarily remove worker machine (Worker Machine: 2) from deployment (via trashcan button).
                      2. Change 'Server Name' (in General Settings) to FQDN (fm16master.360works.com).
                      3. Redeploy (Server menu>Edit Deployment) without worker.
                      4. Try exporting by pointing to master machine launch center (as test).
                      5. Add worker back into deployment, by entering master's FQDN (not network address) into worker's config screen.
                      6. Try exporting by pointing to either master or worker launch center (load balancer should route you through worker either way, after clicking on database).
                      1 of 1 people found this helpful
                      • 8. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                        JoeMartin

                        Thank you for the steps to try, I hadn't thought of the Server Name.  Unfortunately I'm still failing to export.

                         

                        I trashed the worker, changed Server Name, and redeployed.  I tested exporting again with no worker, and it still failed.  Which is pretty strange, because I don't have this issue on other single-machine deployments. However, I was not redirected to an improper URL; WebDirect worked perfectly until Export Field Contents.

                         

                        I added the worker back in, and I am still not able to export.

                         

                        Here is the WPE config:

                         

                        [Screenshot: Screen Shot 2017-06-26 at 6.36.05 PM.png]

                         

                        Here is adding back in the worker, adding it back was successful:

                        [Screenshot: Screen Shot 2017-06-26 at 6.29.05 PM.png]

                        • 9. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                          LisaRose

                          Ok, thanks for trying this reconfiguration (it was probably a good thing to do anyway).  However, in the meantime, one of my team members (James Parker) tried your certificates with a different SSL checking site (https://www.sslchecker.com/sslchecker) and found that their roots seem to be missing. He will follow up from here...

                          1 of 1 people found this helpful
                          • 10. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                            JoeMartin

                            I do see what you mean, the Root 1 Cert is missing from the chain.

                             

                            I've tested a few other domains, some have root, some don't.  I'm leaving for the day, but I will try to see if I can include the root cert in the chain tomorrow.

                            • 11. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                              james_parker

                              It is likely the serverCustom.pem file located in the FileMaker Server > CStore folder on both machines is missing the Let’s Encrypt Root certificate. You can locate the Let’s Encrypt Root Certificate here: https://www.identrust.com/certificates/trustid/root-download-x3.html

                               

                              Ultimately the serverCustom.pem files on your two machines need to have the following configuration to have a complete “chain of trust”.

                               

                              -----BEGIN CERTIFICATE-----

                              Custom Server certificate

                              -----END CERTIFICATE-----

                              -----BEGIN CERTIFICATE-----

                              Intermediate certificate 1

                              -----END CERTIFICATE-----

                              -----BEGIN CERTIFICATE-----

                              Root certificate

                              -----END CERTIFICATE-----

                              -----BEGIN RSA PRIVATE KEY-----

                              Key file

                              -----END RSA PRIVATE KEY-----

                               

                              Please let me know if you need more detailed steps on getting the files setup in this configuration.

                              1 of 1 people found this helpful
                              • 12. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                                JoeMartin

                                Hey James, thank you for the advice.

                                 

                                I can't seem to include the root in the chain properly.  I added the root cert and private key to the serverCustom.pem following your format, then restarted the server and still no root.

                                 

                                I tried reimporting the cert into FileMaker Server, then modifying the serverCustom.pem to include intermediate, root, and private key, then restarted.  Unfortunately that did not work either.

                                 

                                Could you provide instructions for how to include the root and get FileMaker to recognize it?

                                 

                                Also I'm curious, how do you know that this is the correct root cert?

                                https://www.identrust.com/certificates/trustid/root-download-x3.html

                                 

                                I ask because I am seeing a couple different roots listed by Let's Encrypt here:

                                https://letsencrypt.org/certificates/

                                 

                                I did try some of the root certs listed there but didn't have any luck either.

                                • 13. Re: Export Fields Contents fails in WebDirect: SSL and multi-machine
                                  james_parker

                                  A few months ago I assisted another user who was using a Let’s Encrypt certificate and had the exact same scenario as you are reporting. We were able to get Export Field Contents to work once we had the full “chain of trust” configured correctly. That user explained that implementing their Let’s Encrypt certificate did not follow the standard FileMaker Server certificate import process. At this time I am assuming you performed a similar process so the steps below will reflect that. If the steps below do not seem to match what you are seeing please let me know and we will tackle this another way.

                                   

                                  *This will need to be completed on both machines in your setup.

                                  1. Disconnect (trash-can) the Worker from the Master.

                                  2. Copy the entire CStore folder to a safe place. (e.g. desktop)

                                  3. Create a new folder on the desktop; this is where we will move the files we need for the import process.

                                  4. In the CStore folder locate the following 3 files and place a copy of each in the folder we created on the desktop.

                                     i) crt.pem

                                     ii) interm.pem

                                     iii) serverKey.pem

                                  5. Open the interm.pem file with Notepad.

                                  6. Copy the Root Certificate from: https://www.identrust.com/certificates/trustid/root-download-x3.html

                                  7. Paste the Root certificate above the certificate already located in the interm.pem file so it will look like:

                                  -----BEGIN CERTIFICATE-----

                                  Root Certificate (from https://www.identrust.com/certificates/trustid/root-download-x3.html)

                                  -----END CERTIFICATE-----

                                  -----BEGIN CERTIFICATE-----

                                  Let’s Encrypt Intermediate Certificate (existing contents of the file)

                                  -----END CERTIFICATE-----

                                  8. Save and Close the file.

                                  9. Open Command Prompt and execute the following command: fmsadmin certificate delete

                                  10. Restart the FileMaker Server service via Admin Tools > Services.

                                  11. Log in to the Admin Console, go to Database Server > Security > SSL Connections

                                  12. Import the certificate files from the folder we created on the desktop accordingly:

                                     i) Signed Certificate File = crt.pem

                                     ii) Private Key File = serverKey.pem

                                     iii) Intermediate Certificate File = interm.pem

                                  13. Restart the FileMaker Server service via Admin Tools > Services.

                                  14. Verify you can launch a database from the WebDirect Launch Center.

                                  15. Test Export Field Contents; you may want to test the Master only and if it succeeds then add the Worker and test it.

                                   

                                  Please let me know if you have any trouble or if some of the steps do not match what you are seeing in your setup.

                                  2 of 2 people found this helpful
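
Added example, not part of the thread and not FileMaker tooling: a Python check for the serverCustom.pem layout listed in reply 11 (server, intermediate, root, private key), useful after the re-import in reply 13 to confirm the root actually landed in the bundle. The function names and sample names are hypothetical; it compares issuer and subject names byte for byte and does not verify signatures or the key.

```python
import base64, re
BLOCK = re.compile(r"^-----BEGIN ([A-Z ]+)-----$(.*?)^-----END \1-----$", re.S | re.M)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw issuer and subject Name bytes of one X.509 certificate."""
    pos = tlv(der, tlv(der, 0)[1])[1]        # step into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:                   # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                      # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(text):
    """Problems in a bundle laid out as server, intermediate(s), root, private key."""
    text = "\n".join(line.strip() for line in text.splitlines())  # CRLF, indentation
    blocks = [m.groups() for m in BLOCK.finditer(text)]
    if sum("BEGIN " in l or "END " in l for l in text.splitlines()) != 2 * len(blocks):
        return ["malformed BEGIN/END line (each needs five dashes on both sides)"]
    problems = []
    if not blocks or not blocks[-1][0].endswith("PRIVATE KEY"):
        problems.append("private key block is not last")
    names = [issuer_subject(base64.b64decode(b)) for lab, b in blocks if lab == "CERTIFICATE"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:   # issuer must equal the next subject
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed: root missing")
    return problems

# Constructed sample: unsigned stand-in certificates, short DER lengths only.
def _der(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
def _cert(issuer, subject):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = [_der(0xA0, _der(2, b"\x02")), _der(2, b"\x01"), _der(0x30), name(issuer), _der(0x30), name(subject)]
    return _pem("CERTIFICATE", _der(0x30, _der(0x30, *tbs)))
SERVER, INTERM = _cert("Test Intermediate", "fm.example.test"), _cert("Test Root", "Test Intermediate")
ROOT, KEY = _cert("Test Root", "Test Root"), _pem("RSA PRIVATE KEY", b"placeholder, not a key")
```

To check a real file, pass its contents to `check_bundle`; an empty list means the layout and name chaining match the structure from reply 11.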