13 Replies Latest reply on Jul 4, 2017 2:25 AM by ToddWiener

    SSL Name Mismatch

    ToddWiener

      I have an SSL certificate from GeoTrust properly installed on FileMaker Server 16 running on a Mac Mini.
      When connecting with a FileMaker Pro Advanced 16 Client, the certificate shows as not valid. (Host name mismatch.)

      Other threads have suggested this may be an issue with the intermediate certificate, but I have that properly installed as well.

       

      Has anyone else encountered and/or resolved this issue?

        • 1. Re: SSL Name Mismatch
          fmpdude

          You're running Mac OS Server?

           

          I'm curious about this issue as well. I just installed FMS (trial) on Mac Server Sierra and from all the problem postings I've read here about FMS+certificates, it certainly sounds like getting FMS to correctly (or at all) import Server certificates is problematic. Maybe this is just related to Mac OS Server?

           

          Regardless, if you have a functioning certificate for your Mac Server that's recognized by a browser as being legitimate and is thus properly set up, but you can't import it into FMS, that seems to me like a bug (in FMS) and you should report it.

           

          Please update this thread with any updates.

          • 2. Re: SSL Name Mismatch
            Jason Wood

            Does Get ( HostName ) return the expected host name as it appears on the certificate?

            1 of 1 people found this helpful
            • 3. Re: SSL Name Mismatch
              ToddWiener

              I deleted a previously saved certificate in keychains on the client and this seemed to resolve the issue. I will do further testing.

              • 4. Re: SSL Name Mismatch
                bigtom

                FMI does keep improving the SSL process with each version and they seem very surprised that anyone has any sort of trouble. They seem to think it is a foolproof system. This is a piece of FMS that they seem to take seriously and have actively engaged with those having issues in order to improve the process. It is fairly simple and once you understand how FMS wants it done you get it. However, many installs will be the only one time this gets done by a single individual and that makes the process seem difficult.

                 

                They have been improving the process since v14, but there are still a lot of people having issues. I would like to say that 80% of the problems that people have could be solved with proper documentation. FM support is not extremely helpful and eventually they will get you there with some long phone calls. The FM support route is to reinstall a fresh OS and FMS and rekey a certificate for the fresh install. This is actually not difficult to do and I would recommend it to anyone with an issue. The fact that FMI relies heavily on this community to support these kinds of issues is interesting.

                 

                Most of the issue is also with the movement from "Please use SSL" to "You really need to be using SSL for FMS to function fully." Making SSL mandatory to avoid the nasty insecure connection warnings put the process in the hands of every install and not just those that choose to use it. Plenty of people installing SSL on LAN without a DNS server and still getting insecure warnings and wondering why. Not enough documentation.

                 

                With FM16 I know that I reported SSL problems including the name mismatch early, but I guess they were not prepared to make changes or evaluate this before release.

                 

                FMI tends to lean on the "You are not doing it correctly" idea rather than the "We did not make it really clear how this works" idea. They might be forgetting that a lot of people running FMS are not "network" people. The fact remains that people are having issues. I certainly hope they get it sorted in the next version.

                 

                The other 20% that are issues are those doing deployments that are not normal and need special consideration.

                 

                Hopefully TSGal continues to make sure these threads on SSL install problems continue to make it to the proper departments.

                • 5. Re: SSL Name Mismatch
                  ToddWiener

                  I agree with you. But they ought not make SSL required. If your server is not on the internet, there's no reason to go through the expense and hassle of SSL certificates.

                  • 6. Re: SSL Name Mismatch
                    fmpdude

                    Nicely put!

                    • 7. Re: SSL Name Mismatch
                      TSGal

                      bigtom:

                       

                      Thank you for your comments and perceptions.  I have sent your post to the FileMaker Server Product Manager, the Testing Manager for FileMaker Server, and the lead Support Technician for FileMaker Server.

                       

                      Looking through your case history for calls into Technical Support, I could not find a record pertaining to SSL.  Do you remember approximately when you talked to Technical Support about SSL?  I will follow up with the Support Technician.

                       

                      TSGal

                      FileMaker, Inc.

                      • 8. Re: SSL Name Mismatch
                        TSGal

                        ToddWiener:

                         

                        SSL is not required.  I have access to several FileMaker Server machines, and most do not have a certificate as SSL is not turned on.  Those machines without a certificate are only available on our local area network.

                         

                        TSGal

                        FileMaker, Inc.

                        • 9. Re: SSL Name Mismatch
                          bigtom

                          SSL is not required, but users get a lot of warnings reminding them the connection is not secure and many people get scared by that. Scaring users or making them feel unsafe is not a good idea. Yes you can always allow connection in FMP/Go and skip the messages in the future, but the idea is always there and lingering.

                          • 10. Re: SSL Name Mismatch
                            CarlSchwarz

                            ToddWiener wrote:

                             

                            When connecting with a FileMaker Pro Advanced 16 Client, the certificate shows as not valid. (Host name mismatch.)

                             

                            Is the client connecting via the FQDN registered on the certificate or via the IP address or some other dns name?

                             

                            e.g. if the certificate is registered for server.yourcompany.com.au then the client needs to use that address in the "Open remote" dialogue box or have that address in the "External Data Sources" in FileMaker.

                            If the client instead is entering localhost or 192.168.0.10 or server.yourcompany.local etc. etc. then it won't work, the address used to access the server must be the same as the certificate.
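
The matching rule described in the reply above, as an added example that is not part of the original thread or FileMaker's own code: it checks each address a client might type against the names on a certificate. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are hypothetical.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare one DNS name on the certificate with the typed host name.
    '*' is honoured only as the entire leftmost label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, address):
    """True if `address` (what the client typed) is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(address):
        # An IP address only matches an IP entry, never a DNS name.
        want = ipaddress.ip_address(address)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, address)
               for kind, value in sans)

def check_addresses(cert, addresses):
    return {addr: name_matches(cert, addr) for addr in addresses}

# Constructed sample certificates using the host names from the reply above.
CERT = {"subjectAltName": (("DNS", "server.yourcompany.com.au"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.yourcompany.com.au"),)}
TYPED = ["server.yourcompany.com.au", "SERVER.yourcompany.com.au.",
         "localhost", "192.168.0.10", "server.yourcompany.local"]

if __name__ == "__main__":
    for addr, ok in check_addresses(CERT, TYPED).items():
        print(f"{addr:32} {'match' if ok else 'HOST NAME MISMATCH'}")
```

Only the two spellings of the registered FQDN match; the IP address, `localhost` and the `.local` name all produce a mismatch even though they reach the same server.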

                            • 11. Re: SSL Name Mismatch
                              ToddWiener

                              This occurred when opening from the Launch Center, where I was presented with the FQDN.

                              • 12. Re: SSL Name Mismatch
                                CarlSchwarz

                                Just double checking, is the dialogue box the same as what is shown below?

                                Also in the image note the two circles, if they are not identical then there will be an SSL error, are they identical?

                                (I've hidden the full server address just for security)

                                Cert.PNG

                                • 13. Re: SSL Name Mismatch
                                  ToddWiener

                                  I got that message when I tried connecting with the IP address and approved connections to that IP address. Subsequently I connected with the FQDN and the security icon showed the warning. After deleting the certificate in keychain, the problem went away, leading me to believe that the local certificate was caching the mismatched name.