20 Replies Latest reply on Jul 13, 2017 6:07 AM by wimdecorte

    Certificat 2 times

    bkaisin

      Hello,

       

      since FMS 16 we have a red padlock when no certificate is installed.

      Until now, I was using my FM files through my Lan only -> no certificate needed.

      Before I change anything I would like to have some advice about the following point.

       

      Now some files will be published with WebDirect.

      I bought a certificate and I will install it on my domain name.

      But should I install the certificate in my FMS16 as well?

      Will the files be encrypted 2 times?

       

      If no, should I check the "Use SSL connection" button in FMS?

      From the web the file will be encrypted by the installed certificate on my domain name, isn't it?

       

      If yes, does FMS use this certificate only for the local connection and not encrypt for the web?

       

      Thanks

      Ben

        • 1. Re: Certificat 2 times
          mikebeargie

          With SSL, you want to purchase a certificate specifically for your filemaker server. The "domain name" is assigned to your filemaker server directly in most cases.

           

          E.g. if I have a domain called "db.mydomain.com" that I point to the IP address of my filemaker server, I will issue the SSL certificate to db.mydomain.com and install it on the filemaker server. This is independent of the certificate on my web server that would be at www.mydomain.com

           

          So traffic is not encrypted twice, they're two servers, two domain addresses, and two separate certificates entirely.

          2 of 2 people found this helpful
          • 2. Re: Certificat 2 times
            wimdecorte

            Mike Beargie wrote:

             

             

            So traffic is not encrypted twice, they're two servers, two domain addresses, and two separate certificates entirely.

             

            Further to what Mike is saying:

            The web server certificate encrypts the traffic between the user's browser and the web server.

            The FMS certificate encrypts the traffic between the web publishing engine and the database engine

             

            Those are two different pieces of the total route the data flows through.

            2 of 2 people found this helpful
            • 3. Re: Certificat 2 times
              bkaisin

              Thank you for your replies.

               

              I have another question:

              I will build a basic static html file for my domain name.

              On this page I will put a button to reach my FMS files -> link like https://myIP/fmi/webd/myFile

              I read that many people create a subdomain to reach their FMS.

              Is it necessary in my case?

              My FMS is not linked with any domain in my office.

              Can I install the same certificate on both (domainname.com and FMS)?

              I bought the domain name and certificate at godaddy.com.

              Anything more to know before I secure FMS and build this html file?

              I can't any disruption.

              Thanks for your help.

              • 4. Re: Certificat 2 times
                wimdecorte

                bkaisin wrote:

                 

                 

                On this page I will put a button to reach my FMS files -> link like https://myIP/fmi/webd/myFile

                 

                In order for the connection to webdirect to be secure you cannot use the IP address of where your FMS is. It has to be a fully qualified domain name and that means it has to be 'routable' in DNS.

                 

                I typically use a subdomain and get a wild card cert, so that I can have one cert to cover pretty much everything and have total flexibility.

                 

                Since you already have the cert for your domain and not a wildcard, I think you can achieve what you are after by setting up your DNS properly to point to your FMS machine directly on the web url. Perhaps. I would much prefer a cleaner approach with subdomain FQDN.

                 

                Read up on your DNS options by googling the difference between a DNS A record, a CNAME record,...

                Differences between the A, CNAME, ALIAS and URL records - DNSimple Help

                1 of 1 people found this helpful
                • 5. Re: Certificat 2 times
                  fmpdude

                  That's as clear as a textual explanation can be, I think.

                   

                  It would be great if there were (and maybe there are?) step by step walk-throughs, with screenshots, and maybe videos, for setting up SSL with FMS.


                  This question comes up a lot and better documentation could be very helpful.

                   

                  -

                   

                  Since I have Comcast Home, and the thus-required DDNS service, I gave up on trying to secure FMS (trial) with an SSL Certificate as an exercise. Since Comcast blocks port 25 for home users (Comcast: sorry, no email server for you home user.), I can't create an "admin@" type address on the domain itself (required when you get the SSL cert.).

                   

                  So for this exercise, I would have to get Comcast Business ($$$). Thus, just to get an SSL certificate, as I understand this process for FMS, it would cost me a couple hundred dollars a month for Comcast Business, Plus the yearly (wild-card, possibly) certificate ($150+/yr). Plus the time and frustration for configuration.

                   

                  Then, after all these hundreds of dollars are flying out the window, monthly, there's the amazingly huge cost of FMS itself, which is anything but trivial.

                  • 6. Re: Certificat 2 times
                    wimdecorte

                    Working backwards:

                     

                    fmpdude wrote:

                     

                     

                    Then, after all these hundreds of dollars are flying out the window, monthly, there's the amazingly huge cost of FMS itself, which is anything but trivial.

                     

                    If we're talking about testing then the version of FMS that you get with FDS costs you $99.

                     

                     

                    fmpdude wrote:

                    I gave up on trying to secure FMS (trial) with an SSL Certificate as an exercise. Since Comcast blocks port 25 for home users (Comcast: sorry, no email server for you home user.), I can't create an "admin@" type address on the domain itself (required when you get the SSL cert.).

                     

                    This I don't understand. You don't need your own email server in order to get an SSL cert. Typically you only need to prove ownership of the domain you are trying to protect. If both the domain and the SSL cert are from the same provider (like GoDaddy) then that process is trivial. But even otherwise, getting an SSL does not require a specific ISP subscription, nor your own mail server.

                     

                    fmpdude wrote:

                     

                    Plus the yearly (wild-card, possibly) certificate ($150+/yr). Plus the time and frustration for configuration.

                     

                    True, the wildcard cert will cost anywhere from $100 to $300 a year. But that would be a cost saving over buying and maintaining multiple individual certs. If you only need to protect one FQDN then a simple cert will do and will cost you a few dozen dollars.

                     

                    The time & frustration: that's mostly learning curve pain.  Once you do it and document your process it becomes easy.

                    And it (SSL+DNS setup) is not necessarily something that FM developers need to become good at. Just like setting up a VPN or other networking specialities: you can choose to hire help to do it. It's not a FM cost, it's the cost of wanting to secure the deployment. That applies whether or not FM is in use.

                    • 7. Re: Certificat 2 times
                      fmpdude

                      Wim,

                       

                      Great info!!

                       

                      1. Key question: does the $99 FMS version let a client connect to a FMP solution over the web to play/test/see with something you posted on your server via Webd or otherwise? That one connection? Just wondering how restrictive the license is. $99/yr. is definitely doable.

                       

                      2. To get an SSL certificate, I was told (by NOIP.COM tech support) that you need an "admin@" email address on that domain email account or, I'm told, the certificate won't be verified. That was a cheapy $19.99 certificate from NOIP.COM. What you're saying is how I "thought" it would work, actually. However, since I have a Dynamic IP, I need to find a SSL vendor that can do what NOIP.COM does -- to keep my dynamic IP in sync with my domain name. I wrote them back for clarification in case I missed something.

                       

                      3. Wild-card cert. Yep, I agree, just not expecting all these costs as part of an "experiment", though it sounds like I can keep using Comcast home account if, in 2. above, I really don't need a working email account on the Mac Server.

                       

                      A wild-card certificate would be good, too, since at some point, I'll want to SSL-protect Apache Tomcat (port 8443). That's another nasty configuration, but, like you said, it's mostly that I write code and don't regularly do this network/security stuff.

                       

                      --

                      Finally, why don't you write a white paper or something? You're clearly the expert-go-to guy here on this information. I don't mind figuring things out, but some of the companies that do the SSL/DDNS stuff are small and tech support is limited.

                       

                      Thanks for all the good information. You're amazing.

                      • 8. Re: Certificat 2 times
                        wimdecorte

                        fmpdude wrote:


                        Finally, why don't you write a white paper or something? You're clearly the expert-go-to guy here on this information. I don't mind figuring things out, but some of the companies that do the SSL/DDNS stuff are small and tech support is limited.

                         

                        One of our guys is presenting a session at devcon on this: FileMaker Developer Conference | Soliant Consulting

                        Reason enough to go

                         

                        As to the licensing restriction: pretty sure that it is ok for a client to log in and help test.  Not ok if is used for production.

                        • 9. Re: Certificat 2 times
                          fmpdude

                          Sigh...

                           

                          Go-Daddy might work with FMS, but they don't offer DDNS for my dynamic Comcast IP. Just called them.

                           

                          NOIP.COM, on the other hand, has DDNS and inexpensive certificates, but those certificates aren't accepted by FMS (at least none of the names match exactly).

                           

                          It therefore appears the only solution would be Comcast Business with a static IP where, additionally with static IP (rip-off priced at $20/mo.), they force you to rent their router (rip-off priced at $15/mo.). Prob. $200-$300/mo. even before certificate expenses.

                           

                          If FMS only ran on Linux (CentOS, for example)...

                           

                          ----

                           

                          BTW, here's a great SSL video for FMS on Youtube:

                           

                          FileMaker News-FileMaker Server 15 SSL Encryption Security Setup-FileMaker Pro 15 Video Course - YouTube

                          • 10. Re: Certificat 2 times
                            wimdecorte

                            Or... implement a VPN and do your DNS internal.  Your VPN connection would go to your DDNS (it's what I do for my home office).  And once inside the VPN the assigned local IP address for the connection talks to my internal DNS.  DNS is part of your Mac Mini's server capabilities and very easy to set up).  And you have the added benefit of being able to talk to all of your FMSes if you have multiple, and you can keep your perimeter firewall fairly tight and closed.

                            1 of 1 people found this helpful
                            • 11. Re: Certificat 2 times
                              fmpdude

                              I'm actually using a 2009 iMac 16 GB RAM, 4 core i7 with Mac OS Server and, yep, I do have VPN running. VPN was actually the easiest service to get working. Worked the first time. I have DNS setup, too (as per Todd Olthoff's excellent Mac OS Server videos on YouTube), and it works with NOIP.COM. Actually, everything works (FMS, Tomcat, web services, anything I add to the ports list where Mac OS Server nicely updates my Airport Extreme), just no SSL.

                               

                               

                              Sorry, but I'm still not sure of the steps I would have to do to make this work as you're saying. I now know how my cats feel when I'm talking to them.

                               

                              I'll go back and re-watch Todd's SSL video. He also uses a NOIP type service so maybe there's something in that video that would seem more important (like get it working...) now.

                               

                              Thanks Wim.

                              • 12. Re: Certificat 2 times
                                bkaisin

                                Hello,

                                 

                                Does someone have some experience with GoDaddy?

                                As I told you I bought mydomain.com and a standard SSL certificate at GoDaddy.com.

                                 

                                Before installing a certificate I tried (to be sure my FMS can be reached): http://my_IP/fmi/webd/ and I can reach my FMS without security and it works.

                                 

                                Then with my account at godaddy.com:

                                • I create a subdomain: fm.mydomain.com

                                • I create an A record for fm pointing to my IP address

                                • With my FMS16 I create a SSL request with *.mydomain.com.

                                After installing the certificate in FMS it does not work (red padlock with FM) and the link https://fm.mydomain.com/fmi/webd/myFile does not work -> invalid certificate.

                                 

                                I rekey with fm.mydomain.com -> same problem.

                                I rekey with my domain.com -> Can't work because fm is not secure.

                                 

                                I call GoDaddy 2 times:

                                • First they told me to put an htaccess file for my subdomain -> this is absurd because it's the same problem fm is not secure and I can't use direct IP address.

                                • After they want to rekey for me (paid service, yes you read well: Paid service). I ask them to have the warranty that fm will be secure but they can't give me this warranty. To pay for what? The rekey is available on their website!

                                • After they told me that with my standard SSL the subdomain can't work. I have to buy the UCC/San SSL at nearly 3 times the price and no refund or upgrade because, as they said, I use already my certificate.

                                 

                                I check their website and at SSL Certificate | Secure Your Data & Transactions

                                at the bottom of the page in their comparison of SSL types, it's written "Protects all subdomains" for my standard SSL.

                                 

                                I don't know if someone has experiences with those clowns but I am very upset.

                                Or did I make something wrong?

                                At this stage I need some help. Should I quit Godaddy and start from scratch to another provider?

                                 

                                Ben

                                • 13. Re: Certificat 2 times
                                  PeterDoern

                                  I successfully installed GoDaddy certificate twice thanks in large part to the "correct" answer I found in this thread: The Filemaker Server 16 and SSL tragedy topic

                                   

                                  I would not have known that I needed an intermediate certificate or where to get it except for that thread.

                                   

                                  Also, it looks like...

                                  • With my FMS16 I create a SSL request with *.mydomain.com.

                                  ... might be where you're failing unless the certificate you got from GoDaddy is a wildcard certificate. I think your request should match the subdomain you created: fm.mydomain.com.

                                   

                                  Peter
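The name-matching rule behind Wim's point in reply 4 (a bare IP in the URL can never be "secure") and Peter's in reply 13 (the request must match fm.mydomain.com unless the certificate is a wildcard), as an added Python illustration that is not from this thread. The SAN lists below are constructed samples for the three rekeys Ben describes, not what GoDaddy actually issues.

```python
"""Hostname matching as browsers and FileMaker clients apply it when opening
https://host/fmi/webd/... (RFC 6125 section 6.4.3 rules, SAN entries only;
modern browsers ignore the Common Name). Added example, not FMS code."""
import ipaddress


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against the host typed in the URL.

    - comparison is case-insensitive and ignores a trailing dot;
    - '*' is honoured only as the entire left-most label (never 'f*.x.com');
    - '*' matches exactly one label: *.mydomain.com covers fm.mydomain.com
      but neither mydomain.com nor a.b.mydomain.com, and '*.com' is refused.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_covers(san_names, url_host: str) -> bool:
    """True if a certificate carrying these SAN entries is valid for url_host.

    san_names: list of ("DNS", name) or ("IP", address) tuples, mirroring the
    subjectAltName extension. A bare IP in the URL matches only an iPAddress
    entry, which public CAs issue rarely, so https://myIP/ fails by design.
    """
    try:
        url_ip = ipaddress.ip_address(url_host)
    except ValueError:
        url_ip = None
    for kind, value in san_names:
        if url_ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == url_ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, url_host):
            return True
    return False


# Constructed sample SAN lists (assumptions, not real issued certificates).
STANDARD_CERT = [("DNS", "mydomain.com"), ("DNS", "www.mydomain.com")]
WILDCARD_CERT = [("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")]


def report(san_names, url_host: str) -> str:
    """One-line verdict, e.g. 'fm.mydomain.com: NAME MISMATCH'."""
    verdict = "OK" if certificate_covers(san_names, url_host) else "NAME MISMATCH"
    return f"{url_host}: {verdict}"


if __name__ == "__main__":
    for host in ("mydomain.com", "fm.mydomain.com", "203.0.113.10"):
        print("standard ", report(STANDARD_CERT, host))
        print("wildcard ", report(WILDCARD_CERT, host))
```

Ben's third rekey (a certificate for mydomain.com used at fm.mydomain.com) is the STANDARD_CERT mismatch case; a wildcard or a certificate requested for fm.mydomain.com itself is what passes.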

                                  • 14. Re: Certificat 2 times
                                    bkaisin

                                    Thanks for your reply Peter,

                                     

                                    that's exactly what I have done.

                                    I imported both certificate files ( 3dec27f26b7b6feb.crt and gd_bundle-g2-g1.crt ) into FMS.

                                     

                                    Godaddy told me that the standard certificate ($76.99/y) does not work for subdomains.

                                    But on their website it's written: "Protects all subdomains".

                                     

                                    Which SSL certificate did you buy?

                                     

                                    I have only 1 domain name and I need 1 subdomain for my fms.

                                    If only the subdomain is protected, it's enough for me.

                                     

                                    Ben
