23 Replies Latest reply on Jul 27, 2017 1:14 AM by ecallaghan

    SSL in FileMaker 16 - hopeless?

    PaulKneipp

      I am so sick of this endless mucking around with SSL in FMS16. The implementation is a joke. Consider this from any other product:

       

      1. FileMaker only approve certain providers of certificates.

      2. Naturally, they are all quite expensive.

      3. GoDaddy are one of the cheapest, therefore popular - but their tech support I spoke to had "never heard of FileMaker"

      4. Installing the certificate is like a black art. One certificate? Two? The bundle as the intermediate? A generic intermediate?

       

      I have spent over 3 hours installing and re-keying the server and the end result is always the same. Trusted by the web client - not trusted by FileMaker or the Console on the server.

       

      FileMaker need to own up to the fact that this is a rubbish implementation of the protocol and fix it. Some decent instructions would be a start, instead of relying on all of us as free bug testers.

        • 1. Re: SSL in FileMaker 16 - hopeless?
          wimdecorte

          Are you asking for help or just venting?

          • 2. Re: SSL in FileMaker 16 - hopeless?
            DavidJondreau

            I too would love if cheaper certs were supported... "Free SSL for Everyone!" I say. But for business applications, $70/year ain't bad.

             

            I don't know about bundles, but there were two things that I've had to make sure I do when I install certificates. One is to install the intermediate on FMS. It was optional in FMS14, but doesn't seem to be in FMS 16. The other is to choose the right operating system when downloading from GoDaddy.

            • 3. Re: SSL in FileMaker 16 - hopeless?
              aknudsen

              I have the $70 GoDaddy cert and have no issues. Remember to clear out the permitted hosts under preferences if you've not done so already.

              • 4. Re: SSL in FileMaker 16 - hopeless?
                RickWhitelaw

                How about LetsEncrypt? Free but not approved by FM.

                • 5. Re: SSL in FileMaker 16 - hopeless?
                  wimdecorte

                  A good SSL certificate does two things: it allows the traffic to be encrypted between host and client, and it validates (certifies) that you connect to who you think you connect to.  Part of issuance of a cert is that the certificate authority does some checking that you own the domain name.

                   

                  "Let's Encrypt" only does the first part: it makes HTTPS available by allowing the encryption. But it does nothing at all to validate ownership. As such it is not a very trusted Certificate Authority (CA) and its certs have been used for lots of shady activity, just because many people think that the encryption of traffic is what makes the connection safe. And it does to some extent but not if you connect and flow data to an entity other than what you intend to...

                   

                  So: there is no such thing as a free lunch.

                  2 of 2 people found this helpful
                  • 6. Re: SSL in FileMaker 16 - hopeless?
                    jormond

                    If you want help, just say so. We would be glad to help. I have installed certificates on a dozen servers, and have never had an issue. Aside from the first one that I did, because I was an 'SSL newbie'.

                    • 7. Re: SSL in FileMaker 16 - hopeless?
                      PowerSlave

                      When we recently installed a certificate on our FMS16 implementation, we did not bother with using the FileMaker server method, but instead used the method that is normally used in IIS. Now both FMS and FileMaker server are satisfied with the certificate. Food for thought.

                      1 of 1 people found this helpful
                      • 8. Re: SSL in FileMaker 16 - hopeless?
                        PaulKneipp

                        The thing is, I have trawled through all the threads here on this topic, several times. And tried them all. After all, the definition of insanity is . . . But what I see is not consistent behaviour. Some people say they have no issue. Some perform exactly the same steps and get problems. Some say for server type choose "other". Some people say differently. There is obviously a problem. I have installed SSL certificates onto Mac and Windows servers many times and this whole process smacks of a bad design. In project management, this is what is called "the final 5%". This is the last stage of any project and it's actually the most important. If I were running FileMaker and there were specific needs for the final 5%; I'd be making sure that the certificate vendors would not receive a recommendation unless they were prepared to host a support FAQ on FMS. I just hate wasting time on vague processes. FileMaker server and Web Direct are superior products and this is just a bad fail as far as I'm concerned. For a start, why not put a working procedure for Windows and Mac servers? I don't have any problem paying for a certificate. I'd like it to work.

                        • 9. Re: SSL in FileMaker 16 - hopeless?
                          PaulKneipp

                          Thanks for the post. I presume you removed the FMS instance?

                          • 10. Re: SSL in FileMaker 16 - hopeless?
                            user19752

                            FM shows this in "Open Remote" Network path entry dialog

                            But using an IP address makes the SSL connection unreliable if the cert uses a domain name.

                            • 11. Re: SSL in FileMaker 16 - hopeless?
                              jormond

                              For GoDaddy:

                              • Signed Certificate file = the one with long string of alpha-numeric characters. ( example: 9032415i611b837e.crt )
                              • Private Key File = serverKey.pem ( this was created when you create the CSR, don't forget the password for the file ).
                              • Intermediate Certificate file: gd_bundle-g2-g1.crt ( this didn't used to be required but is in 16 ).

                               

                              If this is not importing, then likely you have the wrong key file, or wrong password for the key file.

                               

                              If it imports, but is not shown as secured, make sure you stopped and restarted the Server process. ( fmsadmin restart server ) Make sure you allow sufficient time for the process to shut down all the way. I've run into problems by restarting it prematurely. It may take several minutes for the server process to reignite.

                               

                              If this is unsuccessful, generate a new CSR. Make sure you have all the info GoDaddy requires ( or whatever CA you are using. Comodo was the most difficult to figure out what info they require in the CSR, it is buried on their site. I found it by accident ). Then reissue the cert. Try to reimport.

                               

                              If this doesn't work, you may need to reinstall FMS. If you do this, be sure to rename the old folder, in case there are any lingering pieces that may be tripping you up.

                               

                              This process has worked successfully for me almost every time. The exception being if there was another problem on the server.

                               

                              As a side note, we have recently run into SSL issues with several other products. It's not just FM. We have been working with another vendor for 5 full business days trying to get something to work, that seems like it's an SSL problem. There are easier routes, but as Wim pointed out, they are not really that secure, because they do not actually verify the company or server.

                              2 of 2 people found this helpful
                              • 12. Re: SSL in FileMaker 16 - hopeless?
                                PaulKneipp

                                Very decent of you to post this. I have done all of this a few times but this summarises the procedure. I'm not having any issue with the import. It does work in a browser, however the error in the FMP client is "Hostname mismatch". Yet the cert checks out as fine. The only thing I haven't done is re-install FMS. Of course, I'm reluctant to do this, because the server is in use; and there is a bug in the version of VMware which very occasionally causes the server to fail to restart if that were needed. IT are upgrading but it hasn't been done yet. I'm in the middle of one project so I'll have to wait. It's frustrating though. I've never had an SSL issue like this myself. It's as though it's half working. I had to fight to get this server in the environment I'm in and they watch me like a hawk. I hate security bugs because it's something they can pick on. Thanks for your help.

                                • 13. Re: SSL in FileMaker 16 - hopeless?
                                  CarlSchwarz

                                  PaulKneipp wrote:

                                   

                                  It does work in a browser, however the error in the FMP client is "Hostname mismatch" Yet the cert checks out as fine.

                                  Are you connecting to the server with the same FQDN as the SSL certificate?  If not then you will have that error.  The FQDN of the certificate and the address you type in FileMaker in the "Open Remote" or "Manage External Data Sources" must be exact.

                                  e.g. if your SSL FQDN = "yourbiz.com"  you can't use "yourbiz.local" or "192.168.0.2" or "server.yourbiz.com".  You must use SSL FQDN exactly.

                                  Secondly OSX will store whatever you used the first time you connected to the server in the keychain and even if you type the right FQDN later the old address may be cached and OSX can fall back to that.  Delete out old entries from keychain.

                                  1 of 1 people found this helpful
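
Added example (not part of any post in this thread, and not FileMaker's code): a sketch of standard TLS name matching, showing why the addresses named in the post above, and the IP address case raised in reply 10, produce a hostname mismatch. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; `check_host` is a hypothetical helper name.

```python
import ipaddress

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output;
# the names follow the examples in the post above.
SAMPLE_CERT = {"subjectAltName": (("DNS", "yourbiz.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.yourbiz.com"),)}


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive label-by-label comparison with a left-most wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):           # a wildcard never spans more than one label
        return False
    if p[0] == "*" and len(p) >= 3:
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def check_host(cert, typed):
    """Return (ok, reason) for the address a user typed into the client."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(typed)
    if ip is not None:
        # IP literals are only compared with IP SAN entries, never DNS names.
        if ip in [_as_ip(v) for k, v in sans if k == "IP Address"]:
            return True, "matches an IP SAN"
        return False, "IP address typed, certificate has no matching IP SAN"
    names = [v for k, v in sans if k == "DNS"]
    for name in names:
        if _dns_match(name, typed):
            return True, f"matches DNS SAN {name}"
    return False, f"hostname mismatch: {typed} is not covered by {names}"


if __name__ == "__main__":
    for host in ("yourbiz.com", "server.yourbiz.com", "yourbiz.local", "192.168.0.2"):
        print(host, "->", check_host(SAMPLE_CERT, host))
    for host in ("server.yourbiz.com", "yourbiz.com", "a.b.yourbiz.com"):
        print("wildcard:", host, "->", check_host(WILDCARD_CERT, host))
```

The wildcard cases go beyond what the post covers: `*.yourbiz.com` matches `server.yourbiz.com` but not the bare `yourbiz.com` or a two-level name under it.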
                                  • 14. Re: SSL in FileMaker 16 - hopeless?
                                    ch0c0halic

                                    Also delete any favorites you have for the Server and any Databases on it. These also store the host name at time of creation and will prevent future connections from working.

                                    1 of 1 people found this helpful