10 Replies Latest reply on Aug 11, 2017 7:21 AM by taylorsharpe

    Can a valid SSL-certificate be invalid?

    MichaelHeider

      Hi,

      I've got an Apple Mac OS X 10.11 server computer with FileMaker Server installed and a DNS server routing the name of the server to its own IP address. With that configuration I can use a valid SSL certificate in the intranet, because the server name (with domain name) of the certificate is routed to the right machine.

       

      But when I connect with a client machine to FileMaker Server, the warning box says the certificate isn't valid. But when I hit "View Certificate", the certificate has a green OK icon and the description says "This certificate is valid". So, what is right: Is the certificate invalid or is it valid?

      The same, when I open a file: The security icon is orange. But when I click on it, I get the same message: Green OK and "This certificate is valid".

       

      It seems on Mac OS with Mac clients FileMaker server can't decide whether a certificate is valid or not ... Can that be?

       

      Server:

      Mac OS 10.11.6 with server app running

      FileMaker Server 16.0.2

       

      Client:

      Mac OS 10.11.6

      FileMaker Pro 16.0.2 Advanced

       

      PS: The used SSL-certificate is a GeoTrust TrueBusiness for "fms01" with SAN for "fms04" (which is the LAN name of the server).

      PPS: The same certificate used with WIN server and similar configurations: No problem, valid certificate, green icons everywhere!

        • 1. Re: Can a valid SSL-certificate be invalid?
          philipHPG

          The certificate is valid, but it is not for the domain that you are using. The certificate is for fms01.michaelheidergmbh.com but you are trying to use it to connect to fms04.michaelheidergmbh.com.

          • 2. Re: Can a valid SSL-certificate be invalid?
            MichaelHeider

            Yes, that is right, but in the SAN part of the certificate "fms04.michaelheidergmbh.com" is also registered!

            Verified with Windows server that this works correctly!

            -Michael

            • 3. Re: Can a valid SSL-certificate be invalid?
              wimdecorte

              Did you import the intermediate certificate when you installed the cert in FMS?

               

              How are the users connecting?  Through a favorite host entry in FMP or finding in the list of local hosts?

              • 4. Re: Can a valid SSL-certificate be invalid?
                MichaelHeider

                Hi Wim,

                 

                No, I didn't import an intermediate certificate. I have used GeoTrust certificates for more than three years and did not need to import anything other than the SSL certificate itself. Do you think we need to import intermediate certificates now?

                I use a similar certificate on a WIN server without any problems and there I didn't import an intermediate certificate either.

                 

                The clients are connected via favorite host entry with the complete server name (incl. domain).

                 

                Maybe FMS on Mac doesn't check the SAN part of an SSL certificate?

                 

                -Michael

                • 5. Re: Can a valid SSL-certificate be invalid?
                  wimdecorte

                  FMS16 seems to need it for best results.

                   


                  1 of 1 people found this helpful
                  • 6. Re: Can a valid SSL-certificate be invalid?
                    ch0c0halic

                    Check the release notes.

                     

                    Security

                     

                         • When importing a custom SSL certificate signed by an intermediate certificate authority, you must include the intermediate certificate file. On the Admin Console Database Server > Security tab, for Intermediate Certificate File, click Browse and select the intermediate certificate file.

                     

                     

                    In FMS, since the intermediate certificate data is not required for all certificates, the UI can't require it. However, since most times we, the installers, don't know if there is an intermediate signing authority, it is in our best interest to always install it.

                     

                    IMHO this is now a 'best practice' for FMS 16 (and beyond).

                    2 of 2 people found this helpful
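
Added example, not part of any post in this thread and not FileMaker tooling: a shell script that builds a constructed root, intermediate and server certificate with OpenSSL and checks them the way a client that trusts only the root would. It shows the leaf being rejected when the intermediate is missing, and a host name from the SAN being accepted once the intermediate is supplied. The `example.test` host names and all file names are made up, and OpenSSL 1.1.0 or later is assumed.

```sh
# Added example: constructed CA hierarchy, not the poster's GeoTrust certificate.
# The example.test host names are made up. Assumes OpenSSL 1.1.0 or later.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a key and a CSR for subject $2, written to $WORK/$1.key and $WORK/$1.csr.
mk_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'subjectAltName=DNS:fms01.example.test,DNS:fms04.example.test\n' > "$WORK/leaf.ext"
  mk_csr root "Constructed Root CA"
  mk_csr inter "Constructed Intermediate CA"
  mk_csr leaf "fms01.example.test"
  # Self-signed root: the only certificate the client trusts.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.pem" 2>/dev/null
  # The root signs the intermediate; the intermediate signs the server certificate.
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 30 -out "$WORK/inter.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# Server presents only the leaf: the client cannot link it to the trusted root.
chain_ok_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Server presents leaf + intermediate; $1 is the host name the client connected to.
chain_ok_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
report() { if "$@"; then echo "OK:   $*"; else echo "FAIL: $*"; fi; }
report chain_ok_leaf_only
report chain_ok_with_intermediate fms04.example.test
report chain_ok_with_intermediate fms02.example.test
```

The certificate files themselves are unchanged between the three checks; only what the client is given to build the chain, and the name it asks for, differ.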
                    • 7. Re: Can a valid SSL-certificate be invalid?
                      ErichWetzel

                      I have been installing FMS for as long as FMS has been available, so I do have a bit of experience. I have found the same problem and was essentially told by FMI via this forum that there was something wrong with our installation: "Problem with SSL verification of valid cert by FMP, mac network client". We use the suggested certificate type from GoDaddy. I have been installing the certificates in the manner suggested by FMI since they started requiring them. In my current case, I have rebuilt my FMS 15 twice and the results are the same. I'm in the process of building a test FMS 16 to see if the results are the same.

                       

                      We use network user homes and that appears to be our problem. For some reason the usual location where FileMaker puts certificates in the user home is not being accessed or used properly. In our case I know that FileMaker can put things there because once you delete the contents it forgets to automatically allow connection with a certificate that it cannot figure out.

                       

                      Location: youruserhome / Library / Application Support / FileMaker / FileMaker Pro / 16.0 / certificates will be here.

                       

                      Delete the contents here and on the next connection to your FMS you will be prompted by FMP to reauthorize it to connect to the server it cannot figure out the certificate for.

                       

                      When we connect to FMS with a local user that has a user home on the local client machine instead of the network user on the network user home, FMP recognizes our certificate and connects as expected.

                       

                      Let us know if you come up with anything.

                       

                      -Erich

                      • 8. Re: Can a valid SSL-certificate be invalid?
                        MichaelHeider

                        Hi,

                         

                        thanks to all!!!

                         

                        Importing the intermediate certificate did the trick! Everything is fine now!

                         

                        -Michael

                        • 9. Re: Can a valid SSL-certificate be invalid?
                          ch0c0halic

                          How about marking a correct answer? §^=)

                          • 10. Re: Can a valid SSL-certificate be invalid?
                            taylorsharpe

                            Good to hear about the intermediate certificate.  That seemed to change in 16 and I had never imported intermediate certificates until then. 

                             

                            By the way, why such an old version of the OS?  If you're interested in the latest security, I would upgrade to 10.12.6.  FileMaker 16 works just great with it.