1 2 Previous Next 22 Replies Latest reply on Mar 11, 2014 1:07 PM by justinc

    IIS7 w/ http-https redirect causing CWP error

    JoelShapiro

      Hi all

       

      I've got a client on IIS7 that's trying to set up a redirect so all http requests automatically go to https. Whenever they enable this redirect, loading a CWP page produces the following error:

       

      Error: XML error: Not well-formed (invalid token) at line 1

       

      When they disable the redirect, the page loads correctly.

       

      Anybody else seen this? Anybody got a fix?

       

      (FMS12, Windows Server 2008, 2-machine config)

       

      TIA,

      -Joel

        • 1. Re: IIS7 w/ http-https redirect causing CWP error
          steve.winter

          Assuming this is a single machine install, then add a condition to the rule which excludes any traffic from 127.0.0.1 from the rule... I can provide exact syntax in about 8 hours time (i.e. the morning

           

          Cheers

          Steve

          • 2. Re: IIS7 w/ http-https redirect causing CWP error
            JoelShapiro

            Thanks Steve, but this is a 2-machine config.

             

            Thoughts on that?  (in the morning, of course

             

            Cheers,

            -Joel

            • 3. Re: IIS7 w/ http-https redirect causing CWP error
              mdenyse

              Joel,

               

              FM's PHP API doesn't set CURLOPT_FOLLOWLOCATION for the curl_exec() call so redirects from FMS aren't followed. You can try:

               

              $__FM_CONFIG['curlOptions'] = array(CURLOPT_FOLLOWLOCATION => true);

               

               

              If that doesn't help, you may also want to try:

               

              $__FM_CONFIG['curlOptions'] = array(CURLOPT_SSL_VERIFYPEER => false);

               

              If that works then you know it's something about the SSL 'handshake' and not necessarily the redirects.

               

              Mark

              • 4. Re: IIS7 w/ http-https redirect causing CWP error
                JoelShapiro

                Thanks very much for this, Mark.  I'll check it out w/ their IT people tomorrow.

                 

                Best,

                -Joel

                • 5. Re: IIS7 w/ http-https redirect causing CWP error
                  databuzz

                  Hi Joel,

                   

                  I also experienced this recently when setting up a 2 machine deployment with SSL. I haven't got access to the php files at present but make sure in your connection settings where you specify the $hostname variable that you're specifying it with "https://you-server.com" etc as I believe you'll get that error if you haven't specified HTPS.

                   

                  cheers,

                  Andrew

                  • 6. Re: IIS7 w/ http-https redirect causing CWP error
                    JoelShapiro

                    Hi Andrew

                     

                    Thanks for the reply.  When I use https in the hostspec, I get:

                     

                    Error: Communication Error: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

                     

                    When I go to a static (non-CWP) page on the site, the cert appears to be valid, according to the browser(s).

                     

                    I'm gonna have them check (again) that they've got all the necessary ports open...

                     

                    Cheers,

                    -Joel

                    • 7. Re: IIS7 w/ http-https redirect causing CWP error
                      steve.winter

                      Hi Joel

                       

                      The simplest solution to this is follow Mark's advice above and use

                       

                      $__FM_CONFIG['curlOptions'] = array(CURLOPT_SSL_VERIFYPEER => false);

                       

                       

                      Although the browser is able to chain the certificate back to a root certificate, PHP isn't, so you get that error. It is also possible to provide the intermediate certificates to PHP for use with cURL - I've done this for regular cURL requests, but never tried to configure it with the FM API.

                       

                      Cheers

                      Steve

                       

                       

                      created by Joel Shapiro in Using Web Technologies - View the full discussion

                      Hi Andrew

                       

                       

                      Thanks for the reply.  When I use https in the hostspec, I get:

                       

                       

                      Error: Communication Error: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

                       

                       

                      When I go to a static (non-CWP) page on the site, the cert appears to be valid, according to the browser(s).

                       

                       

                      I'm gonna have them check (again) that they've got all the necessary ports open...

                       

                       

                      Cheers,

                       

                      -Joel

                       

                      Reply to this message by replying to this email -or- go to the message on FileMaker Technical Network

                      Start a new discussion in Using Web Technologies by email or at FileMaker Technical Network

                      Manage your email preferences.

                       

                      FileMaker Developer Conference 2014 • San Antonio, Texas • July 28-31 • www.filemaker.com/devcon

                       

                      Steve Winter

                      Matatiro Solutions Limited

                      steve@matatirosolutions.co.uk

                      p:  +44 23 8064 4181

                      m: +44 77 7852 4776

                      USA: +1 415 315 9912

                      Belgium: +32 485 821 123

                      Skype: matatirosolutions

                      2a St. Mary's Road

                      Bishopstoke SO50 6BP

                       

                      Registered in England and Wales: 6300320

                      Registered Office: 44 Southchurch Road, Southend, SS1 2LZ

                      VAT Registration Number: 916 8809 86

                      IMPORTANT: This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.

                      • 8. Re: IIS7 w/ http-https redirect causing CWP error
                        JoelShapiro

                        Hi, I just wanted to circle back on this...  The client's having other issues -- some possibly-related -- so testing's been slower than I'd like.

                         

                        QUESTION for Mark/Steve/other-helpful-person:


                        Should I be setting $__FM_CONFIG['curlOptions'] inside filemaker-api.php?

                        (That's where I see other $__FM_CONFIG settings.  In fact, there's already a commented-out line there of:

                        $__FM_CONFIG['curlOptions'] = array(CURLOPT_SSL_VERIFYPEER => false);)

                         

                         

                        FWIW: I tried both of the suggested settings (inside filemaker-api.php):

                         

                        $__FM_CONFIG['curlOptions'] = array(CURLOPT_SSL_VERIFYPEER => false);

                        doesn't seem to make any difference -- it still produces:

                        "Error: XML error: Not well-formed (invalid token) at line 1"

                         

                        $__FM_CONFIG['curlOptions'] = array(CURLOPT_FOLLOWLOCATION => true);

                        produces the same error that I saw when I set the hostspec to an https URL:

                        "Error: Communication Error: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

                         

                         

                        So as I said, the client's "other" problems may shed some light on this issue, but if I were to try these again, am I at least doing it in the right place?

                         

                        Thanks,

                        -Joel

                        • 9. Re: IIS7 w/ http-https redirect causing CWP error
                          steve_ssh

                          Hi Joel!

                           

                          Have you tried using both of those curl options simultaneously?

                           

                          My thought is this:

                           

                            1) With just:   CURLOPT_SSL_VERIFYPEER => false  set as a config

                           

                                 Curl knows to be lax about the SSL certificate chain, but it still does not know that it should follow the redirect.  As a result, the data it returns is not XML, it is a redirect command from the server.  FM PHP API would react to this at about line 40 of FMResultSet.php.

                           

                           

                            2) With just:   CURLOPT_FOLLOWLOCATION => true   set as a config

                           

                                 Curl knows to follow the redirect command, but it has not been instructed to be lax about the SSL certificate chain.  As such, it complains about the certificate.  By virtue of the fact that you get the certificate error, I would reason that you have indeed set the config in the proper place, as it appears to be taking effect, i.e. the redirect to use https is now being followed.

                           

                          Apologies in advance, because I am not experienced in this stuff, but reading everything in this post makes me think it would be very reasonable to try setting both of the curl configs at the same time and seeing what happens.

                           

                          As always, very best,

                           

                          -steve

                          • 10. Re: IIS7 w/ http-https redirect causing CWP error
                            JoelShapiro

                            Hiya Steve!

                             

                            Thanks for the reply

                             

                            I did in fact try both simultaneously.

                             

                            It still seemed that (CURLOPT_SSL_VERIFYPEER => false) made no difference, so when I had them both enabled I got the same results as when just (CURLOPT_FOLLOWLOCATION => true) was enabled.

                             

                            I think I even tried them with switching which line came first, although I'm not positive.  (If anyone thinks that'd make a difference, I'll try next time.)

                             

                            And again, the http-https redirect could be a red herring.  Hopefully they'll sort out their other issues soon so I can get back to testing.

                             

                            Best,

                            -Joel

                            • 11. Re: IIS7 w/ http-https redirect causing CWP error
                              ch0c0halic

                              You might also need:

                               

                              curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

                              • 12. Re: IIS7 w/ http-https redirect causing CWP error
                                JoelShapiro

                                Hi Jimmy(?)

                                 

                                Where would that go -- and what does $ch represent?

                                 

                                Thanks,

                                -Joel

                                • 13. Re: IIS7 w/ http-https redirect causing CWP error
                                  ch0c0halic

                                  Difference in languages. Yours would look like this.

                                   

                                  $__FM_CONFIG['curlOptions'] = array(CURLOPT_SSL_VERIFYHOST => false);

                                  • 14. Re: IIS7 w/ http-https redirect causing CWP error
                                    steve_ssh

                                    Hey Joel,

                                     

                                    So, I realized shortly after I made my post (but while away from computer), that I was not clear enough about my suggestion.

                                     

                                    Here goes:

                                     

                                    The line of code that I would suggest would be something like:

                                     

                                        $__FM_CONFIG['curlOptions'] = array( CURLOPT_SSL_VERIFYPEER => false, CURLOPT_FOLLOWLOCATION => true );

                                     

                                    In other words, we'd be configuring curlOptions by passing in an array (a dictionary to my mind) which specifies both of our desired configs within the same dictionary.

                                     

                                     

                                     

                                    My take on why I wouldn't expect it to work with two lines of code such as:

                                     

                                      $__FM_CONFIG['curlOptions'] = array(CURLOPT_SSL_VERIFYPEER => false);

                                     

                                         followed by:

                                     

                                      $__FM_CONFIG['curlOptions'] = array(CURLOPT_FOLLOWLOCATION => true);

                                     

                                    With two lines of code as directly above, we'd simply be setting a dictionary with a single config in the first line, and then overwriting that with a different dictionary (array) with a different config.  In other words, the second line gets used and the first line would be ignored.

                                     

                                     

                                     

                                    Perhaps you've also tried the the single line of code suggestion -- if not, that is what I had in mind.  The only thing I'm not so sure about is the proper spelling of the constants CURLOPT_SSL_VERIFYPEER and CURLOPT_FOLLOWLOCATION, but based on what you've seen I think you already have  CURLOPT_FOLLOWLOCATION  correct, and I imagine that  CURLOPT_SSL_VERIFYPEER  is probably correct, too.

                                     

                                    Hope things are good with you.

                                     

                                    Best,

                                     

                                    -steve

                                    1 2 Previous Next