6 Replies Latest reply on Oct 24, 2014 9:53 PM by robwoof

    FMS13 and certificates on Mac OS X 10.8

    robwoof

      Having just done install and configuration for FMS13 on both a single-machine and two-machine setup on Mac OS X 10.8, here are a few things I have learned by trial and error, along with a couple of helpful pages posted by others:

       

      General

      1) We are using a GoDaddy wildcard certificate (*.companyname.com.au). It was originally created from a Mac OS X Server 10.6 Certificate Request from a private key created on that machine. The certificate was successfully installed on several Mac OS X Server 10.7 machines as well by copying and installing the private key, wildcard cert and intermediate cert.

      2) Since I couldn't use that private key in FMS13's Certificate Request, I used the FMS13 certificate command to generate a new serverKey.pem and serverRequest.pem as per the docs for the domain *.companyname.com.au. I then used that CSR to re-key our original GoDaddy cert. That generated a different cert with the same expiry date etc., but based on a different private key. That certificate installed without complaint on both FMS installations (on the Worker machine in the two-machine setup). Then I restarted the worker (two machine)/server (single machine).

      3) After installing the re-keyed cert, the "chain of trust" in the browser wasn't right. I then installed the GoDaddy intermediate in the System keychain and restarted. Now the certificate chain is fine - it shows the new intermediate certificate (I know it's the new one, it has a later expiry than the original) as well as the correct *.companyname.com.au cert.

       

      Single Machine

      1) Once the certificate is installed and the intermediate cert is in the System keychain, WebDirect is fine. However, if you switch on "Require secure connections" in the Database Server->Security section of the Admin Console and restart the database server, FileMaker Pro clients cannot connect at all. In addition, files do not appear on the WebDirect start page. So it is now switched off. So we have secure connections to WebDirect and Admin Console, but not in FMPro/Go.

       

      Two-Machine

      1) To install the cert on both machines, generate the request on the Worker, then copy serverKey.pem and serverRequest.pem from /Library/Filemaker Server/CStore/ to the same location on the Master. Copy the certificate files supplied in response to the certificate request to the Master as well, and run the "fmsadmin certificate import" command, pointing to "your" certificate. Make sure that if there is an intermediate certificate as well, you import that into the System keychain using /Applications/Utilities/Keychain Access.app.

      BUT

      2) When I first installed the certificate on the Master, I could not connect using FMPro/Go, and no files were visible on the WebDirect landing page. I had "Require secure connections" switched on. Not knowing what I know now, I uninstalled and reinstalled FMS from both the Master and the Worker, then reinstalled on both, but only installed the certificate on the Worker. As a result we have secure connections for WebDirect and FMPro/Go but not for Admin Console.

       

      If there's something I have missed, please feel free to share.

        • 1. Re: FMS13 and certificates on Mac OS X 10.8

          Did you happen to fix this?

           

          I just bought a 5 pack of certs from GoDaddy to be used on several Single Machines. So far, I've tested it on one server. It works for the admin console and web direct, but not with Pro.

           

          I tried a 90 day demo from Comodo and it worked perfectly.

          http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php

          • 2. Re: FMS13 and certificates on Mac OS X 10.8
            robwoof

            Thanks for your input. Could you expand on the Comodo cert comments - specifically, by "worked perfectly", do you mean that you get secure connections for WebDirect, Admin Console AND FMPro/Go? For me, if a certificate is installed via FMS for WebDirect, enabling "Secure Connections" for Pro/Go stops connection altogether.

            • 3. Re: FMS13 and certificates on Mac OS X 10.8
              eduncle

              I am seeing this issue too. Win 2012, Single Server / FMS13v2, GoDaddy SSL cert. Enabling 'Require Secure Connections' prevents databases appearing in the WebDirect list or when connecting via FileMaker Pro Clients.

               

              Have an identical Mac OSX Server where it works fine.

               

              Would love to hear a solution.

              • 4. Re: FMS13 and certificates on Mac OS X 10.8
                robwoof

                More digging and experimenting has led to a possible explanation: FileMaker Pro clients only support certificates using SHA-1 signatures. New GoDaddy certs these days are SHA-2 (a.k.a. SHA-256). I only cottoned onto this possible reason when I searched FM's knowledge base to find supported CAs (http://help.filemaker.com/app/answers/detail/a_id/11413/kw/...) and there is a little sentence above the list:

                 

                The following is a comprehensive list of supported SSL vendors and their root authorities (please note that, currently, only SHA-1 certificates are supported)

                 

                ... which is probably why FM clients can't see files or connect. I've installed a certificate with SHA-256, and they don't understand SHA-256.

                 

                So I have the choice of using a certificate signing algorithm that is being rapidly deprecated (thanks, Google) or having unsecured database connections.
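A way to check which hash a certificate and its intermediates are signed with before importing them, relevant to the SHA-1 versus SHA-256 diagnosis in the post above. This is an added example, not part of the original thread or of FileMaker's tooling; the function names, the partial OID table and the constructed sample bundle are assumptions made for illustration.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs (hex) -> (name, hash family).
# A partial table for this example; extend it for other algorithms.
SIG_OIDS = {
    "2a864886f70d010105": ("sha1WithRSAEncryption", "SHA-1"),    # 1.2.840.113549.1.1.5
    "2a864886f70d01010b": ("sha256WithRSAEncryption", "SHA-2"),  # 1.2.840.113549.1.1.11
    "2a864886f70d01010c": ("sha384WithRSAEncryption", "SHA-2"),  # 1.2.840.113549.1.1.12
    "2a8648ce3d040302": ("ecdsa-with-SHA256", "SHA-2"),          # 1.2.840.10045.4.3.2
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, (oid, "unknown"))

def audit_pem(pem_text):
    """Return (algorithm, hash family) for each certificate in a PEM bundle."""
    return [signature_algorithm(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

def skeleton_pem(last_oid_byte):
    """Constructed sample: certificate-shaped DER with an empty tbsCertificate."""
    alg = bytes.fromhex("06092a864886f70d0101") + bytes([last_oid_byte]) + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    pem = base64.encodebytes(b"\x30" + bytes([len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n"

# Constructed bundle: a SHA-256-signed "leaf" followed by a SHA-1-signed "intermediate"
SAMPLE_BUNDLE = skeleton_pem(0x0B) + skeleton_pem(0x05)

if __name__ == "__main__":
    for name, family in audit_pem(SAMPLE_BUNDLE):
        print(f"{name}: {family}")
```

To use it on real files, pass `audit_pem` the text of the certificate and intermediate PEM files returned by the CA; each entry in the result corresponds to one certificate in file order.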

                • 5. Re: FMS13 and certificates on Mac OS X 10.8
                  mdiehr

                  Rob, I ran into a similar situation; however, eventually I was able to get the best of both worlds: Require Secure Connections is ON (so FileMaker server to client communications are encrypted), and I was able to install a custom SSL certificate under Apache so that my site's HTTPS is using a proper certificate.

                   

                  What's interesting is that, after doing this, WebDirect also uses the custom SSL certificate.  This was an unexpected and pleasant surprise.

                   

                   

                  (Edit) To clarify: if I used the fmsadmin CERTIFICATE IMPORT command on my certificate (which is a Comodo-reseller) then FileMaker Pro wouldn't work, just like you saw. I un-did that (by deleting the CStore files) and only used the SSL certificate in my custom apache.conf file.

                  1 of 1 people found this helpful
                  • 6. Re: FMS13 and certificates on Mac OS X 10.8
                    robwoof

                    Thanks for that info.

                     

                    The big downer is that it's getting hard to find CAs willing to issue SHA-1 certificates now that Google has begun its campaign to speed up the deprecation of that signing standard.

                     

                    I would like to hear from the folks at FileMaker - do I have a correct diagnosis of the situation, or is there something else causing this issue?