44 Replies. Latest reply on Jul 14, 2015 12:14 AM by shirley

    FMS 13 Inexpensive SSL Certificate for Mac Development Machine

    taylorsharpe

      This walks you through installing a certificate for a Mac server inexpensively. Why would I want to do this? Primarily because I want to use my server as a web page sometimes and I don't want people getting those certificate warning prompts in their web browsers. It really turns people away.

       

      FileMaker has instructions on how to install a certificate, but it is a bit of a hassle and I didn't readily understand it on the first read. My criteria were that I wanted it for a Mac server that is a development machine in house and I did not want to spend but the minimum amount of money needed for the certificate. First of all, FileMaker has very limited support of SSL providers and they are GeoTrust, Comodo, VeriSign, Thawte and GoDaddy (not using these will result in FileMaker Go connections not working).

       

      When looking for domain services and wanting to be more on the cheap side of things (probably lesser quality too), I usually use GoDaddy. So I checked out the GoDaddy SSL's and their idea of cheap starts at $69.99 a year. Oh goodness, that isn't cheap and I'm not trying to secure a bank's computer... this is just my development machine. So I checked on the other approved SSL providers and they all are more expensive than GoDaddy except Comodo. Ahhhh.... something to check out!

       

      If you go to the Comodo web site, it sells the SSL certificates for $64.95 very similar to GoDaddy. Not what I wanted. But if you go to a reseller, it is a whole different deal. I found a web site at www.ssls.com that resells Comodo SSL certificates for $25 for 5 years!!! That's only $4.99 a year! WOW!!! Now that is in my price range for a development machine. So I went to the web site. You will need to buy the "Comodo Positive SSL".

       

      Once you buy the certificate, it is added to your account under the "My SSL Account" pull down and is unassigned. But to assign it, you need a CSR. So, go back to your Mac computer. Go to your admin console https://[My Server IP]:16000 (e.g., https://127.0.0.1:16000) and log in. Go to the "Database Server" tab in the left hand column and then click the "Security" tab at the top. Look towards the bottom where it says "Secure Connections" and make sure the "Require secure connections" box is NOT checked (we will check it on later after installing the certificate).

       

      Untitled-3.jpg

       

      At this point, I assume you have already bought a domain name for your server and configured it so that the domain is pointing to this IP (maybe a bad assumption). If you haven't, go buy one and set it up to point to this server IP. You must have a static IP to do this. I usually use GoDaddy or some other cheap domain name provider (don't buy anything else other than the domain... they will try to sell you all kinds of other things like hosting, email, etc.). This has to be working (test it) before proceeding.

       

      The next step is to make sure you have write authority to the CStore folder. Go to Finder and click on the "Go" pull down menu and select "Go To Folder". When the dialog box comes up, put in "/Library/FileMaker Server/" (without the quotes). This will open a Finder window of the FileMaker Server folder and one of the folders is "CStore" which holds all of the certificate information. Click the CStore folder once and press "Command-I" for Get Info. At the bottom is an area called "Sharing & Permission" (you may have to click the triangle to toggle it off and on). You should see three POSIX permissions for fmserver, fmsadmin and everyone. You need to add your name to the ACL. In the bottom right hand corner of the Get Info box is a pad lock icon. Click it and enter your administrator user ID and password for the operating system. After this, go to the bottom left of the Get Info and click the Plus button to add yourself. It will pop up a dialog box with all of the accounts on the computer. Select the account you are using now. It will insert it at the top of the list of permissions and it will show the privilege of "Read only". Change that to "Read & Write". When you are done, it should look like this, only with your user name instead of "taylorsharpe":

      Untitled-1.jpg

       

      The next step is to create the PEM file that you will give to NamesCheap who will use it to return the certificate. Go to your Applications Folder and then Utilities sub folder and open the "Terminal" application. Before you go further, you are going to need to know your company name that the SSL will be under, the Country, State and City you live in too. The command to issue to generate the PEM file is something like this:

       

      fmsadmin certificate create "/CN=yourdomainname.com/O=My Company Name/C=country/ST=state name/L=city name"

       

      So for my domain, it looked like:

       

      fmsadmin certificate create "/CN=filemaker.taylormadeservices.com/O=Taylor Made Services/C=US/ST=Texas/L=Dallas"

       

      FYI, the requirement to add the company and location information to the PEM file is a requirement of Comodo. Other certificate authorities don't require this. But since we want to go with the inexpensive one, this is what we have to do. Other certificate authorities often only require:

       

      fmsadmin certificate create yourdomain.com

       

      This creates a file in your CStore folder (see above) called "serverRequest.pem". Open this file with a text editor (I like Text Wrangler or BBEdit) and you'll see a lot of code like:

       

      -----BEGIN CERTIFICATE REQUEST-----

      ...

      -----END CERTIFICATE REQUEST-----

       

      Copy everything from the Begin Certificate through the End Certificate lines into the clipboard (select All, Command-C).

       

      Now go back to your www.ssls.com web site, which has probably logged out. So log back in, click "MySSL Account" pull down and then select to activate your certificate. Up will pop a big box to paste this PEM file into. Paste it in there and follow the instructions for putting your company information, address, phone number, emails in. After you do all of this, they will send you an email to confirm you are who you are. You will have to click on a link and paste a code back into their web page. Once you have confirmed your email, they will send you the certificate as a zip file in an email. When you get the zip file (mine took about 15 minutes to come back in my email), save it to your downloads folder and open it. It will have a CRT file in there that is your domain name with underscores instead of periods and it will end in ".CRT". So my domain name CRT file looked like "filemaker_taylormadeservices_com.CRT". This is what you have to import back into FileMaker with the certificate import command.

       

      Go back to the Terminal application. You must know the file path to the CRT file. Mine was in my downloads folder, so it was at: "/Users/taylorsharpe/Downloads/filemaker_taylormadeservices_com/filemaker_taylormadeservices_com.CRT". With this location, here is what I needed to type into Terminal (this is all one line with no breaks... it is not two lines like displayed here):

       

      fmsadmin certificate import /Users/taylorsharpe/Downloads/filemaker_taylormadeservices_com/filemaker_taylormadeservices_com.CRT

       

      You now need to go back to your Admin Console under the Database Server in the left column and click Security tab at the top and now turn on "Require secure connections" by clicking the check box. This will not take effect until you restart your server. Even then, it did not take immediate effect for me as I think the certificate authority was still authorizing. I went to bed and when I woke up, I could then navigate to http://filemaker.taylormadeservices.com/fmi/webd and up would pop all my web direct files and I could log in securely without getting the certificate warning.

       

      So the above is my story on how to get a cheap SSL certificate for a development machine. But I will suggest if you have a production machine with valuable data on it, you will probably want to go with a more expensive certificate. This was only about getting the bare minimum to avoid the certificate warning and doing it on the cheap.
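
A pre-flight check for the subject string passed to `fmsadmin certificate create`, as an added example that is not part of the original post. It assumes the string follows the same `/KEY=value` convention as `openssl req -subj`; the function names and the list of required fields are this example's own, taken from the fields the post says Comodo asks for.

```python
import ipaddress
import re

# Fields the post above puts in the request for Comodo (assumption: all required).
REQUIRED = ("CN", "O", "C", "ST", "L")
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_subject(subject):
    """Split '/K=V/K=V' into (key, value) pairs; a backslash escapes a slash."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    pairs = []
    for part in re.split(r"(?<!\\)/", subject[1:]):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed component: %r" % part)
        pairs.append((key.strip().upper(), value.replace("\\/", "/").strip()))
    return pairs


def check_subject(subject):
    """Return a list of problems; an empty list means the subject looks sane."""
    try:
        pairs = parse_subject(subject)
    except ValueError as exc:
        return [str(exc)]
    fields = dict(pairs)
    problems = []
    if len(fields) != len(pairs):
        problems.append("a field appears more than once")
    for key in REQUIRED:
        if not fields.get(key):
            problems.append("missing or empty %s" % key)
    cn = fields.get("CN", "")
    if cn:
        try:
            ipaddress.ip_address(cn)
            problems.append("CN is an IP address, not the DNS name users type")
        except ValueError:
            labels = cn.split(".")
            if labels[0] == "*":          # wildcard certificates: skip the star
                labels = labels[1:]
            if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
                problems.append("CN is not a fully qualified host name")
    country = fields.get("C", "")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("C must be a two-letter ISO 3166 code such as US")
    return problems


if __name__ == "__main__":
    # The subject used in the post, then a constructed bad one.
    for s in ("/CN=filemaker.taylormadeservices.com/O=Taylor Made Services"
              "/C=US/ST=Texas/L=Dallas",
              "/CN=75.144.42.17/O=Example Co/C=USA/ST=Georgia"):
        print(s, "->", check_subject(s) or "ok")
```

Running the check before creating the request catches mistakes that otherwise only surface after the certificate has been issued for the wrong name.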

       

       

       

       

       


        • 1. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
          BowdenData

          Taylor,

           

          What version of OS and FMS do you have on the machine that you did this on? I have a mac mini running 10.8.5 regular (not server) and FMS 13.0v2. Everything appears to be okay, but with the custom cert loaded, I can't see any databases in WebDirect or with FMP13 Open Remote dialog. With WebDirect, I do connect without any certificate error messages and when I look at the cert while connected (using Safari), it is the Comodo one and the cert domain matches my server domain name, etc.

           

          If I disable SSL in the FMS Admin Console, I see files in WebDirect and FMP Open Remote and connect fine. If I use the default FMI cert and enable SSL, I get the warning message in WebDirect, but can then see and connect to databases okay.

           

          Any other thoughts?

           

          Thanks,

          Doug

          • 2. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
            taylorsharpe

            You need to turn on Security in the FMS Admin Console to require SSL connections for this to be an issue because you are telling it to encrypt the connection to FileMaker Server.  Since most of my clients want that, I turn it on and they get the SSL certificate warning (sometimes called Phishing warning on Windows machines) when they navigate to the server for Web Direct connections.  I can tell people to just ignore the warnings, but the general public gets leery about security warnings and will tend to avoid anything you are wanting to share with them via WebDirect.  A number of my clients have [Guest] login for public information such as retail pricing, etc. 

             

            The reason for adding the SSL certificate is to avoid the SSL warning and assure those connecting that a third party certificate issuer is confirming the validity of your server. 

             

            FYI, I was running 10.8.5 on a Mac Pro with FMS 13.0v2.  Since then I have upgraded to Mac OS X 10.9.4 and FMS 13.0v3 and I had the same certificate reissued and it works just fine in the new OS.  I've also done this on another computer, a Mac Mini with OS X 10.9.3 and FMS 13.0v2 (maybe it was v1).  So far no problems and it is working well. 

            • 3. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
              BowdenData

              Taylor - thanks. I am aware of why and how for the SSL and certificates. My issue was that it was not working despite the process of generating and importing a cert for FM server being pretty straightforward. I was hoping that it might be because my server in question is on the older 10.8.5 and/or FMS being 13.0v2, but you had that exact combo when you first got your cert through this web site.

               

              Question - do you know why other basic certs from Comodo (via ssls.com) cost more than their Positive SSL? Is there any difference in functionality or it is matter of trust in that they do more verification of the person/company purchasing the cert?

               

              Thanks for your help.

               

              Doug

              • 4. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                taylorsharpe

                Yes, there is a difference in SSL certificates.  Most offer some type of insurance if hacked and the better ones have a higher insurance.  There are some with a higher encryption rate than others too.  There are not only different encryption levels, but some certificates are good for multiple domains or they are a wildcard that supports everything to the left of a domain such as *.domainname.com.  Some issuing authorities give better support than others, which is really nice the first few times you are installing one.  Lastly, there are newer "EV" SSL's where the issuing company does some extra checking up on your validity as a real established company.  But from what I can tell, it is not any more secure and more a waste of money. 

                 

                The issuing certificate authority is only as good as that company's reputation.  Is it a company that has been around and recognized for security?  Lastly, have their root servers ever been hacked or if so, how many times?  I like GoDaddy for usually being cheap, but their Root CA was hacked a couple of times that I know of and probably more.  Granted they are the largest domain issuer in the world, but they are probably not at the cutting edge if you really have something to secure like a bank. 

                 

                Off the top of my head, the big CA's out there are GeoTrust, Thawte, GlobalSign, RapidSSL, DigiCert, GoDaddy, Comodo. 

                • 5. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                  charleshuff

                  I carefully followed your example and the comodo cert was installed.  However it keeps saying safari can't verify the identity of the website (75.144.42.17). This certificate is not valid (host name mismatch...)

                   

                  I called comodo, I called go daddy, no help.  Comodo said the cert was valid for www.briggsassociates.info and that the error must be due to redirections.... and go daddy said there are no redirections in my domain...

                   

                  I tried changing the name of my server to www.briggsassociates.info inside filemaker admin console.  I tried unchecking ssl, reinstall the cert with import command.  I rebooted the server.  I waited over night.  No Joy.  Comodo did say I needed to install the bundle file too but could not tell me how with fmsadmin to do that...

                   

                  I installed the server with the name 75.144.42.17 at that time we had no domain name. 

                   

                  Thanks for the help so far.  Any thoughts are greatly appreciated.  This is really getting me down.

                  • 6. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                    AlanStirling

                    Hi Charles

                     

                    It is the DNS name of the IP Address of the server that needs to match.

                     

                    My quick test revealed that the address you provided: 75.144.42.17

                     

                    Returns the name: atlanta.hfc.comcastbusiness.net

                     

                    This needs to match the certificate name - exactly.

                     

                    So either your DNS has to be changed to match the certificate, or the certificate has to be changed to match the full domain name of the machine.

                     

                    Best wishes - Alan Stirling, London UK

                     

                    (Sorry if this appears in two sizes of text, but my iPad has not matched the larger text size when I pasted in the result)

                     

                    Alan Stirling Technology Ltd, 135 Lisson Grove, London NW1 6UP

                    +44 (0) 20 7724 2456 - alan@ast.fm - www.ast.fm.

                    FileMaker Certified Developer for versions; 7 8 9 10 11 12 13.

                    • 7. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                      charleshuff

                      so, is this something I can change inside filemaker server (server name?) or is it something I must contact comcast for?

                       

                      also, how did you do a quick test?

                      • 8. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                        sibrcode

                        Alan: that hostname would be the reverse-lookup for his IP address, which is definitely not a requirement for his SSL certificate. In fact, a web server hosting multiple SSL sites would by necessity only have one reverse-lookup address but have multiple SSL enabled sites.

                         

                        What does need to match is the hostname that users or systems referring to your site would use, which seems to match initially. But I notice you have this:

                        <body>

                        If you are not redirected automatically <a href="https://75.144.42.17/fmi/webd#">Click here

                        Any references or usage of the site w/o matching the cert will give the error you mention.

                         

                        Simon.

                        • 9. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                          charleshuff

                          Simon,

                           

                          I am so confused, I just put this on the back shelf.....

                           

                          I changed the server name from atlanta.hfc.comcastbusiness.net (inside of filemaker server) and it didn't seem to change anything.

                           

                          The machine in question is company owned.  We got the domain briggsassociates.info from GoDaddy.  Do I need to get the certificate from GoDaddy? 

                           

                          You did say and I quote:

                           

                          What does need to match is the hostname that users or systems referring to your site would use, which seems to match initially. But I notice you have this:

                          If you are not redirected automatically <a href="https://75.144.42.17/fmi/webd#">Click here

                          I did put that there trying to fix my server to automatically show the web direct screens...  Is there a better way?

                           

                          I logged into the server, then used terminal with command hostname www.briggsassociates.info...

                          this seems to have changed my hostname (in the terminal) but the certificate still does not work.  Am I even on the right track?

                          ====update====

                          I changed my index.html page replacing every numeric 75.144.42.17 with www.briggsassociates.info and now the cert is working, I think....

                          so at this point I am unsure if the terminal step or the edit of index.html fixed things.  I am going to sleep on it for a few days...
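
The name check discussed in replies 5 to 9, as an added example that is not part of the thread: the certificate's name is compared with the host in the URL the client actually uses, so any absolute link to the bare IP address produces the mismatch warning. The function names are this example's own, and the sample page is constructed from the fragment quoted in reply 8 (the meta refresh tag is assumed).

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_matches(cert_name, host):
    """RFC 6125-style match of one certificate DNS name against a URL host."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never matches a DNS name in a certificate
    except ValueError:
        pass
    if cert_name.startswith("*."):
        # A wildcard covers exactly one left-most label: *.domainname.com
        # matches www.domainname.com, not domainname.com or a.b.domainname.com.
        first, _, rest = host.partition(".")
        return bool(first) and rest == cert_name[2:]
    return cert_name == host


class LinkCollector(HTMLParser):
    """Collects URLs from href/src/action attributes and meta refresh tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in ("href", "src", "action"):
                self.urls.append(value)
            elif tag == "meta" and name == "content" and "url=" in value.lower():
                start = value.lower().index("url=") + 4
                self.urls.append(value[start:].strip().strip("'\""))


def audit_page(html, cert_names):
    """Return absolute https URLs whose host no certificate name covers."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            continue  # relative links inherit the host the visitor typed
        if not any(host_matches(n, parts.hostname) for n in cert_names):
            bad.append(url)
    return bad


# Constructed sample modelled on the redirect page quoted in reply 8.
SAMPLE_INDEX = """<html><head>
<meta http-equiv="refresh" content="0; url=https://75.144.42.17/fmi/webd#">
</head><body>
If you are not redirected automatically
<a href="https://75.144.42.17/fmi/webd#">Click here</a>
<a href="https://www.briggsassociates.info/fmi/webd#">WebDirect</a>
<a href="/fmi/webd#">relative link</a>
</body></html>"""

if __name__ == "__main__":
    for url in audit_page(SAMPLE_INDEX, ["www.briggsassociates.info"]):
        print("host not covered by certificate:", url)
```

The reverse-lookup name of the IP address plays no part in the comparison; only the host written in the URL does.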

                          • 10. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                            iamsloper

                            I just bought a certificate and after I installed it, turned on secure connections, and restarted. Now FileMaker clients can't see files in the open remote dialog. 

                             

                            I think this is a dns issue as the local host name (pre1server.private) isn't the same as the name on the certificate (office.pre1.com).  The server sits inside our firewall and we port forward to it.

                             

                            Should this setup work or does the host name of the mac server need to be office.pre1.com?

                             

                            Michael Sloper

                            Pre1 Software

                            • 11. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                              taylorsharpe

                              It could be a dns issue, but if you just installed the certificate and it stopped working, that probably is the issue.  Go to the Admin Console and turn off security and then see if they can connect.  If so, then it is a certificate issue. 

                               

                              I've found to fix this sometimes (particularly for WebDirect connections), I can turn off security in the Admin console, then stop the Filemaker service, then turn it back on, then go to Security and turn on Security.  At first I would suspect that security was not turned on, but I know in WebDirect, the correct port 443 connection is made and a valid certificate shows up in a web browser URL.  So I suspect the same is happening with the client connections too. 

                              • 12. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                                iamsloper

                                Once I turn off secure connections, the files show up in the open remote dialog again.

                                 

                                I did see this error in the logs:

                                 

                                10/1/14 9:03:38.358 AM com.filemaker.messages[348]: 2014-10-01 09:03:38.356 -0700 [IBSApp] Error: cannot Verify the Server certificate [/Library/FileMaker Server/CStore/serverCustom.pem] With any CA.

                                 

                                Maybe I need to wait a bit?

                                 

                                Thanks for your help!

                                 

                                Michael

                                • 13. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                                  sibrcode

                                  Michael,

                                   

                                  This is the symptom you will see when the cert is not to FileMaker Server's liking.

                                   

                                  Only certain vendors and certain types of certs are accepted by FMS. Did you get this as a SHA-1 encoded cert? Unfortunately this is a requirement, and will become a problem as SHA-1 certs stop being accepted by browsers.

                                   

                                  I do have a script that will work around the vendor requirement by inserting the SSL vendor's root certs, but it is a slightly clunky process, since FMS re-writes the root.pem file on every reboot.

                                   

                                  Simon.

                                  • 14. Re: FMS 13 Inexpensive SSL Certificate for Mac Development Machine
                                    taylorsharpe

                                    Good point, Simon.  I ran into that exact same problem and had to have them revoke my SHA-2 cert and reissue it as SHA-1.  Hopefully FileMaker will fix this in the next version.  I do know there are some limitations with FileMaker working with Apple for the FMGo app where they have to presupply certificates because you can't add them later on.  So they get locked into only a few vendors.

                                     

                                    What I wish is that FileMaker would become an ICANN approved Certificate Issue Authority so that when they sell us software, the certificates are already included and work automatically with just configuring the domain name and IP.  When you get down to it, the Certificate Authorities don't collect any more information about you than you have to provide FileMaker to buy their software.  So why not take the hassle out of FileMaker users having to work out a certificate if FileMaker could be the issuer. 
