13 Replies Latest reply on Apr 14, 2015 1:02 PM by cpun

    FMS 13v5 - SSL blocks access to databases

    cpun

      I have a two-machine deployment and installed 13v5, both servers are Win2008 R2 SP1. I generated the PEM key on the DB server using fmsadmin certificate commands, received the SSL certificate and imported. No issues. I imported the SSL cert also on the Web server and got another SSL cert for the Web server too. The certs are the same names as the server names. I even made sure after importing the certs, closing the databases and reboot the servers. However, after a reboot, when I use FM Pro to connect to the DB server, it does not list any databases available to open remotely. I should also note that the SSL certs are InCommon/Comodo SHA-256, which according to FileMaker is supported.

       

      Is there any additional steps that I need to do in order for me to open the databases via FM Pro?

       

      I have also tried to remove the checkmark in the Admin Console that says "Require secure connections" but it made no difference.

        • 1. Re: FMS 13v5 - SSL blocks access to databases
          robwoof

          To help work through this:

           

          1) Do you have "Require secure connections" selected in the Admin Console under Database Server->Security?

          2) Are you able to see and connect to databases via WebDirect?

           

          Cheers,

          Rob

          • 2. Re: FMS 13v5 - SSL blocks access to databases
            cpun

            1) I did originally and no change.

            2) No.

            • 3. Re: FMS 13v5 - SSL blocks access to databases
              robwoof

              Interesting. What you describe is what I was seeing with FMS 13.0v3 and 13.0v4. If the certificate was in place and "Require Secure Connections" was on, no databases were available in FMPro or WebDirect.

               

              What happens if you go to <path_to_FM-Server>/CStore and remove serverCustom.pem, serverKey.Pem and serverRequest.pem, then stop and restart the Database Server (i.e. in the Admin Console, not by restarting the whole machine)? Do the databases become available then?

               

              R

              • 4. Re: FMS 13v5 - SSL blocks access to databases
                cpun

                I removed them and then I couldn't get the DB Server restarted via Admin Console so I had to reboot the whole server. After reboot, everything functioned normally.

                • 5. Re: FMS 13v5 - SSL blocks access to databases
                  BenGraham

                  I am finding with the v5 update it kills the SSL as well.  If we remove the serverCustom.pem, serverKey, and serverRequest.pem, it will again run on the FMI SSL, which they say we should not do.  I just got a new SSL for this update and it works for v1, v3, and v4. 

                   

                  Have you seen any other solutions to this problem. 

                   

                  Thanks,

                  Ben

                  • 6. Re: FMS 13v5 - SSL blocks access to databases
                    CICT

                    To confirm we've exactly the same problem and have seen other posts, such as http://fmforums.com/forum/topic/90722-ssl-certificate-installation/

                     

                    We've spent a lot of time on this building and rebuilding VMs using free trial certificates - we've tried both Geotrust and Comodo certificates and to date cannot access data files from FM Pro or FM Go with the certificate installed. For the record we're running 2 machine setups on Windows 2012 servers.

                     

                    If we switch off 'Require Secure Connection' the databases reappear, switch it on again and they are no longer available within Open Remote File.

                     

                    Andy

                    • 7. Re: FMS 13v5 - SSL blocks access to databases
                      Jonathan Jeffery

                      Same here. It doesn't seem like ssl certificates are much use in FM13. Let's hope that they sort this ridiculous situation out soon.

                      • 8. Re: FMS 13v5 - SSL blocks access to databases
                        taylorsharpe

                        I use SSL certificates a lot because users getting prompted with security risk warnings in their browser are unprofessional and just generally unacceptable in my opinion.  I use the cheap Comodo ones ($25 for 5 years) and they seem to work well. 

                         

                        Rumor is that Apple security raked FileMaker over the coals for not defaulting to a secure connections, etc.  I expect that FileMaker 14 will default to secure connections and hopefully and easier way to manage certificates. 

                         

                        I made a feature recommendation that FileMaker become an SSL certificate authorized reseller and they sell validated certificates with their software so that FileMaker customers don't have to even know about the certificates other than they just work. 

                         

                        Expect certificate management to change a lot in FM 14.  And I can only see it getting better than what we have now. 

                        • 9. Re: FMS 13v5 - SSL blocks access to databases
                          Jonathan Jeffery

                          I hope that FMnext will sort this stuff out — but at the moment I have half an implementation of SSL. I'm going to have to restart the server to get it back to using its default certificate .

                           

                          Good idea about Filemaker bundling SSL certificates along with FMServer — the current management of certificate is so arcane, that I'm sure most administrators don't even realise that they should install their own certificate.

                          • 10. Re: FMS 13v5 - SSL blocks access to databases
                            sibrcode

                            You should be able to get this to work.

                             

                            Pay very close attention to the info here: List of supported SSL certificate types and vendors for FileMaker platform | FileMaker

                             

                            It must be of the exact type mentioned, it is not enough to get the same vendor. However, it seems like vendors keep changing how they market their SSL certs, so this can be difficult. From the top level of Comodo's site it isn't obvious which (if any) of the ones mentioned is the Elite cert, so had to search for it instead: https://www.enterprisessl.com/ssl-certificate-products/ssl/ssl-certificate-elitessl.html

                             

                            Also, I've found that I must stop & start the service (or on Mac OS, restart the fmserver_helperd process) whenever changing certificates. Stopping and starting FMS from the admin console was not sufficient.

                             

                            Simon.

                            • 11. Re: FMS 13v5 - SSL blocks access to databases
                              taylorsharpe

                              The list of FM supported SSL certificates is very short and most (except Comodo) are pretty expensive.  Be aware that FM went with this short list as they were getting FileMaker Go out the door and as an App on the Apple store, you can't add additional certificate support later on.  They have to be included with the app.  So the ones listed are the ones FileMaker has included support on the FM Go apps.  However, if you don't use FM Go in your solution, then other certificates work too.  I used to do that until I found that I could get a FM supported Comodo certificate from SSLS.com for cheap.  Maybe in FM 14 there will be a much longer list of supported certificates, especially for FM Go.  The rumor is that FM Go for 14 has been re-written in Swift and if FM really took the time to re-write the whole app, I bet certificate support improvement will be better.  Lets hope so! 

                              • 12. Re: FMS 13v5 - SSL blocks access to databases
                                Jonathan Jeffery

                                Thanks for the extra advice.

                                 

                                As others have pointed out, it's silly (to say the least) that FileMaker choses which certificates to trust!

                                 

                                After ten years of working with certificates for web servers and mail servers, I find that FileMaker is going out of it's way to make things difficult!

                                 

                                J.

                                • 13. Re: FMS 13v5 - SSL blocks access to databases
                                  cpun

                                  Have you tried the v9 update yet?  I'm hesitant to update to it after going to v5.  Do you know if this fixed the SSL issue we've been experiencing?