SSL Renewal Problems

[MacFileman]

Hi... I have been using Filemaker Cloud for three months and like others, my certificate expired. This has become my worst nightmare.

I took my problem up directly with Filemaker Support and they put their best people on my case. They even remote logged into my computer to make sure that I was doing everything exact..which I did. This is what they instructed me to do....

1) Buy A domain Name (I had one already)

2) We created a CSR/KEY File on my mac using terminal. Pretty Straight Forward, but they had me list my domain name as the "Common Name"

3) From my iCloud Dashboard I renewed my Certificate (Commodo) with the CSR we Created. I inserted my CSR and Paid for it. I received my actual certificate pretty rapidly...a few minutes.

4) Logged back into my console and "imported" my new certificate. Things were feeling good.... server rebooted.

5) They had me log into my registrar (Network Solutions) and then point my domain using CNAME at the new server location. We actually called Network Solutions and had them do it exactly.

Now I am just waiting for it to point... been a few days. Something feels way off. How is it possible that I am securing my domain when my files aren't there? If I hit the filemaker cloud server directly, it says this is unsecure. I feel like the forwarding is not working because I am forwarding into an unsecure website.

Note: this is all under the direct guidance of filemaker support!

I read a few other posts around the internet and here. Anyone else having the struggles I am having? I am losing my cool with Filemaker. Due to the seriousness of the nature, I make drop Amazon Web Services and buy a server and just do it myself, I am at a critical level, these needs to be done now!

Thanks for letting me vent... feedback welcome!

 

Mike

 

 

 

 

 

 

 

 

Edited March 2, 2017 by MacFileman
Type Adjustment

[John May - Point In Space]

You need to point a (sub)domain being used for SSL with an A record, not a CNAME record.

- John

[MacFileman]

Hey... you might be on to something. Specifically, these are screen shots of what FM Support had me do. Should I be using a sub domain? I am not using any subdomains.

 

 

 

Edited March 2, 2017 by MacFileman
Added copy

[John May - Point In Space]

I don't really understand those (proprietary) DNS configuration screens - we just configure BIND directly here.

You can use any (sub)domain you want for your certificate, as long as it has an associated A and not CNAME record.

- John

[MacFileman]

I am not this savvy with web stuff... I am going to run this by FM Support today and I will let you know how this works out.

And thanks for input!

[John May - Point In Space]

This is the problem with FileMaker Cloud - there just isn't any competent support behind it.

Have a look at our services for an alternative:

http://www.pointinspace.com/

We've been providing professional FileMaker Hosting for over 18 years.  We offer shared accounts and virtual dedicated servers running the full version of FileMaker Server (no limitations like FileMaker Cloud), and include complete management with all of our accouts.  For example, we would easily be able to assist with the SSL renewal issues you are having.

- John

[Josh Ormond]

2 hours ago, MacFileman said:

I am not this savvy with web stuff... I am going to run this by FM Support today and I will let you know how this works out.

And thanks for input!

This may or may not apply to you: One really important note: Comodo SSL Certs require additional information, that other cert authorities do not require in the CSR. Nothing in the FMI documentation told me you needed additional info. And with GoDaddy and other provides, not all of this was needed.

They require a few pieces of info that I don't remember running into with other companies. I could never get them to work without all of this info ( from the Comodo website ):

Host Name:	Enter the name to be used to access the certificate. This name is usually the fully qualified domain name (FQDN).
	For example, www.yourdomain.com or yourdomain.com
Contact Email Address:	Enter an email address at which you can be contacted.
Company or Organization:	Enter the legally registered name of your organization or company.
Department:	Enter the name of your department within the organization. For example, you can enter IT or Web Security.
Town or City:	Enter the town or city where your organization or company is located.
State or Province:	Enter the state or providence where your organization or company is located.
Country:	In the drop-down list, select the country where your organization or company is located.

[MacFileman]

On 3/2/2017 at 8:52 AM, Josh Ormond said:

This may or may not apply to you: One really important note: Comodo SSL Certs require additional information, that other cert authorities do not require in the CSR. Nothing in the FMI documentation told me you needed additional info. And with GoDaddy and other provides, not all of this was needed.

They require a few pieces of info that I don't remember running into with other companies. I could never get them to work without all of this info ( from the Comodo website ):

Host Name:	Enter the name to be used to access the certificate. This name is usually the fully qualified domain name (FQDN).
	For example, www.yourdomain.com or yourdomain.com
Contact Email Address:	Enter an email address at which you can be contacted.
Company or Organization:	Enter the legally registered name of your organization or company.
Department:	Enter the name of your department within the organization. For example, you can enter IT or Web Security.
Town or City:	Enter the town or city where your organization or company is located.
State or Province:	Enter the state or providence where your organization or company is located.
Country:	In the drop-down list, select the country where your organization or company is located.

Interesting... I think part of this though depends on how you generate your CSR and KEY file. I did mine through TERMINAL on my Mac. File maker support had me generate it by entering the following text in Terminal...

openssl req -out csr.csr -new -sha256 -newkey rsa:2048 -nodes -keyout key.key

Upon entering this code, Terminal generates a series of Questions, like the ones above you posted. When I was finished, Terminal then generated a .key and .csr file which is used at the Comodo to purchase your SSL Certificate.

 

At this time, Filemaker is spinning this back to issues at network solutions, which may be the case. It may not be... told to wait another day by Network Solutions, by the are escalating my issue.

This all said, I intend to to keep this thread updated and probably create a brand new thread with "How to do this as per Filemaker"

- I am aware Claus had a great solution, which I thoroughly inspected. Half of me wishes I went down that path,, securing the actual FMI server makes most sense since that is where the files reside, but I need Filemaker Support behind the product, his method was unsupported.

- I am also entertaining Point in Space... probably eliminate every headache imaginable.

- I am also entertaining just making my own server internally. Kind of a Headache, but I own FM Server 15

One thing is extremely clear. Filemaker Cloud is not as simple or friendly. It is very new and they appear to be "winging it" as they go. Amazon Web Server is just a pain in the rear. I got that part up fairly easily, but would be difficult for most users.

 

 

Edited November 3, 2017 by Lee Smith
removed unnecessary white space

[John May - Point In Space]

Note that our pricing is competitive with AWS as well, once you factor in their hidden backup and processor time charges.

- John

[MacFileman]

15 minutes ago, John May - Point In Space said:

Note that our pricing is competitive with AWS as well, once you factor in their hidden backup and processor time charges.

- John

Still tempting... need a few days before I make a drastic move like that, but thanks!

[Josh Ormond]

If that is the code you used to generate the CSR, that is likely at least partially why it's not working. I fought with this with a Comodo cert for while.

This is Comodo's sample code from their website. As you can see, it has the additional info:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"

 

[MacFileman]

1 hour ago, Josh Ormond said:

If that is the code you used to generate the CSR, that is likely at least partially why it's not working. I fought with this with a Comodo cert for while.

This is Comodo's sample code from their website. As you can see, it has the additional info:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"

 

The code I posted earlier did work. I was able to get the certificate and install into my Filemaker Cloud and it rebooted, etc. There was a minor glitch, the password I put into Terminal for the CSR and Key was not the password when I installed it. (We might be talking about different issues) It turns out, there was no password at all and that field was left blank for it to work.

My actual problem is getting my website that is now secured to point to my FMI server...I am possible having a problem now with my Registrar and the CNAME Panel pointing it correctly, If I make a change in a setting it is like a 24-48 wait time... very frustrating. FIlemaker says it my Registrar.

Right now I am in Limbo and my registrar, Network Solutions, is also looking into the matter. I am trying t be patient, but the whole process does not feel right. I am securing a website where my files are not located, but Filemaker assures me this is the process.

 

 

[MacFileman]

Current update......

So, the first simple domain I bought with Network Solutions will not point to the FM Cloud Server. After all my back and fourth with FM Support... I bought a new domain from a registrar of their choice, iPage. I gave them the credentials to point it themselves. They logged in and made the settings. New domain is not pointing to my server...I have to laugh at this point. It might by morning, I will give them the benefit of the doubt.

I discussed this with my IT guru who happens to be away for two weeks magically while my SSL Cloud Certificate expired. Coincidence? Anyway, he feels its rather ridiculous to buy a website to "point" to the cloud server, and secure the site that the files are not even on. This is extremely convoluted he says.

For the nonbelievers, I am working directly with FM Support to re-secure my FM Cloud Files. I have spent 10+ hours this week on the phone with them. I thought I would also share their published recomandation.

http://help.filemaker.com/app/answers/detail/a_id/16125/track/AvMawQoYDv8S~ZOfGmQc~yJfbe8qNy75Mv_g~zj~PP9p

I have followed these steps forward and backwards.... something is up! I love Filemaker, we all do here... but the cloud is not thought out on their part. Filemaker is a huge company, why don't they just put in their own servers, secure it all and cut this third party non-sense out with Amazon and Comodo?

Updates coming tomorrow!

 

Mike

 

 

 

 

 

 

 

 

 

 

Edited March 3, 2017 by MacFileman
Typo

[MacFileman]

Last update....setting up a Filemaker Server is way easier then dealing with Filemaker Cloud! I am pleased to report that I just canceled my AWS Account. I had a server up and running in under 10 minutes. 

My advice... do not do Filemaker Cloud until they get their act together.

 

Sorry, John May at Point in Space... I had the computer and I own Filemaker Server... just easier and no monthly Fees.

 

Edited November 3, 2017 by Lee Smith
white space

[Claus Lavendt]

Just want to note that FileMaker Cloud is not a bad product. For some, it is a good option.

Also be aware that this is really version 1.2 og the cloud, so it does have some rough edges. In particular, the SSL part was way too difficult, even for advanced admins. That's the reason I created a free tool and a video with Richard to help out.
I am glad to see that FMI did listen to my suggestions regarding the SSL process, so they have built-in an easy way to renew the Comodo certificate via FileMaker Store.
This is an easy way for people, who is ok with the default domain (myserver.fmi.filemaker-cloud.com)
 

In case you want to use your own domain name, you will need to setup a CNAME record in your public DNS, that points to the FileMaker provided FQDN of your instance. The reason is that FM Cloud instances does not have static IP addresses so the IP does rotate. You can only setup an A-Record to a static IP.
Your SSL certificate needs to be for your own domain name and you will need to do most of the complicated parts manually.
However, even though my tool was created to renew the Comodo certificate, you can still use it to create a CSR and then you can use the Cloud Admin Console to import the signed SSL certificate you get from you vendor of choice. (if supported by FileMaker)
Domain name purchase can happen through any seller of your choice.

Using a FileMaker Hosting provider is also a good option for some, and we have several in the community, who also provide great support.