
FMServer 14 SSL for WebDirect Only is possible


This topic is 3268 days old. Please don't post here. Open a new topic instead.


I have an OS X server (10.10.3 running Server.app) which is accessed two ways: via an internal LAN network using FileMaker Pro, and also via WebDirect to the public via a WAN connection through a firewall.

What I wanted was to have this setup:

  • LAN  / FileMaker Pro : no SSL (since this is a secure network)
  • WAN / WebDirect : SSL 
  • Using a cheap-o $15/year Comodo-reseller SSL certificate.

My first try was to install FMS14, and then enable SSL and install the certificates using the Admin console / Database Server / Security / "Import Certificates" button, where I imported the Key as well as a PEM file that I hand-made that included the Certificate first, and intermediate certificates immediately after.  

Although this imported, FileMaker server put up a warning that the SSL certificate wasn't from an approved vendor.  Fair enough.

Then I restarted FMServer but it wouldn't serve databases on the LAN via FMPro to FM Pro 14v1.  Disappointing, but as expected.

Here's the weird part: I couldn't figure out how to undo that certificate installation, so I ended up doing a complete uninstall and re-install of FMS14 from scratch. This time I did not enable SSL or install any certificates.

The magic is this:

  • LAN  / FileMaker Pro : files are served to FMPro and SSL is off.
  • WAN / WebDirect : SSL !  YES - the certificate is good and verifies.
  • Using a cheap-o $15/year Comodo-reseller SSL certificate.

Somehow, it looks as if my install/uninstall/reinstall steps accidentally let FileMaker's HTTP/WebDirect server keep using the SSL certificate, while preventing FMServerd from using it at all. Just like I wanted.

 

Bizarre, but I'll take it.


I wouldn't use it.  Something weird happened, and you shouldn't be surprised when it "breaks" and then nothing works because you installed a patch, OS X released an SSL update, or any number of other scenarios happen.  

 

Why not use SSL on the LAN as well? I know it's a secure network, but FileMaker hasn't really given us any way to control when connections use HTTP vs. HTTPS on a particular interface/service. You COULD accomplish this with a 2 machine deployment pretty easily, but of course that takes more than a single server license. The easiest thing to do would be to create a split DNS zone so that you can use the server's FQDN on the LAN and still get the internal IP address. You already have the requirements to do it (Mac OS X Server)...

 

 

Edited by James Gill

Well, the good news is that for a reason totally unrelated to FileMaker (a bug in OS X Server 4.1) I'm restoring the entire server from a prior Time Machine backup.

So I'll need to reinstall FMS14 and see if I can reproduce the "bug".

I would be happy to use SSL over LAN, I just don't want to pay $280 per year or whatever for an "approved" SSL certificate when perfectly good ones are available for $15.   Nor do I want to do anything fancy such as set up a 2 machine configuration or split DNS...

FMS14 really should just give us fine-grained control over this, e.g.

 

1. Use SSL for FileMaker Pro traffic?  What certificate?

2. Use SSL for WebDirect traffic?  What certificate?

etc.

 

 


A related question: It seems that FMS14 server admin doesn't have a way to "remove" a certificate once installed. You can turn off the "use SSL" checkbox, but as far as I can tell, the certificate is still installed. It seems like we need a command to "revert to default FM SSL certificate". The command-line tool doesn't seem to have this option either.

Anyone know how? 


Yes, you can just delete the serverCustom.pem, and restart the FM services. That will remove it from use on the database server, but not the web server. You will have to manually adjust the Apache settings for that (probably adjust the http.conf that WebDirect is using; it may have also copied the cert somewhere specific for Apache). Having never used FileMaker Server on a Mac, I'm not sure what the official recommendations are for that.

Also, Namecheap resells several of the supported certs:  https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx

I use the $39 thawte SSL123 on my personal dev server and it works fine.

