BrentHedden

Web traffic is encrypted, but not database connections


Using FileMaker Server 14.0.4.413 on Windows Server 2012 R2. I received a certificate from Comodo, and installed it through the command line tool as instructed by FM Inc. No errors were given, and the ServerCustom.pem file was created as expected.

After rebooting the server, the web traffic (the Admin Console connection) shows the green lock indicating HTTPS is working. But when I check the 'Use SSL for database connections' in the Admin Console, the warning message underneath the checkbox states that the custom SSL cert installed did not originate from a CA supported by FileMaker.  With this option checked, no WebDirect or FMPro clients can see the hosted files.  

Is there a step that I didn't follow or overlooked?  I've installed certs on other FMServers without an issue, so I'm scratching my head on why this instance isn't working as expected.

 


Without seeing the list you followed it's kind of hard to know if you skipped a step; or the author of the list did.

Edited by ggt667


What was the exact cert you purchased? If it's not the EliteSSL, it's not supported. I ran into the same issue trying to get the correct cert from Comodo. Though I couldn't get the database engine to launch at all with an incorrect cert.


I'm following these instructions specifically. 

You're probably right, Josh.  Another department handles the actual purchase of certs, so it's very susceptible that they got the wrong type.  I'm checking on that now.  A bit frustrating that FM would accept and import the wrong type when their specs state that ONLY the Elite type is compatible.  But I can also see it being handy if someone only needed to worry about web traffic and not the internal communications.  Which would seem like a rare case with using FileMaker.....


Right, and the other thing to remember, is that most certs are really the same...or at least function the same so FM doesn't know it's not a compatible cert. It really has to do with what is going on at the Cert Authority end. If I understand it correctly.


I believe there are also issues with certs issued by Comodo resellers.  Something to check...


For anyone who is reading this after the fact - If you use Comodo as the vendor, then you HAVE to get the EliteSSL type in order to encrypt FMP traffic.  The base cert they offer only covers web traffic, and not internal traffic.  It costs more money, but it's the only way to make this work.


So for the past 3 weeks I've been dealing with this myself. I had a GeoTrust QuickSSL Premium that was working just fine, and one day without warning my SSL expired -

(would be nice if FMS would send notice that the SSL cert is expiring like other web servers do)

I thought, OK, let's renew, because this SSL worked just fine. But lo and behold, the latest update put my SSL on the chopping block, only indicated by three little asterisks in a footnote on the KB article.

Quote

*** New certificates issued after October 2014 (Entrust AdvantageSSL) or February 2016 (GeoTrust QuickSSL Premium) are not supported.

And because I got no "error" during installation I thought everything was fine - but when installed and running, FMP got a "connection failed" when attempting to connect to the server. But not after many restarts and reinstallations of FMS and several times revoking and reissuing this SSL from the CA.

FMI needs to fix the KB matrix and make deprecated and unsupported SSL in BIG BOLD RED not some afterthought footnote.

This issue affected me and a client because they had the same SSL. And I was spinning my wheels for so many days trying to get something working that would not work.

 

 
