
Intermediate Certificate Installation Woes


This topic is 2136 days old. Please don't post here. Open a new topic instead.


My production FileMaker Server 14 running on Mac OS X 10.11 El Capitan (not Mac OS X Server) has been running fine for a year since I last installed the Thawte SSL certificate.  After renewing the certificate this year, I've tried various different methods of importing the new certificate, which came with an intermediate certificate, but I can't seem to get the intermediate certificate installed.  I've been mostly using something like:

sudo fmsadmin certificate import --keyfile /Users/richardfincher/Desktop/GBROOMX36-4X/private.key /Users/richardfincher//Desktop/GBROOMX36-4X/ssl_certificate.crt

 

I've also tried importing it through the web control panel.  It was necessary to remove the old private key thus:

sudo rm /Library/FileMaker\ Server/CStore/serverKey.pem

After it is (apparently) installed, I usually restart with:

sudo fmsadmin restart adminserver

although a few times I have rebooted the server (not a VM).

 

Any thoughts welcome....

 

Oh, one thing is, a year ago it might have been still on Mac OS X 10.8.5 Mountain Lion, which was the previous OS before I upgraded it.


Thanks, but even starting the whole box doesn't help.

I think I'm not using the right syntax to import the intermediate cert.  Not sure if I'm even supposed to be concatenating it with the issued certificate or importing them separately, as FMS14 makes no reference to intermediate certificates.  If I didn't know better, I'd suspect it couldn't import them at all (but I did it last year).


Agreed.  I tried in both orders.  No joy.  One way it accepts the submission but doesn't serve it via https.  The other it doesn't accept.  Suspect it's only accepting the first one and ignoring anything after that.  


Yes, this is just a renewal of an existing certificate.  (Thawte)

Although I do remember it not being a picnic last year also.

Thawte are now Symantec / DigiCert, so there may have been a change of intermediate certificate, but I didn't use last year's one; I am trying to import the one I was sent this year.  Perhaps they sent me the wrong one?

 

The SHA1 definitely rings a bell, will read some more about that.

 

Also, my command line OpenSSL tests show that no intermediate cert is being exchanged via https on ports 443 and 16000 by FMS at all. It's not that it's sending the wrong one, it's just sending the issued cert on its own.

 

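Added example, not part of the original posts: the OpenSSL check described in the post above can be scripted by reading the "Certificate chain" section of openssl s_client output and testing whether each certificate's issuer matches the next certificate's subject. The function name chain_status, the variable names and the certificate names in the samples are constructed for illustration; HOST is a placeholder.

```shell
#!/bin/sh
# Added example. Classifies the "Certificate chain" section printed by:
#   openssl s_client -connect HOST:PORT -showcerts </dev/null
# HOST is a placeholder; the thread tested ports 443 and 16000.

# Reads s_client output on stdin and prints one verdict:
#   no-certs        no chain entries found
#   self-signed     one cert whose issuer equals its subject
#   leaf-only       one cert with a different issuer (intermediate not sent)
#   chain-ok N      N certs, each issuer matches the next cert's subject
#   chain-broken N  N certs, but some issuer/subject link does not match
chain_status() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no-certs"; exit }
      if (n == 1) {
        if (subj[1] == iss[1]) print "self-signed"; else print "leaf-only"
        exit
      }
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "chain-broken " n; exit }
      print "chain-ok " n
    }'
}

# Constructed sample: the situation in the thread (issued cert sent alone).
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:/CN=fms.example.test
   i:/CN=Constructed Intermediate CA'

# Constructed sample: leaf followed by its intermediate.
SAMPLE_FULL='Certificate chain
 0 s:/CN=fms.example.test
   i:/CN=Constructed Intermediate CA
 1 s:/CN=Constructed Intermediate CA
   i:/CN=Constructed Root CA'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_status   # leaf-only
printf '%s\n' "$SAMPLE_FULL" | chain_status        # chain-ok 2
```

Against a live server, pipe the s_client output for each port into chain_status; a "leaf-only" verdict means clients that do not already hold the intermediate cannot build a path to the root.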

I have arrived at a temporary solution, which was appending the intermediate certificate to the "root.pem" file using vi, which is in the CStore directory.  It is reset when the server is rebooted, but I can live with that for now.

 

 
