WPE not responding w/ SSL

[yerin]

I'm currently running FileMaker Server 8.04 Advanced on a Mac OS X 10.4.6 Server. In getting this setup, the Admin Console talks with the Publishing Engine fine when SSL is NOT enabled. However, as soon as I turn on SSL via the Server Admin program, the Admin Console claims that the Publishing Engine is not responding. (In addition to the error message at the top of the Admin console that says "An unexpected error has occurred.")

The exact message I see for the WPE is "The Publishing Engine is not responding. If the Publishing Engine has not yet been configured, click here to continue."

All of the components are running on the same machine. I have all the ports that I can think of turned on on the Firewall.

This all works on Port 80, but I really need it to work on 443.

Thanks muchly in advance!

[Steven H. Blackwell]

You must use the certificate name from the domain to refer to the Server, not the IP address, when using SSL in this fashion.

Also, please remember that unless the web server and the WPE are on the same machine that the channel between them is not encrypted.

Steven

[yerin]

The certificate name does refer to the hostname and not IP address of the Server. And both the web server and WPE are on the same machine.

After doing some poking around, I discovered that connections from other machines to the httpd server documents root does not result in OpenSSL errors in my SSL log, but as soon as I attempt to connect via the fmi/config pages, I'm getting OpenSSL handshake errors (certificate unknown). It appears that maybe I may need a root certificate for our site installed, but I'm not sure where.

Here's part of the error log btw in case you're interested:

[24/Aug/2006 17:00:12 01219] [info]  Connection to child 1 established (server keyserver1.cc.cmu.edu:443, client 127.0.0.1)

[24/Aug/2006 17:00:12 01219] [info]  Seeding PRNG with 1160 bytes of entropy

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Handshake: start

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Loop: before/accept initialization

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Loop: SSLv3 read client hello A

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Loop: SSLv3 write server hello A

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Loop: SSLv3 write certificate A

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Loop: SSLv3 write server done A

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Loop: SSLv3 flush data

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Read: SSLv3 read client certificate A

[24/Aug/2006 17:00:12 01219] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A

[24/Aug/2006 17:00:12 01219] [error] SSL handshake failed (server keyserver1.cc.cmu.edu:443, client 127.0.0.1) (OpenSSL library error follows)

[24/Aug/2006 17:00:12 01219] [error] OpenSSL: error:14094416:lib(20):func(148):reason(1046)

[Steven H. Blackwell]

The certificate name does refer to the hostname and not IP address of the Server. And both the web server and WPE are on the same machine.

What about in the WPE configuration setup? Is it referenced there as well by name, not by IP address.

Steven

[yerin]

Hrm. I'm actually not sure where you would set specify the IP for the WPE (I'm new to FileMaker Server). When you bring up /config/fmi in the https web page, it claims that the Web Server is on 128.2.10.142 (I haven't found where you can change this). And it says that the Publishing Engine isn't responding on localhost even though it is definitely installed on the same machine. I've even tried to change this to the hostname, but the server won't let me commit any changes (the button is grey'd out).

If screenshots would help, I can send those over. Any of the configuration that's been done has been without using SSL (such as IP restrictions to the Admin console). As soon as I turn on SSL, load up the admin console on https, log in (successfully), it has "An unexpected error has occurred" in red at the top of the Overview screen.

I'm sorry if i'm not quite following you :)

[yerin]

if it helps, i just uninstalled, deleted all FileMaker server directories and files, and then reinstalled from scratch both the Web Publishing app and the Server Advanced.

i'm still at the same place/problem.

[yerin]

Well, after much pain, I broke down and called FileMaker Support (and used my one free tech support call). The answer I got was this:

You CANNOT run the /fmi/config setup for the Web Publishing Engine over an SSL connection. All the setup for the Databases must be done over http (Port 80) first. Then after it's setup, you can turn on SSL (SSL) and acces the databases via https.

[PBainbridge]

I've tried that one unfortunately. I have two domains on one OS X 10.4 Server, one uses ssl for secure connections, the other is an open website. If I carry out the setup over port 80 for the secure domain (ssl disabled) and then turn ssl back on, I can indeed log in using ssl .. but I can also log in to the databases on port 80 (of either domain) as the Web Admin Console picks up the IP address only, not the domain. Specifying the Publishing Engine as being on a different server (with the name of the https domain) doesn't seem to stop port 80 access either. Any ideas what I'm doing wrong?

Does anyone know of a solution to this

[txjcfsr]

I'm having the same issues on a Mac, using Apache, with SSL. I can't access the WPE to restart it, or anything. I have tried using a URL for port 80, to no avail.

Does anyone know how to get around this?

[txjcfsr]

OK...went to my other mac using SSL via Apache with FMSA8 and had no problem accessing the admin pages. This has to be an error with the SSL configuration, or a permissions issue. Will post more data when I have time to work on this further.

Thanks

[PBainbridge]

Accessing the admin pages over ssl shouldn't be a problem, but the WPE ID and password are not accepted. However, as Yerin was told by FM Support, the admin SHOULD be over port 80. This has no bearing on how the end users will access the pages.

Personally I have used apache mod_rewrite and mod_alias to ensure that all requests to /fmi/iwp (at any domain) now go to the correct domain on port 443.

[txjcfsr]

OK..went back in and modified apache configuration and am now able to access the admin page with SSL running on mod_ssl via apache.

The problem was not with filemaker, per se, it was due to configuration in apache. The only issue is that I am not aware of what it was specifically, I just compared the apache configuration to another server that I had, on which I was able to access the admin page via ssl, and compared them line by line. After making a few changes, it worked.

My advise is to review the apache settings.