The SSL Certificate on this server could not be verified -SCSetBaseURL

[jrie818]

Just upgraded to FileMaker Server 12 Advanced. Installed SuperContainer 2.864. Have my SSL Certificate installed and verified. IWP is working fine. I can upload and download files using IWP. I can also access the SuperContainer via web browser, I can upload and download as well.

 

But when I load the SCSetBaseURL on my script and check for an error, this is what I get.

 

"Unable to connect to https://myserver.com/SuperContainer/Files. The SSL certificate on this server could not be verified."

 

So I cannot use the companion plugin inside my FileMaker solution.

 

Is there anything I need to reset so that the plugin would recognize that the SSL certificate is valid?

 

Please help, thanks!

[sarah360works]

Hello Jrie,

 

 

The companion plugin uses Java, which does not trust self signed certificates or certain authorities. There are no options in the plugin to trust the certificate, but you can import the certificate into Java and let it trust the certificate. Please make sure you find the correct Java directory, as you may have multiple versions of Java installed.  You will need to do this for each machine accessing the solution.

 

 

First, export the certificate from your web server. Use Firefox to go to the https:// address of your server. From the menu bar, go to Tools->Page Info->Security->View Certificate->Details->Export. Leave the format set to 'X.509 Certificate (PEM)' and save the certificate file somewhere on your hard drive.

 

Next, import the certificate into your Java key store.

 

For OS X, go into Terminal and then cd into your Java lib/security directory, like this:

cd /Library/Java/Home/lib/security/

On Windows, Java may be installed in your Program Files. Using the Command window running as administrator, use the dir command to navigate to the Java lib/security directory.

 

In both Windows and Mac, run the following command to add the certificate to your keystore. Add sudo to the beginning of the command for Mac users.

keytool -importcert -file /path/to/theCertficate.com -trustcacerts -alias myServerName -keystore cacerts

Replace /path/to/theCertificate.com with the path to the certificate that you exported in step 1, and replace myServerName with some descriptive name of your server. This can be anything; it's just a reference for if you need to edit/delete it later.

 

You may be prompted for a keystore password - if you've never changed it, it will be 'changeit' or 'changeme'.

 

You'll be asked whether to trust the certificate - just put in 'yes' without quotes.

 

I hope this helps. Please let me know how it goes! 

 

Thank you,

Sarah Mulligan

360Works

[jrie818]

Thank you! Greatly appreciated. I will try that one out.

 

In the meantime, I read something in the companion plugin documentation about the SCSetBaseURL parameter selfSignedSSL.

 

It says "Example: selfSignedSSL=1". But it doesn't say what it means. Does it mean to allow self signed SSL if value is "1"? What about other values? Does "0" or "2" mean anything? One more thing, in the main documentation it also mentioned "selfsignedssl" parameter and i tried using it and it didn't work. But after reading the companion plugin documentation and tried "selfSignedSSL=1" parameter, it worked. So I guess, the parameter is case sensitive.

 

Can you give us more info about this parameter? And what does it mean regarding security?

I'd prefer to do it this way because I have clients that uses different computers from different places. It would be impossible for me to configure Java in each of the computers that they are going to use.

[Valentin]

You're better off using the "selfSignedSSL=1" flag, this flag tells SuperContainer plugin not to validate the SSL certificate, which it is impossible to validate a self signed cert. b/c there is not authority that's backing it.

 

What Sarah suggested is importing the certificate into the Java root certificate store, this is a better solution from security standpoint as long as you are sure that you're getting the correct certificate from the web server, i.e. there no man-in-the-middle attack and no one is spoofing your DNS, that's the whole point of SSL certificate validation.  But you would need to do this import on every machine that uses the companion plugin.

 

as for the meaning of '1', this is a binary flag so 0 would turn off acceptance of self singed certificates, this is the default behavior, 1 would turn it on, so would 2, so would selfSignedSSL=true, we put the selfSignedSSL=1 in the docs for simplicity.

[toolhead]

it looks like this thread is referring to installing SSL FMS 12 on OS X Mavericks
Does anyone a how to guide for installing SSL on FMS 13 server?