Jump to content
Claris Engage 2025 - March 25-26 Austin Texas ×

This topic is 3470 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Posted

I have an OS X server (10.10.3 running Server.app) which is accessed two ways: via an internal LAN network using FileMaker Pro,  also via WebDirect to the public via a WAN connection through a firewall.

What I wanted was to have this setup:

  • LAN  / FileMaker Pro : no SSL (since this is a secure network)
  • WAN / WebDirect : SSL 
  • Using a cheap-o $15/year Comodo-reseller SSL certificate.

My first try was to install FMS14, and then enable SSL and install the certificates using the Admin console / Database Server / Security / "Import Certificates" button, where I imported the Key as well as a PEM file that I hand-made that included the Certificate first, and intermediate certificates immediately after.  

Although this imported, FileMaker server put up a warning that the SSL certificate wasn't from an approved vendor.  Fair enough.

Then I restarted FMServer but it wouldn't serve databases on the LAN via FMPro to FM Pro 14v1.  Disappointing, but as expected.

Here's the weird part:  I couldn't figure out to un-do that certificate installation, so ended up doing a complete uninstall and re-install of FMS14 from scratch.   This time I did not enable SSL or install any certificates.

The magic is this:

  • LAN  / FileMaker Pro : files are served to FMPro and SSL is off.
  • WAN / WebDirect : SSL !  YES - the certificate is good and verifies.
  • Using a cheap-o $15/year Comodo-reseller SSL certificate.

Somehow, it looks as if my install/uninstall/reinstall steps accidentally let FileMaker's HTTP/WebDirect server keep usingthe SSL certificate, while preventing FMServerd from using it at all.   Just like I wanted.

 

Bizarre, but I'll take it.

 

 

Posted (edited)

I wouldn't use it.  Something weird happened, and you shouldn't be surprised when it "breaks" and then nothing works because you installed a patch, OS X released an SSL update, or any number of other scenarios happen.  

 

Why not use SSL on the LAN as well?  I know it's a secure network but Filemaker hasn't really given us any way to control when connections use HTTP vs. HTTPS on a particular interface/service.  You COULD accomplish this with a 2 machine deployment pretty easily, but of course that takes more than a single server license, but the easiest thing to do would be to create a split DNS zone so that you can use the servers FQDN on the LAN and still get the internal IP address.  You already have the requirements to do it (Mac OS X Server)...

 

 

Edited by James Gill
Posted

Well, the good news is that for a reason totally unrelated to filemaker (a bug in OS X Server 4.1) I'm restoring the entire server from a prior time machine backup.  

So I'll need to reinstall FMS14 and see if I can reproduce the "bug".

I would be happy to use SSL over LAN, I just don't want to pay $280 per year or whatever for an "approved" SSL certificate when perfectly good ones are available for $15.   Nor do I want to do anything fancy such as set up a 2 machine configuration or split DNS...

FMS14 really should just give us fine-grained control over this, e.g.

 

1. Use SSL for Filemaker Pro traffic?  What certificate?

2. Use SSL for WebDirect traffic?  What certificate?

etc.

 

 

Posted

A related question: It seems that FMS14 server admin doesn't have a way to "remove" a certificate once installed.   You can turn off the "use SSL" checkbox, but as far as I can tell, the certificate is still installed.   It seems like we need a command  to "revert to default FM SSL certificate".    The command-line tool doesn't seem to have this option either. 

Anyone know how? 

Posted

Haven't tried it yet on FMS14, but in 13 you can just delete the "custom" files from the FMS CRoot folder...

Posted

FMS14 is the same.  Had to do it a number of times because of the SSL cert bug preventing me from using SSL certs on FMS14.

Posted

Yes, you can just delete the serverCustom.pem, and restart the FM services.  That will remove it from use on the database server, but not the web server.  You will have to manually adjust the Apache settings for that (probably adjust the http.conf that WebDirect is using, it may have also copied the cert somewhere specific for Apache).  Having never used FileMaker server on a Mac, i'm not sure what the official recommendations are for that.

Also, namecheap resells several of the supported certs:  https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx

I use the $39 thawte SSL123 on my personal dev server and it works fine.

This topic is 3470 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.