Web traffic is encrypted, but not database connections

[BrentHedden]

Using FileMaker Server 14.0.4.413 on Windows Server 2012 R2.  I received a certificate from Comodo, and installed it through the command line tool as instructed from FM Inc. No errors give, and the ServerCustom.pem file was created as expected.

After rebooting the server, the web traffic (the Admin Console connection) shows the green lock indicating HTTPS is working. But when I check the 'Use SSL for database connections' in the Admin Console, the warning message underneath the checkbox states that the custom SSL cert installed did not originate from a CA supported by FileMaker.  With this option checked, no WebDirect or FMPro clients can see the hosted files.  

Is there a step that I didn't follow or overlooked?  I've installed certs on other FMServers without an issue, so I'm scratching my head on why this instance isn't working as expected.

 

[ggt667]

Without seeing the list you followed it's kind of hard to know if you skipped a step; or the author of the list did.

Edited April 21, 2016 by ggt667

[Josh Ormond]

What was the exact cert you purchased? If it's not the EliteSSL, its not supported. I ran into the same issue trying to get the correct cert from Comodo. Though I couldn't get the database engine to launch at all with an incorrect cert.

[BrentHedden]

I'm following these instructions specifically. 

You're probably right, Josh.  Another department handles the actual purchase of certs, so it's very susceptible that they got the wrong type.  I'm checking on that now.  A bit frustrating that FM would accept and import the wrong type when their specs state that ONLY the Elite type is compatible.  But I can also see it being handy if someone only needed to worry about web traffic and not the internal communications.  Which would seem like a rare case with using FileMaker.....

[Josh Ormond]

Right, and the other thing to remember, is that most certs are really the same...or at least function the same so FM doesn't know it's not a compatible cert. It really has to do with what is going on at the Cert Authority end. If I understand it correctly.

[Wim Decorte]

I believe there are also issues with certs issued by Comodo resellers.  Something to check...

[BrentHedden]

For anyone who is reading this after the fact - If you use Comodo as the vendor, then you HAVE to get the EliteSSL type in order to encrypt FMP traffic.  The base cert they offer only covers web traffic, and not internal traffic.  It costs more money, but it's the only way to make this work.

[Wim Decorte]

Ayep, can't really deviate from this list: https://help.filemaker.com/app/answers/detail/a_id/11413

 

[Ocean West]

so for the past 3 weeks i've been dealing with this myself I had a GeoTrust QuickSSL Premium that was working just fine and one day without warning my SSL expired -

( would be nice if FMS would send notice that SSL Cert is expiring like other web servers do)

I thought ok lets renew because this SSL worked just fine. But low and behold the latest update put my SSL on the chopping block only indicated by three little asterisk in a footnote on the KB article

Quote

*** New certificates issued after October 2014 (Entrust AdvantageSSL) or February 2016 (GeoTrust QuickSSL Premium) are not supported.

And because I got no "error" during installation I thought everything was fine - but when installed and running FMP got a connection failed when attempting to connect to server. But not after many restarts and reinstallation's of FMS and several times revoking and reissuing this SSL from the CA.

FMI needs to fix the KB matrix and make deprecated and unsupported SSL in BIG BOLD RED not some afterthought footnote.

This issue affected me and a client because they had the same SSL. And I was spinning my wheels for so many days trying to get something working that would not work.