When connecting to FMS via an FMP client we’re getting an alert: “FileMaker Pro can’t verify the identity of ‘[domain.name.com]’”.
It goes on to say “An SSL certificate encrypts data sent to and from the host to keep the data private. The certificate for this host is invalid and it can’t be verified. Do you want to connect anyway?”
It connects, but instead of getting a green icon, we’re getting an orange one.
Thanks for the quick reply.
It has worked in the past, on an earlier version of FMS/FMP. Plenty has changed since then.
We set up the server and certificate, and control the domain. We’d prefer not to post it on a public forum.
The domain is managed on a hosting provider. We use a subdomain dedicated to FMS whose A-Record points to the IP address where FMS is hosted.
#1 is the FMP popup we get when connecting to FMS from FMP
#2 is the popup after clicking “view certificate” in #1
#3 & #4 are grabs from the “details” section where “critical” is listed as “YES”
The process we used:
Generated the certs using Certbot
Imported certs to FMS Console UI > Database Server > Security > Import Certificate…
With “cert.pem” imported to “Signed Certificate File” and “privkey.pem” imported to “Private Key File”
@ovunque, since you created this under “Server” instead of “Help”, you missed out on the standard questionnaire for new help topics, including the note about domain names. It’s much, much easier for us to help in most cases when you provide the real domain name. You’re not actually concealing anything that isn’t already made publicly available the moment you issue a certificate. All Let’s Encrypt certificates are permanently logged to the publicly-available Certificate Transparency logs. As such, obfuscating this information is not increasing secrecy of the domain names, but rather hindering the community in assisting you.
Not using the intermediate certificate (chain.pem). Should we?
The two domains are indeed exactly the same. The first one, of course, tags the FMS port :5003.
The port isn’t important - certificates are port-agnostic. However, some browsers will return errors if you’re not serving the chain as well. How to do this varies among webservers. Sometimes you just append it to the certificate (this is what fullchain.pem is), and sometimes you specify them separately.
Thanks jared.m for the note about domains. It didn’t seem wise to be announcing a domain that is currently in the middle of being secured and not quite working (it’s a database server, not a web host). The databases themselves are also secured and encrypted, but just the same. But I understand what you’re trying to communicate.
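The import procedure above (cert.pem and privkey.pem, no chain.pem) and jared.m’s point about serving the chain can be reproduced locally. The following is an added example, not code from this thread, from FileMaker or from Certbot: it builds a throwaway root, intermediate and leaf with openssl (standing in for Let’s Encrypt’s hierarchy), lays the files out the way Certbot names them, and shows that a client holding only the root cannot verify the leaf by itself but can once the intermediate (chain.pem, i.e. the second half of fullchain.pem) is supplied. It assumes openssl is installed; fms.example.test is a placeholder hostname, and show_served_chain is a hypothetical helper name for the live check against a real server.

```shell
# Added example (not from the thread, FileMaker or Certbot): build a throwaway
# root -> intermediate -> leaf chain with openssl and show why a client that
# only receives cert.pem cannot verify it, while cert.pem + chain.pem works.
# Assumptions: openssl is installed; fms.example.test is a placeholder name.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="fms.example.test"

# issue NAME SUBJECT CA_CERT CA_KEY EXTFILE: make a CSR for NAME and sign it
# with the given CA using the extensions in EXTFILE. With an empty CA_CERT
# the CSR is self-signed (that is the root).
issue() {
  name=$1; subject=$2; ca_cert=$3; ca_key=$4; ext=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$ca_cert" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 7 -sha256 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_cert" -CAkey "$ca_key" \
      -CAcreateserial -days 7 -sha256 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"

  issue root "/CN=Example Root" "" "" "$WORK/ca.ext"
  issue int  "/CN=Example Intermediate" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext"
  issue leaf "/CN=$HOST" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext"

  # Mirror Certbot's file layout: cert.pem (leaf), chain.pem (intermediate),
  # fullchain.pem (leaf followed by intermediate), privkey.pem (leaf key).
  cp "$WORK/leaf.pem" "$WORK/cert.pem"
  cp "$WORK/int.pem"  "$WORK/chain.pem"
  cp "$WORK/leaf.key" "$WORK/privkey.pem"
  cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# Number of certificates in a PEM bundle (cert.pem = 1, fullchain.pem >= 2).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# What a client sees when the server sends only cert.pem: the trusted root
# cannot be linked to the leaf, so verification fails (non-zero exit status).
verify_leaf_only() { openssl verify -CAfile "$WORK/root.pem" "$WORK/cert.pem" >/dev/null 2>&1; }

# What it sees when the server also sends chain.pem (i.e. serves fullchain.pem).
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# Live check against a real host (needs network; not run here): count the
# certificates the server actually sends, e.g. show_served_chain host 5003.
# A result of 1 means only the leaf is served and clients must fetch or
# already hold the intermediate themselves.
show_served_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_chain
if verify_leaf_only; then echo "leaf alone: OK"; else echo "leaf alone: cannot verify (missing intermediate)"; fi
if verify_with_chain; then echo "leaf + chain.pem: OK"; fi
```

The practical takeaway is the same as jared.m’s: whether the server software wants one concatenated file (fullchain.pem) or the leaf and intermediate as separate inputs, the intermediate has to reach the client somehow, and the live `openssl s_client -showcerts` check is the quickest way to see what the server is actually sending on the port in question.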
Regarding chain.pem, I suspect you’re honing in on where the problem is.
The GetSSL.sh script passes /Library/FileMaker Server/HTTPServer/htdocs to Certbot as the webroot, and Certbot writes to .well-known/acme-challenge/ within the htdocs directory.
It's very easy to figure out what the domain is from the certificate expiry time, which is in one of the screenshots.
@_az The GetSSL.sh script passes /Library/FileMaker Server/HTTPServer/htdocs to Certbot as the webroot, and Certbot writes to .well-known/acme-challenge/ within the htdocs directory.