Solved

FME Server HTTPS configuration - hostname

  • 15 September 2022
  • 6 replies
  • 18 views

Userlevel 3
Badge +26

I am trying to configure FME Server for HTTPS using a client-provided pfx certificate. I have used this documentation, successfully completing steps 1-6. However, I'm getting this error: [image]

I suspect there is an issue with the certificate, but I'm unsure where to begin looking, or how to fix it.

When looking at the certificate details, the Owner CN is '*.<client_website>.com', which differs from the local host FME Server is installed with. Is this the same as the hostname?


Best answer by hkingsbury 15 September 2022, 22:52


Userlevel 5
Badge +29

You're accessing "localhost" not the url/hostname that the SSL Cert is for - so the above is expected. It's the browser saying "you asked me to go here (localhost) but the website is saying it's (abc.xyz), are you sure you're in the right place"

During setup, I'd expect this, however if you're getting it when accessing FME Server via the URL that matches the SSL Cert then there is likely another issue.

Userlevel 3
Badge +26


Very new to Server config, so bear with me.

Previously this install of Server was configured as http://awsapps044/fmeserver. Everything worked fine with this url. We were tasked with upgrading this to a secure configuration, and were provided the pfx certificate to use. After doing steps 1-6, I also got the same error in the original post when trying to access via https://awsapps044/fmeserver. I verified the certificate was successfully imported using the Helpful Tomcat Commands here: FME Server Troubleshooting: Configuring for HTTPS/SSL (safe.com)

I suspect I will need to request a new certificate from the client. If so, would that be a certificate for https://awsapps044/fmeserver?

Userlevel 5
Badge +29


The URL that the client uses to connect to FME Server needs to match the URL in the SSL Cert, so if they're only going to use the machinename to access it, then the cert needs to match that.

This also includes any external applications and users, so if there is a user/application accessing FME Server externally from the client's network, then the machinename SSL Cert will cause errors.

It's probably best to have a chat with your client's network/IT department to understand how their network is configured and how they want it all to behave.

Userlevel 3
Badge +26


Thanks @hkingsbury - This is very helpful.

Userlevel 3
Badge +26


One more question - if the client wishes to access FME Server both internally and externally, can both URLs be defined in a single SSL cert?

Userlevel 5
Badge +29


Yes/no/maybe. It really depends on how the whole network infrastructure is set up. Here are two examples I commonly see:

  1. Machine is only accessed through the full url over https. There may be different routing for an internal client vs external, but only the url is used
  2. Internally, the machine is only accessed via http, either through the machine name or url (no ssl certs to worry about). The internal network config makes sure to only route the url via http. External access is via https only. When an external user's request reaches the network, the first hop is through a load balancer/firewall. This decrypts the https and reroutes it internally through http

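The hostname check discussed in this thread, as an added example that is not part of the original posts or of FME Server: a simplified version of the name matching a browser applies to a certificate's DNS names, run against the thread's `localhost` and `awsapps044` and against a certificate that lists several names. `client-site.example` and `fme.client-site.example` are constructed stand-ins for the redacted client domain, and the function names are hypothetical.

```python
import ipaddress


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Simplified RFC 6125-style check: does one certificate DNS name cover host?"""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if _is_ip(host):
        return False  # IP addresses are never matched against DNS names
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or several
    if p_labels[0] == "*":
        # Wildcard only as the whole left-most label, and never as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_names(cert_dns_names, url_host):
    """List the certificate names that cover the host typed into the browser."""
    return [n for n in cert_dns_names if name_matches(n, url_host)]


def audit(cert_dns_names, hosts):
    """Map each host users will type to True/False: does the cert cover it?"""
    return {h: bool(covering_names(cert_dns_names, h)) for h in hosts}


# Constructed sample data: "client-site.example" stands in for the redacted
# <client_website>.com; awsapps044 and localhost come from the thread.
WILDCARD_ONLY = ["*.client-site.example"]
MULTI_NAME = ["fme.client-site.example", "awsapps044"]
HOSTS = ["localhost", "awsapps044", "fme.client-site.example", "a.b.client-site.example"]

if __name__ == "__main__":
    for label, names in (("wildcard only", WILDCARD_ONLY), ("multi-name", MULTI_NAME)):
        print(label, audit(names, HOSTS))
```

The wildcard-only list fails for both `localhost` and `awsapps044`, which is the browser warning in the original post; the multi-name list shows how a certificate whose subjectAltName carries more than one DNS name can cover an internal and an external hostname.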