All migrations fail with the error “Build server is unreachable: fetch failed”
Hi Mike
The Destination server needs to be able to see the source server over the network. If it can’t, this is exactly the error you will get.
Do you have firewalls or anything else that might be preventing the two servers from communicating?
Thanks
Todd
Actually, the target is the same server.
Ok so no firewall, but it can still happen on the same server. OttoFMS still makes a request to Itself to grab the files. It is playing both roles. So what are the Urls you are using when you setup the server? Do you have a fully qualified domain name? Does it have a valid cert?
You can send us the JSON deployment object if you want us to take a look.
You can Direct message me here with the information if you want.
Thanks
Todd
Update to let you know we’ve been working feverishly, learning more than we ever wanted to know about encryption certificate management, and making some progress. We’ve found some evidence that our IT guy who handles our wildcard certificate, may have used a different technique (versus what he’d done on our older Windows Server based FMS) to create the container file (PFX, I think) that we use to create the three files plus passphrase that we upload in the FileMaker Server Admin console. Additionally, we’re looking at the SSL certificate(s) that may or may not have been installed on this Linux server itself when it was provisioned. Perhaps, internally OttoFMS/Deploy uses a CURL command that fails if it doesn’t see the full chain of certificates including our intermediate (Network Solutions) certificate.
The ball is currently in our IT guy’s court. We should have another update later today, and if the theory pans out, it will be all good.
Thanks Mike,
It is becoming increasingly difficult to run any http requests without valid certs on the target server. Browsers do not allow it, and increasingly things like node.js and other runtimes make it very hard to do.
If your certs are not valid then Otto currently won’t work.
We intend to look at this again after Engage and see if we can improve this situation, but I don’t know if we will succeed.
Thanks
Todd
Good to know you’ll be looking at it deeper soon. We’ll have a very thoroughly investigated and hopefully well-documented use case for you to consider. I’ll be happy to share everything we learn.
Problem solved. Hours of troubleshooting by people much smarter than me led to our whole team getting far more educated on managing SSL certificates. Here’s just a quick snapshot of what happened. Our team will write up a more detailed accurate explanation for our future selves that I’m open to sharing here if ya wish.
We discovered that when our Microsoft-centric IT guy got this year’s cert renewal, he used his typical Microsoft IIS-based tool set in its default config to build a PFX file for us troublemaker FileMaker Server developer/operators as he reluctantly does every year. However, unbeknownst to anyone, the default configuration now doesn’t add the intermediate cert to the PFX.
So, us FMS DevOps folks did the thing we do to extract the three separate files from the PFX as needed by FMS, i.e. our ‘Signed Certificate File’, our ‘Private Key file’, and the 'Intermediate Certificate File". At this point, had we been paying closer attention we might have noticed the problem, The intermediate certificate file was nearly 0 kbytes. However, FMS was happy. Nothing else complained. Everything seemed to be working fine for a few weeks.
Then I got to the point in the project where I wanted to use OttoDeply to move some FileMaker “schema” and some FileMaker data between an app on this FMS. That’s when all all hell broke loose. Turns out some things, FileMaker itself, web browsers… may overlook or fill-in the gap in the chain left by a missing intermediate cert (in our case, Network Solutions) between the signed cert (in our case a wildcard domain cert) and the Root Certificate (RSA Root CA). But, others like a basic CURL (without a -k) and OttoFMS require that the server itself includes the intermediate cert in order to verify the full certificate hierarchy chain.
Anyway, take this with a grain of salt. I’m the opposite of an expert on this topic. So, the above probably contains terrible abuses of the terminology and may be complete BS for all I know. It’s the gist of what I gathered in the process of a week working with teammates who got us from OttoFMS/Deploy not working to working.
1 Like
Thanks Mike
We appreciate you taking the time to update us on your situation.
Todd
Hello Mike and Todd,
I encountered the same issue on an AWS Ubuntu server.
Typically, I install the servers without the Intermediate Certificate File, which operates without any issues without OttoFMS. Thanks to Mike, I also tried this approach and retroactively installed the SSL certificate with the Intermediate Certificate.
After a reboot, creating a copy on the same server worked.
However, what unfortunately still doesn’t work is the migration; I will create a new thread for that.
Thank you for the great work and congratulations on the new product, OttoFMS!
cheers,
Rico