Using https

Even if you are running ftrack as a local installation, you might want to run it over https for improved security. Perhaps you want to allow access from outside your firewall, or just make it accessible from the guest Wi-Fi.

SSL certificate

To run ftrack over https you need a signed SSL certificate. The easiest way to get a valid SSL certificate is to buy one from a trusted certificate authority or to get one from https://letsencrypt.org, which is free and recommended. You can also create and sign one yourself, but that often requires more work.

Note

If you create and sign your own certificate, you need to install it on all computers that will be accessing ftrack so that it is treated as valid and clients get a secure connection.

Configure ftrack server

Your SSL certificate should be divided into two separate files, a .key and a .pem file. The ftrack server will look for them in:

/opt/server.pem
/opt/server.key

server.key contains the private key and server.pem the certificate and any additional certificates provided by the signing authority.
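
Before switching start scripts, it helps to confirm that the two files actually belong together. The following check is an added example, not part of ftrack's own tooling; the function name check_tls_pair and its return codes are assumptions made for the example, and it relies on the openssl command-line tool being installed.

```sh
#!/bin/sh
# Added example: sanity-check the certificate/key pair before starting ftrack_ssl_large.
# Return codes (chosen for this example): 0 ok, 1 key/cert mismatch,
# 2 certificate expired, 3 key accessible to other users, 4 unreadable input.
check_tls_pair() {
    cert=$1
    key=$2

    # Both files must exist and be readable by the user running the check.
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 4; }

    # openssl x509 reads the first certificate in the file, which is assumed
    # to be the server certificate, followed by any CA-provided certificates.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || { echo "cannot parse $cert or $key" >&2; return 4; }

    # The public key in the certificate must equal the one derived from the private key.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not belong to $cert" >&2
        return 1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$cert has expired" >&2
        return 2
    fi

    # Characters 8-10 of the ls mode string are the permissions for "other".
    other_perms=$(ls -ld "$key" | cut -c8-10)
    if [ "$other_perms" != "---" ]; then
        echo "$key is accessible to other users ($other_perms); tighten with chmod o-rwx" >&2
        return 3
    fi

    echo "ok: $key matches $cert, certificate not expired, key permissions restricted"
    return 0
}

# Run directly as: sh check_tls_pair.sh /opt/server.pem /opt/server.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```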

ftrack provides an additional start script for https. Stop the server and do the following:

cp /opt/ftrack/init.d/ftrack_ssl_large /etc/init.d/
chmod +x /etc/init.d/ftrack_ssl_large
chkconfig supervisord_local off
service supervisord_local stop
chkconfig ftrack_ssl_large on
service ftrack_ssl_large start

Your server is now running over https instead. Make sure settings such as ftrack.server_url are updated to say https:// instead of http://.

You may encounter issues with internal services in ftrack depending on how your certificate was signed. Check the diagnostics page in ftrack system settings to ensure that all services are working.

For certificates that are not self-signed, you should update /opt/ftrack/supervisord/supervisord_ssl_large.conf by removing the REQUESTS_CA_BUNDLE environment variable.

Tip

If you are making changes to the supervisor configuration files, you can copy them to another location such as /opt/ftrack_config and update the init.d scripts to start ftrack using the copy instead. That way you don't have to worry about the change being lost when upgrading the server. Be aware that the default configuration files sometimes change between versions, so it is recommended to compare your copy against the new defaults using a diff when upgrading.

Event server

If you are having problems with the event server, check the event hub logs for more information. If the event hub is not able to verify the SSL certificate, you might have to specify the REQUESTS_CA_BUNDLE environment variable.

Note

REQUESTS_CA_BUNDLE is already set to /opt/server.pem in /opt/ftrack/supervisord/supervisord_ssl_large.conf.

Thumbnails

If thumbnails are not showing up in the web UI, it could be the result of the internal image scaling service not working with your SSL certificate. Check the logs for SSL issues. If Thumbor is not able to verify the certificate, you might have to add it to the root certificates:

yum install ca-certificates
update-ca-trust enable
cp /opt/server.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
