Using https
Instructions to change your on-premise installation of ftrack to use HTTPS/SSL
Written by Fredrik Limsater
Updated over a week ago

💡 Note that this article is about the Classic on-prem installation package targeting CentOS 6. A new ftrack installation package is available, please read more here.

It is recommended to always run ftrack over https for improved security.

To run ftrack over https you need a signed SSL certificate. The easiest way to get a valid SSL certificate is to buy one from a trusted certificate authority or to get a free one from https://letsencrypt.org. You can also create and sign one yourself, but that often requires more work because all clients connecting to the server must be set up to trust the certificate.

Configure ftrack server

Your SSL certificate should be divided into two separate files, a .key and a .pem file. The ftrack server will look for them in:

/opt/server.pem
/opt/server.key

server.key contains the private key and server.pem the certificate and any additional certificates provided by the signing authority.

ftrack provides an additional start script for https. Stop the server and do the following:

cp /opt/ftrack/init.d/ftrack_ssl_large /etc/init.d/
chmod +x /etc/init.d/ftrack_ssl_large
chkconfig supervisord_local off
service supervisord_local stop
chkconfig ftrack_ssl_large on
service ftrack_ssl_large start

Your server is now running over https instead. Make sure settings such as ftrack.server_url are updated to say https:// instead of http://.

You may encounter issues with internal services in ftrack depending on how your certificate was signed. Check the diagnostics page in ftrack system settings to ensure that all services are working.

For certificates that are not self-signed you should update /opt/ftrack/supervisord/supervisord_ssl_large.conf by removing the REQUESTS_CA_BUNDLE environment variable.

Note:

After modifying the config file(s), the ftrack service must be stopped and started again for the changes to apply.

Tip

If you are making changes to the supervisor configuration files, you can copy them to another location such as /opt/ftrack_config and update the init.d scripts to start ftrack using the copy instead. That way you don't have to worry about the change being lost when upgrading the server. Be aware that the default configuration files sometimes change between versions, so it is recommended to compare the files using a diff when upgrading.

Troubleshooting

Curl

curl can be used to check if the certificate appears to be working correctly on the server. Run this command to check whether the server is able to recognise the SSL certificate properly:

curl -I -X GET https://YOUR-SERVER-URL

If you get a "HTTP/1.1 200 OK" in the response then the certificate is working correctly on the server and you can move on to other troubleshooting steps.

If you get an error related to SSL and the certificate, it is likely that the server does not recognise the certificate and its signing authority as a valid authority. The cause of this is likely that your server.pem file does not contain enough information or the server does not recognise the authority.

First you need to make sure that server.pem does contain the full certificate chain, and not just the certificate. Then stop and start the ftrack server and try again with the curl command.

Second, if the curl command is still showing an error you may have to add the certificate authority to the server as a recognised authority by doing:

yum install ca-certificates
update-ca-trust enable
cp /opt/server.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
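
The first check above (that server.pem holds the full chain, in order, and belongs to server.key) can be scripted before touching the trust store. This is an added example, not part of the ftrack package; the function names and the script name are hypothetical, and it assumes an unencrypted key file and the openssl command line tool.

```shell
#!/bin/sh
# Added example (not ftrack code); function names are hypothetical.
# Uses only standard openssl subcommands; assumes an unencrypted key file.

# Number of certificates in a PEM bundle (1 means leaf only, no intermediates).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if the bundle also holds a private key. server.pem is used as a CA
# bundle and copied into the trust anchors, so it must hold certificates only.
pem_has_private_key() {
    grep -q -e 'PRIVATE KEY-----' "$1"
}

# True if the key belongs to the first (leaf) certificate in the bundle.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True if each certificate's issuer is the subject of the one after it,
# i.e. the bundle is ordered leaf, intermediate(s), [root].
chain_is_ordered() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { if (n++ && substr($0, 9) != issuer) bad = 1 }
             /^issuer=/  { issuer = substr($0, 8) }
             END { exit (bad || n == 0) }'
}

# Run the checks only when called with both paths, e.g. (hypothetical name):
#   sh check_ftrack_tls.sh /opt/server.key /opt/server.pem
if [ "$#" -eq 2 ]; then
    echo "certificates in bundle: $(count_certs "$2")"
    if pem_has_private_key "$2"; then echo "WARNING: $2 contains a private key"; fi
    key_matches_cert "$1" "$2" || echo "ERROR: $1 does not match the leaf certificate"
    chain_is_ordered "$2" || echo "ERROR: chain is out of order or unreadable"
fi
```

For a certificate issued by a certificate authority, a count of 1 means server.pem holds only the certificate and not the chain.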

Event server

If you are having problems with the event server, check the event hub logs for more information. If the event hub is not able to verify the SSL certificate, you might have to specify the REQUESTS_CA_BUNDLE environment variable.

REQUESTS_CA_BUNDLE is already set to /opt/server.pem in /opt/ftrack/supervisord/supervisord_ssl_large.conf. If your certificate is not self-signed then you will have to remove it from the configuration file.

Thumbnails

If thumbnails are not showing up in the web UI it could be the result of the internal image scaling service not working with your SSL certificate. Check the logs for SSL issues. If Thumbor is not able to verify the certificate you might have to add it to the root certificates:

yum install ca-certificates
update-ca-trust enable
cp /opt/server.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Configure clients

If you are using a self-signed certificate, you must configure all clients connecting to the server to trust the certificate. Clients include browsers, ftrack connect, tools using the ftrack API, etc.

ftrack python API client
The ftrack Python API client uses the Python requests library and can be configured to use a certificate via the REQUESTS_CA_BUNDLE environment variable. The event hub in the ftrack Python API client does not use requests, but can be configured to use a certificate via the WEBSOCKET_CLIENT_CA_BUNDLE environment variable.
