Using https

It is recommended to always run ftrack over https for improved security.

To run ftrack over https you need a signed SSL certificate. The easiest way to get a valid SSL certificate is to buy one from a trusted certificate authority or to get one for free from https://letsencrypt.org. You can also create and sign one yourself, but that often requires more work.

Note

If you create and sign your own certificate, you need to install it on all devices that will be accessing ftrack for it to appear valid and for the connection to be secure.

Configure ftrack server

Your SSL certificate should be divided into two separate files, a .key and a .pem file. The ftrack server will look for them in:

/opt/server.pem
/opt/server.key

server.key contains the private key and server.pem the certificate and any additional certificates provided by the signing authority.

ftrack provides an additional start script for https. Stop the server and do the following:

cp /opt/ftrack/init.d/ftrack_ssl_large /etc/init.d/
chmod +x /etc/init.d/ftrack_ssl_large
chkconfig supervisord_local off
service supervisord_local stop
chkconfig ftrack_ssl_large on
service ftrack_ssl_large start

Your server is now running over https instead. Make sure settings such as ftrack.server_url are updated to say https:// instead of http://.

You may encounter issues with internal services in ftrack depending on how your certificate was signed. Check the diagnostics page in ftrack system settings to ensure that all services are working.

For certificates that are not self-signed, you should update /opt/ftrack/supervisord/supervisord_ssl_large.conf by removing the REQUESTS_CA_BUNDLE environment variable.

Tip

If you are making changes to the supervisor configuration files, you can copy them to another location such as /opt/ftrack_config and update the init.d scripts to start ftrack using the copy instead. That way you don't have to worry about the change being lost when upgrading the server. Be aware that the default configuration files sometimes change between versions, so it is recommended to compare the files using a diff when upgrading.

Troubleshooting

Curl

curl can be used to check if the certificate appears to be working correctly on the server. Run this command on the server to check whether it is able to recognise the SSL certificate properly:

curl -I -X GET https://YOUR-SERVER-URL

If you get an "HTTP/1.1 200 OK" in the response then the certificate is working correctly on the server and you can move on to other troubleshooting steps.

If you get an error related to SSL and the certificate, it is likely that the server does not recognise the certificate and its signing authority as a valid authority. The cause of this is likely that your server.pem file does not contain enough information or the server does not recognise the authority.

First you need to make sure that server.pem does contain the full certificate chain, and not just the certificate. Then stop and start the ftrack server and try again with the curl command.

Second, if the curl command is still showing an error you may have to add the certificate authority to the server as a recognised authority by doing:

yum install ca-certificates
update-ca-trust enable
cp /opt/server.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
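
The first check above (server.pem holds the full chain, and server.key is the matching key) can be scripted. The following is an added example, not part of ftrack or its documentation; the function names are hypothetical and the default paths are the ones given on this page. The key comparison requires openssl to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two files the ftrack server reads.
# Function names are hypothetical; default paths are the ones on this page.

# Number of certificates in a PEM bundle (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if the file contains a PEM private key block of any type.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# True if the first certificate in $1 carries the public key of the key in $2.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if clean, 1 if a problem was found, 2 if the files are unreadable.
check_bundle() {
    pem=${1:-/opt/server.pem}; key=${2:-/opt/server.key}; rc=0
    if [ ! -r "$pem" ] || [ ! -r "$key" ]; then
        echo "cannot read $pem or $key"; return 2
    fi
    n=$(count_certs "$pem")
    echo "$pem: $n certificate(s)"
    if [ "$n" -lt 1 ]; then
        echo "FAIL: no certificate in $pem"; rc=1
    elif [ "$n" -eq 1 ]; then
        echo "NOTE: only one certificate; fine if self-signed, otherwise append the CA's intermediates"
    fi
    if has_private_key "$pem"; then
        echo "FAIL: $pem contains a private key; it belongs only in $key"; rc=1
    fi
    if ! key_matches_cert "$pem" "$key"; then
        echo "FAIL: $key does not match the first certificate in $pem"; rc=1
    fi
    return $rc
}

# Run the checks only when paths are given on the command line.
if [ "$#" -gt 0 ]; then check_bundle "$@"; fi
```

The private key check matters here because server.pem is also the file copied into /etc/pki/ca-trust/source/anchors/ and referenced by REQUESTS_CA_BUNDLE, so it should hold certificates only.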

Event server

If you are having problems with the event server, check the event hub logs for more information. If the event hub is not able to verify the SSL certificate you might have to specify the REQUESTS_CA_BUNDLE environment variable.

REQUESTS_CA_BUNDLE is already set to /opt/server.pem in /opt/ftrack/supervisord/supervisord_ssl_large.conf. If your certificate is not self-signed then you will have to remove it from the configuration file.

Thumbnails

If thumbnails are not showing up in the web UI it could be the result of the internal image scaling service not working with your SSL certificate. Check the logs for SSL issues. If Thumbor is not able to verify the certificate you might have to add it to the root certificates:

yum install ca-certificates
update-ca-trust enable
cp /opt/server.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
