Open Radar

 
Summary:
When hosting SSL websites using the macOS Server.app websites feature, the SSL certificate presented with the website can be overwritten with the Xcode Server automated SSL certificate after a system restart.

With the Xcode Server service migrating to the Xcode.app from Server.app in Xcode 9, the ability to use a custom SSL certificate for the service was removed. Now, when activating the Xcode Server service, it creates it's own, locally signed SSL certificate to secure the service.

If the Xcode Server service is active, and the system is restarted, all SSL websites hosted are then presented with the locally signed certificate. Whereas if the Xcode Server service is disable, and the system is restarted, the SSL websites are presented with the correctly assigned certificates.

If the system is restarted, previously having the Xcode Server Service on, disabling and re-enabling the service, will correct the situation presenting the right certificates for each website and service.

Steps to Reproduce:
• Install Server.app.
• Setup a website with an SSL certificate.
• Install Xcode.app
• Setup/Start the Xcode Server service.
• Restart macOS.

Expected Results:
The website presented through the macOS Server.app should continue to be presented with the correct SSL certificate.

Actual Results:
The website presents with the Xcode Server automatic certificate causing a hostname mismatch and security warning.

Version/Build:
macOS High Sierra 10.13.3 (17D47)
Server.app 5.5 (17S1220)
Xcode 9.2 (9C40b)