Problems Changing Password

This is working as designed. Unfortunately the option is badly named. A better explaination of that option is that it would say "Require password change at by logging into account at a Mac login screen before the account can be used.".

In other words, setting that option means that the account can be used for only one thing: sitting at a Mac login screen and using it to log in. Once this is done the login process will automatically pop up the 'enter new password' sheet and once this is done the account will be enabled with the new password. Until this is done, all other services will see this account as having been disabled. There's obviously something wrong with the FTP server since that should be blocking the account too.

You do, of course, have the ability not to do this: just change the user's password to something you know, tell the user to change it, and don't select the 'require password change at next login' checkbox.

When you write

Two services only are available to users, namely Wiki and FTP. After resetting a user's password in the Server app they can no longer log in to the Wiki server with any password, new or old. They can still access FTP using the old password.

Do you have the 'Require password changing at next login' checkbox ticked ? If so, they need to do that before they regain access to Wiki and FTP. If this box is set you absolutely need to sit at a Mac and login at the login prompt before you can do anything else with that account, including using the web interface to change your password. If you don't want this, just leave that checkbox unchecked. In fact you can go in via Workgroup Manager and uncheck it for those accounts now, and check to see if that fixes your problem.

I assume, by the way, that you're using Open Directory to hold your accounts, you have only one Open Directory server (rather than a tree of them) and that changes you make to account details haven't disappeared then next time you go into Workgroup Manager.

Glad you got it working. From your above message you seem to have had more problems than just that one setting. It's possible you have somehow corrupted your Open Directory database.

That's a problem I had myself at one point though I had it with 10.7 not 10.8. If you continue to have problems like this it might be an idea to backup and restore your Open Directory data. This is an option from the 'gear' icon in Server.app. I'm hoping that some part of that process might force the system to remake or reindex its data and get rid of the corruption.

The untrusted cert may be because you're using a cert you made yourself, or that the trust chain is actually broken because of problems further along the chain, but it also might be because your cert uses one domain name for the server but the client is addressing the server by another name. It's possible to make certs which include both domain names in but that's harder.