Apache SSL on Mac OSX Lion 10.7
I have recently upgraded to OSX Lion from Snow Leopard, and whilst setting up my development environment I needed to configure the built-in Apache server to support SSL. Below are the steps that were needed. Please note that this is based on a clean install of OSX 10.7.2; if you did an upgrade, or are running a different version of Lion, the instructions may need to be tweaked to suit your setup.
Generate a host key
First off we'll make a home for the new SSL files. I used /private/etc/apache2/ssl (on a Mac /etc is a symlink to /private/etc, so either spelling of the path works). The directory lives under a root-owned path, so the commands need sudo. We then change to the new directory and run an ssh-keygen command to create the server key file; ssh-keygen on Lion writes an RSA private key in the PEM form that OpenSSL reads (newer OpenSSH releases default to their own key format and need the -m PEM option to produce the same thing). When ssh-keygen asks for a passphrase, press Enter to leave it empty: Apache cannot start unattended with an encrypted key and fails with "Init: Unable to read pass phrase". Open up a terminal window and enter the commands below.
sudo mkdir /private/etc/apache2/ssl
cd /private/etc/apache2/ssl
sudo ssh-keygen -f server.key
Generate a certificate request file
This command creates a certificate request file. A certificate request contains information about your organisation that will be copied into the SSL certificate. You will be asked various questions; fill these in as appropriate or leave them blank, with one exception: the Common Name must be the host name the site will be served under (localhost for the vhost configured below), otherwise mod_ssl logs the warning "RSA server certificate CommonName (CN) ... does NOT match server name" at startup. Leave the "challenge password" blank when prompted for it, and, as noted above, the key itself must not carry a pass phrase or Apache will not start.
sudo openssl req -new -key server.key -out request.csr
Create the SSL certificate
Create a self-signed SSL certificate from the request file, valid for 365 days. Because it is signed by its own key rather than by a CA, every browser will warn about it on first visit; that is fine for a development machine but not for anything public.
sudo openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt
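As an added example (not part of the original post), here are the three key, request and certificate steps above as one non-interactive script that also checks the results before Apache ever sees them. It uses openssl genrsa in place of ssh-keygen and passes the subject on the command line so the Common Name is pinned to the server name rather than typed at a prompt. The gen_selfsigned, cert_cn and check_selfsigned function names, the DIR/CN/DAYS arguments and the 2048-bit key size are my choices, not the post's; the only dependency is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an unencrypted
# RSA key, a CSR whose CN is fixed to the server name, and a self-signed
# certificate, then verifies that the three artefacts agree. Function names
# and the DIR/CN/DAYS arguments are this example's own assumptions.
set -eu

gen_selfsigned() {
  dir="$1"; cn="$2"; days="${3:-365}"
  mkdir -p "$dir"
  # Unencrypted key: Apache cannot start unattended with a passphrase-
  # protected key ("Init: Unable to read pass phrase").
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"
  # -subj answers the CSR questions non-interactively. CN must equal the
  # vhost's ServerName, or mod_ssl warns that the CN does NOT match.
  openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
    -out "$dir/request.csr"
  openssl x509 -req -days "$days" -in "$dir/request.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Prints the CN of a certificate in RFC 2253 form (stable across old and
# new OpenSSL releases, whose default subject formatting differs).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 only if: the key is not passphrase-protected, the certificate CN
# equals the expected name, and the certificate was issued for this key.
check_selfsigned() {
  dir="$1"; cn="$2"
  # Encrypted PEM keys carry "Proc-Type: 4,ENCRYPTED" or "ENCRYPTED PRIVATE KEY".
  if grep -q 'ENCRYPTED' "$dir/server.key"; then
    echo "server.key is passphrase-protected" >&2; return 1
  fi
  actual=$(cert_cn "$dir/server.crt")
  if [ "$actual" != "$cn" ]; then
    echo "CN mismatch: certificate has '$actual', expected '$cn'" >&2; return 1
  fi
  # Same RSA modulus in key and certificate means the cert belongs to the key.
  kmod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
  cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
  if [ "$kmod" != "$cmod" ]; then
    echo "server.crt was not issued for server.key" >&2; return 1
  fi
  return 0
}

# Usage: sh thisfile.sh --demo   (writes into a temporary directory)
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  gen_selfsigned "$d" localhost
  check_selfsigned "$d" localhost && echo "ok: $d/server.crt matches $d/server.key, CN=localhost"
fi
```

Run it against /private/etc/apache2/ssl with sudo to produce the files the rest of the post expects; check_selfsigned is worth running again any time you regenerate the key, since a certificate left over from a previous key is the other common cause of a silent startup failure.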
Configure Apache
Create a backup of /private/etc/apache2/httpd.conf.
In /private/etc/apache2/httpd.conf, make sure the SSL module is enabled (remove the # from the start of the line)
LoadModule ssl_module libexec/apache2/mod_ssl.so
In the same file search for the below line and uncomment it (remove the #)
Include /private/etc/apache2/extra/httpd-ssl.conf
Edit /private/etc/apache2/extra/httpd-ssl.conf, search for the lines that start with SSLCertificateFile and SSLCertificateKeyFile, and update them to match the below:
SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"
In the same file comment out (add a # to the beginning of the line) the lines that start with SSLCACertificatePath and SSLCARevocationPath. The directories they point at do not exist on a default Lion install, and mod_ssl refuses to start when a configured CA or CRL path is missing; a self-signed server certificate needs neither.
Configure the vhosts
In /private/etc/apache2/httpd.conf, search for the below line and uncomment it (remove the #)
Include /private/etc/apache2/extra/httpd-vhosts.conf
Now open /private/etc/apache2/extra/httpd-vhosts.conf and add the line below under the port 80 NameVirtualHost directive
NameVirtualHost *:443
Now you can configure a basic SSL vhost by adding the block below to the end of the file. Replace the DocumentRoot with a real path. Note the cipher settings: the SSLCipherSuite string that older Apache sample configs ship, ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL, explicitly re-enables export, SSLv2 and even null-encryption (eNULL) suites and should not be copied into a vhost, even for development. The block below restricts the server to TLS with strong suites (on Lion's OpenSSL 0.9.8 that means TLSv1, which every browser supports) and lets the server's preference order win.

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
    ServerName localhost
    DocumentRoot "/some/website/directory/"
</VirtualHost>
Check the config and restart Apache
sudo apachectl configtest
sudo apachectl restart
Now you can open your browser at https://localhost and try out your new HTTPS site. The browser will warn that the certificate is self-signed; accept it for localhost only. If Apache fails to restart, the first place to look is /var/log/apache2/error_log.
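The comments below this post report the same handful of startup failures again and again. As an added example that is not part of the original post, here is a small triage script that scans an Apache 2.2 error_log for those known symptoms and prints the fix for each. The diagnose_error_log and write_sample_log names are mine, and the sample log lines are constructed from the messages quoted in the comments rather than captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans an Apache 2.2
# error_log for the mod_ssl/httpd startup symptoms reported in the comments
# on this page and prints one remediation line per symptom found.
# Function names are this example's own; the sample log is constructed.
set -u

diagnose_error_log() {
  log="${1:-/var/log/apache2/error_log}"   # Lion's default error log
  # Each pattern is a fixed substring of the real httpd/mod_ssl message.
  if grep -q 'Unable to read pass phrase' "$log"; then
    echo "KEY: server.key is passphrase-protected and Apache cannot prompt at startup. Strip it with 'openssl rsa -in server.key -out server.key.plain' and point SSLCertificateKeyFile at the plain file."
  fi
  if grep -q 'does NOT match server name' "$log"; then
    echo "CN: certificate CommonName differs from the vhost ServerName. Reissue the CSR with CN set to the ServerName and re-sign, or change ServerName."
  fi
  if grep -q 'could not open error log file' "$log"; then
    echo "LOG: an ErrorLog directive (check the 443 vhost in httpd-ssl.conf) points at a directory Apache cannot write. Fix the path or create the directory."
  fi
  if grep -q 'Could not reliably determine the server' "$log"; then
    echo "NAME: warning only, Apache still starts. Set ServerName explicitly in httpd.conf to silence it."
  fi
}

# Constructed sample (assembled from messages quoted in the comments, not a
# real capture) so the script can be exercised offline.
write_sample_log() {
  cat > "$1" <<'EOF'
httpd: Could not reliably determine the server's fully qualified domain name, using aMBP.local for ServerName
[Fri Sep 14 13:01:41 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Sep 14 13:01:41 2012] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Fri Sep 14 13:01:41 2012] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart]
[Fri Sep 14 13:01:41 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured -- resuming normal operations
EOF
}

# Usage: sh thisfile.sh --demo   (runs the triage over the constructed log)
# Usage: . thisfile.sh; diagnose_error_log /var/log/apache2/error_log
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_log "$f"
  diagnose_error_log "$f"
  rm -f "$f"
fi
```

Once Apache is up, the handshake itself can be confirmed from the command line with openssl s_client -connect localhost:443, which prints the certificate chain and the negotiated protocol; a self-signed certificate will show a verification error there, which is expected.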

January 10th, 2012 - 01:02
After following many tutorials, pulling hair out and reverting to my backed up config files I was close to giving up! Thank you for posting this, very much appreciated.
January 10th, 2012 - 09:52
Glad I could help mate.
January 21st, 2012 - 11:56
i love your blog, i have it in my rss reader and always like new things coming up from it.
January 21st, 2012 - 20:00
You're welcome
April 6th, 2012 - 11:41
Thanks, worked like a charm! Although I left the SSLCARevocationPath commented, it wouldn't find that directory and it's working fine without. I'll use it only for development anyway.
Cheers!
June 7th, 2012 - 10:20
Does this work on Lion or Lion Server? I couldn’t get it to work on plain Lion and I read somewhere it only works on Lion server?
June 7th, 2012 - 11:08
Yes this works on normal Lion. My MBP and iMac both run normal Lion and I have them both running SSL with self signed certs. Where did you get stuck?
June 15th, 2012 - 14:40
Hi,
Thanks for a detailed tutorial. After configuring the Apache server on my Mac OS X Lion 10.7.3, I couldn't get HTTPS working on my localhost. I followed your instructions to a tee. The only different thing I encountered was when I ran the following command:
sudo apachectl configtest
The output was as follows:
‘httpd: Could not reliably determine the server’s fully qualified domain name, using aMBP.local for ServerName
Syntax OK’
Can you check, if there is something wrong?
June 15th, 2012 - 15:11
As you can see from the other comments this has worked for others. Is your system a clean install of Lion or is it an upgrade from Snow Leopard? I cannot guarantee that these instructions will work for upgrades because things were different previous to Lion.
Does the server signature/log file show that SSL is enabled? Check /var/log/apache2/error.log for problems.
July 3rd, 2012 - 18:30
I had the same issue and found that this solved it for me. Just the first part that is. I put in my IP address in place of www.example.com:80 inside of httpd.conf and uncommented that line.
http://wiki.apache.org/httpd/CouldNotDetermineServerName
June 24th, 2012 - 21:41
This is a great tutorial, thank you. I did want to mention one thing though, I was getting this warning in my error_log:
RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
After triple checking all my config files, believe it or not what ended up resolving it was removing the extra line break in your VirtualHost snippet (line 6).
November 14th, 2012 - 11:36
Same issue here. Removing the line break in the VirtualHost snippet (line 6) resolved it.
November 14th, 2012 - 11:54
Sounds odd but I have updated the snippet anyway. Thanks.
July 27th, 2012 - 15:05
Hi Andy.
I did all the steps, but my Apache doesn't work... Nothing works any more.
My syntax is OK.
I don't know what to do...
Please, could you help me?
July 30th, 2012 - 10:19
What error message is Apache giving when you try to start it? Have you checked the error log?
The error log can be found at /var/log/apache2/error_log
August 31st, 2012 - 06:58
Unfortunately I experienced a very similar issue. After completing the above steps apache no longer worked for either http/https.
Checked in the error_log and am seeing:
(2)No such file or directory: httpd: could not open error log file /var/log/httpd/error_log.
Unable to open logs
September 4th, 2012 - 19:57
Either change your configuration to use a different directory to log to or check that /var/log/httpd directory exists and that the permissions are ok for Apache to write to it.
August 2nd, 2012 - 00:55
Worked like a charm, Thanks a lot
August 8th, 2012 - 05:29
I got this error when I tried to restart Apache: "Init: Unable to read pass phrase [Hint: key introduced or changed before restart]".
But I managed to resolve it by the method provided on this site: http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
Here is the excerpt of the method:
To avoid the problem of entering the pass phrase, we can remove the pass phrase protection on the server private key with the following openssl command.
[root@fc4 conf]# cd /etc/httpd/conf/ssl.key
[root@fc4 ssl.key]# cp server.key server.key.new
[root@fc4 ssl.key]# openssl rsa -in server.key.new -out server.key
Enter pass phrase for server.key.new:
writing RSA key
Basically I need to get into the ssl folder and rename the old server.key and use openssl command to output a new one which removed the pass phrase. It works nicely.
August 8th, 2012 - 09:45
Good point I should have probably put that in the post. I will update it to say not to enter a pass phrase when creating the key
I appreciate the feedback…
August 24th, 2012 - 22:38
Good one Andy, I used your tutorial on a Linux machine (Ubuntu) as well as Mac and it worked perfectly. Thanks.
September 15th, 2012 - 01:36
Hi! I need some help. I did everything in here but now my localhost won't work :/ I tried turning on web sharing under system settings because it mysteriously turned off by itself. I believe I may have skipped this step by mistake, "Create a backup of /etc/apache2/httpd.conf.", and didn't create a backup; is there a way to get a copy of that file? Also, when I go to 127.0.0.1 that works just fine. Could I get some help with these please? It's part of my school project.
September 15th, 2012 - 01:41
I can post what i found in the error log here if you don’t mind
httpd: Could not reliably determine the server’s fully qualified domain name, using Gabriels-MacBook-Pro.local for ServerName
[Fri Sep 14 13:01:41 2012] [notice] Digest: generating secret for digest authentication …
[Fri Sep 14 13:01:41 2012] [notice] Digest: done
[Fri Sep 14 13:01:41 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured — resuming normal operations
[Fri Sep 14 13:01:42 2012] [notice] caught SIGTERM, shutting down
httpd: Could not reliably determine the server’s fully qualified domain name, using Gabriels-MacBook-Pro.local for ServerName
[Fri Sep 14 13:01:47 2012] [notice] Digest: generating secret for digest authentication …
[Fri Sep 14 13:01:47 2012] [notice] Digest: done
[Fri Sep 14 13:01:47 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured — resuming normal operations
[Fri Sep 14 13:02:06 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 13:02:35 2012] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 13:05:25 2012] [error] [client 10.159.13.211] client denied by server configuration: /Users/gabe/Sites
[Fri Sep 14 13:05:25 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 13:07:20 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:31:22 2012] [notice] caught SIGTERM, shutting down
No log handling enabled – using stderr logging
Created directory: /var/db/net-snmp
Created directory: /var/db/net-snmp/mib_indexes
[Fri Sep 14 17:36:11 2012] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.10 with Suhosin-Patch configured — resuming normal operations
[Fri Sep 14 17:47:26 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:47:26 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:47:33 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:47:33 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:47:59 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phppinfo.php’ not found or unable to stat
[Fri Sep 14 17:47:59 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:48:34 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:48:34 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:49:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/phpinfo.php not working on mac
[Fri Sep 14 17:49:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:49:51 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/phpinfo.php\xe2\x80\x9d, referer: http://macosx.com/forums/software-programming-we$
[Fri Sep 14 17:49:51 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:50:29 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:50:29 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico, referer: http://localhost/phpinfo.php
[Fri Sep 14 17:51:35 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 14 17:55:59 2012] [warn] mod_bonjour: Cannot stat template index file ‘/System/Library/User Template/English.lproj/Sites/index.html’.
[Fri Sep 14 17:55:59 2012] [notice] Digest: generating secret for digest authentication …
[Fri Sep 14 17:55:59 2012] [notice] Digest: done
[Fri Sep 14 17:55:59 2012] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.10 with Suhosin-Patch configured — resuming normal operations
[Fri Sep 14 17:56:17 2012] [error] [client 192.168.1.3] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:57:56 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:58:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 20:06:50 2012] [notice] caught SIGTERM, shutting down
September 15th, 2012 - 10:12
Post the contents of your httpd.conf here and I will take a look
September 15th, 2012 - 15:27
There’s a lot of text in the httpd.conf is there a specific part you’d like to see?? Or should I just post the whole thing?
September 16th, 2012 - 10:52
I have sent you an email about it.
September 19th, 2012 - 23:18
on mine the httpd-ssl.conf is between so does that just mean lion vs lion server or any macosx?
September 19th, 2012 - 23:44
I think the bit you pasted in didn’t get through the filters. I think I know what you are talking about, in the conf there are conditional parts that say “if this is OSX server” or “if this is not OSX server”. Assuming you are not on server then you should ignore the bits marked for OSX server
September 27th, 2012 - 04:05
I tried all these changes on OSX 10.8 and it doesn't work at all. I get no errors for the configuration but Apache won't start. No error log file generated, nothing. Any ideas?
September 28th, 2012 - 11:49
That's odd, there should always be an error log. Open Console.app (in Utilities) and try to start Apache while looking at the messages in Console.app.
October 17th, 2012 - 00:53
Hi, i followed your tutorial, but when i write https://localhost in the address bar i have
“Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.”
if you want i can send my files
/etc/apache2/extra/httpd-ssl.conf,
/Application/MAMP/conf/apache/httpd.conf,
/Application/MAMP/conf/apache/ssl.conf
my mail vitolipari81@gmail.com
October 17th, 2012 - 10:01
Sorry but this is for the pre-installed apache not MAMP. I suggest you check out the MAMP documentation or hit google to research your problem.
October 30th, 2012 - 19:06
Thanks a lot, worked perfectly first time using Lion. One typo – under the vhosts section, you have:
Include /private/etc/apache2/extra/httpd-vhosts.conf
The “/private” part should not be there.
Great post!
October 30th, 2012 - 21:01
Actually if you look in terminal you will see that /etc is a symlink to /private/etc
November 21st, 2012 - 12:31
Thank you Andy,
Running 10.8 and your solutions works like a charm. Did have the servername and certificate pw issues as mentioned above but solved all of them via the mentioned posts.
great to be up and running again.
December 7th, 2012 - 21:32
I followed the instructions and everything seemed to go okay. I tried to view a page, and after accepting the certificate, all I get is:
“Forbidden
You don’t have permission to access / on this server.”
December 7th, 2012 - 22:36
Never mind: I had the path wrong in httpd-vhost.conf. Working now. Great post!
February 5th, 2013 - 03:20
Well done Andy.. I had ~30 min to set up a secure server environment on a new mac to test a project. Lucky I found this page. Thanks!
March 1st, 2013 - 06:32
Hello Guys, I need your help,
After installation of Apache (httpd-2.0.64) on Linux Red Hat, Apache is up and running and I set up the SSL certificate by generating and installing a test certificate, which is done.
The problem is I'm not able to connect using https; the page is not coming up. After checking the error.log I find the below errors:
[Fri Mar 01 18:49:54 2013] [warn] RSA server certificate CommonName (CN) `Test-Only Certificate' does NOT match server name!?
[Fri Mar 01 18:49:54 2013] [notice] Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Fri Mar 01 18:53:06 2013] [notice] caught SIGTERM, shutting down
I'm not able to find out the cause because it is my first time configuring Apache. Please, I need help on this.
March 30th, 2013 - 16:26
You wrote:
… Include /private/etc/apache2/extra/httpd-vhosts.conf
and below: … Now open /etc/apache2/extra/httpd-vhosts.conf and
but the paths are different..
April 2nd, 2013 - 10:57
Yes, in the post I am using a mixture of /private/etc/ and /etc/. This is bad editing but the instructions will still work as /etc/ is actually a symbolic link to /private/etc/ on a Mac system. I will change the post so the paths are consistent.
April 5th, 2013 - 19:45
Thanks for the help and congrats for the great job.
Cheers!
April 18th, 2013 - 22:58
I love you
April 18th, 2013 - 23:21
Lol
April 22nd, 2013 - 09:28
Thanks, it saved lot of time. I realize why this link comes on top in google search.
April 23rd, 2013 - 11:49
Thank you!
This is superb
Works with 10.8 without any problems.
May 11th, 2013 - 15:06
Thanks a lot! This works well, also with dynamic dns name.
May 12th, 2013 - 19:24
Just tried this on OS X Mountain Lion 10.8 and it worked beautifully. Thanks a lot. You save my day and a lot of time & sweat.
Here’s a little suggestion. The certificates should be created without a password, else apache errors out.
May 14th, 2013 - 03:40
well done. took me a while to find this but it worked perfectly!