Update 11-12-2013: According to a commenter this process also works for OSX 10.9 Mavericks.
I have recently upgraded to OSX Lion from Snow Leopard. Whilst setting up my development environment I needed to configure the built-in Apache server to support SSL. Below are instructions on what needed to be done. Please note that the below is based on a clean install of OSX 10.7.2; if you did an upgrade or are running a different version of Lion then the instructions may need to be tweaked to suit your setup.
Generate a host key
First off we’ll make a home for the new SSL files. I used /private/etc/apache2/ssl. We need to create the new directory, change into it and then run an ssh-keygen command to create the server key file. Open up a terminal window and enter the commands below. Please note that you shouldn’t set a pass phrase on the key, just leave this blank when it asks for a pass phrase.
sudo mkdir /private/etc/apache2/ssl
cd /private/etc/apache2/ssl
sudo ssh-keygen -f server.key
Generate a certificate request file
This command creates a certificate request file. A certificate request file contains information about your organisation that will be used in the SSL certificate. You will be asked various questions; fill these in as appropriate or leave them blank.
sudo openssl req -new -key server.key -out request.csr
Create the SSL certificate
Create a self-signed SSL certificate using the request file.
sudo openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt
Configure Apache
Create a backup of /private/etc/apache2/httpd.conf.
In /private/etc/apache2/httpd.conf, make sure the SSL module is enabled (remove the # from the start of the line):
LoadModule ssl_module libexec/apache2/mod_ssl.so
In the same file search for the below line and uncomment it (remove the #):
Include /private/etc/apache2/extra/httpd-ssl.conf
Edit /private/etc/apache2/extra/httpd-ssl.conf, search for the lines that start with SSLCertificateFile, SSLCertificateKeyFile and update them to match the below:
SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"
In the same file comment out (add a # to the beginning of the line) the lines that start with SSLCACertificatePath and SSLCARevocationPath.
Configure the vhosts
In /private/etc/apache2/httpd.conf, search for the below line and uncomment it (remove the #):
Include /private/etc/apache2/extra/httpd-vhosts.conf
Now open /private/etc/apache2/extra/httpd-vhosts.conf and add the line below under the port 80 NameVirtualHost directive:
NameVirtualHost *:443
Now you can configure a basic SSL vhost by adding the code below to the end of the file. Please note that you should replace the DocumentRoot with a real path. The SSLCipherSuite line is the stock Apache 2.2 default; the +LOW:+SSLv2:+EXP:+eNULL part also permits export-grade and null-encryption ciphers, which is only acceptable on a development machine.
<VirtualHost *:443>
SSLEngine on
# Stock Apache 2.2 default cipher list; allows weak (LOW/EXP/eNULL) ciphers, development use only
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /private/etc/apache2/ssl/server.crt
SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
ServerName localhost
DocumentRoot "/some/website/directory/"
</VirtualHost>
Check the config and restart Apache
sudo apachectl configtest
sudo apachectl restart
Now you can open your browser and try out your new HTTPS site.
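The script below is an added example and is not part of the original post. It repeats the key, CSR and self-signed certificate steps non-interactively and then checks the three things that most often go wrong with this setup (a key that carries a pass phrase, a certificate CN that does not match ServerName, and a key that does not belong to the certificate) before the files are handed to SSLCertificateFile and SSLCertificateKeyFile. It assumes openssl is on PATH, uses openssl genrsa in place of the post's ssh-keygen (current OpenSSH writes keys in its own format unless given -m PEM), and SSL_DIR and SERVER_NAME are my parameters, defaulting to a scratch directory and localhost rather than the post's /private/etc/apache2/ssl.

```bash
#!/bin/sh
# Added example, not from the original post. Creates server.key,
# request.csr and server.crt like the post's three manual steps, then
# verifies them before Apache is restarted. Assumes openssl on PATH.
# SSL_DIR and SERVER_NAME are parameters chosen here (not the post's paths).
set -eu

# Steps 1-3 of the post, non-interactive. openssl genrsa stands in for the
# post's ssh-keygen (recent ssh-keygen needs -m PEM to emit a key OpenSSL
# reads). No pass phrase is set on the key.
make_self_signed() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/request.csr" \
        -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/request.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Check A: the key must load with an empty pass phrase. An encrypted key
# gives Apache's "Init: Unable to read pass phrase" error at startup.
key_is_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Check B: the certificate CN must equal the vhost's ServerName, otherwise
# mod_ssl logs "RSA server certificate CommonName (CN) ... does NOT match
# server name!?" and browsers report a host mismatch.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Check C: key and certificate must share the same RSA modulus, or the
# pair has been mixed up (e.g. a stale server.crt next to a new server.key).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs all three checks, one status line each; returns non-zero if any
# fails so it can gate "sudo apachectl restart" in a wrapper script.
verify_ssl_files() {
    dir="$1"; cn="$2"; rc=0
    key_is_unencrypted "$dir/server.key" \
        && echo "ok   key has no pass phrase" \
        || { echo "FAIL key is encrypted"; rc=1; }
    cert_cn_matches "$dir/server.crt" "$cn" \
        && echo "ok   certificate CN is $cn" \
        || { echo "FAIL certificate CN is '$(cert_cn "$dir/server.crt")', expected $cn"; rc=1; }
    key_matches_cert "$dir/server.key" "$dir/server.crt" \
        && echo "ok   key and certificate match" \
        || { echo "FAIL key does not match certificate"; rc=1; }
    return $rc
}

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-localhost}"
make_self_signed "$SSL_DIR" "$SERVER_NAME"
verify_ssl_files "$SSL_DIR" "$SERVER_NAME"
```

Run it as SSL_DIR=/private/etc/apache2/ssl SERVER_NAME=localhost (under sudo) to reproduce the post's layout, then point the vhost at the resulting files.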
After following many tutorials, pulling hair out and reverting to my backed up config files I was close to giving up! Thank you for posting this, very much appreciated.
Glad I could help mate.
i love your blog, i have it in my rss reader and always like new things coming up from it.
You’re welcome
Thanks, worked like a charm! Although I left the SSLCARevocationPath commented, it wouldn’t find that directory and it’s working fine without. I’ll use it only for development anyway.
Cheers!
Does this work on Lion or Lion Server? I couldn’t get it to work on plain Lion and I read somewhere it only works on Lion server?
Yes this works on normal Lion. My MBP and iMac both run normal Lion and I have them both running SSL with self signed certs. Where did you get stuck?
Hi,
Thanks for a detailed tutorial. After configuring the apache server on my Mac OS X Lion 10.7.3, I couldn’t get the HTTPS working on my localhost. I followed your instructions to the tee. The only different thing I encountered was when I ran the following command:
sudo apachectl configtest
The output was as follows:
‘httpd: Could not reliably determine the server’s fully qualified domain name, using aMBP.local for ServerName
Syntax OK’
Can you check, if there is something wrong?
As you can see from the other comments this has worked for others. Is your system a clean install of Lion or is it an upgrade from Snow Leopard? I cannot guarantee that these instructions will work for upgrades because things were different previous to Lion.
Does the server signature/log file show that SSL is enabled? Check /var/log/apache2/error.log for problems.
I had the same issue and found that this solved it for me. Just the first part that is. I put in my IP address in place of www.example.com:80 inside of httpd.conf and uncommented that line.
http://wiki.apache.org/httpd/CouldNotDetermineServerName
This is a great tutorial, thank you. I did want to mention one thing though, I was getting this warning in my error_log:
RSA server certificate CommonName (CN) `localhost’ does NOT match server name!?
After triple checking all my config files, believe it or not what ended up resolving it was removing the extra line break in your VirtualHost snippet (line 6).
Same issue here. Removing the line break in the VirtualHost snippet (line 6) resolved it.
Sounds odd but I have updated the snippet anyway. Thanks.
Hi Andy.
I did all steps, but my apache doesn’t work… Nothing works any more.
My syntax is OK.
I don’t know what to do…
Please, could you help me?
What error message is Apache giving when you try to start it? Have you checked the error log?
The error log can be found at /var/log/apache2/error_log
Unfortunately I experienced a very similar issue. After completing the above steps apache no longer worked for either http/https.
Checked in the error_log and am seeing:
(2)No such file or directory: httpd: could not open error log file /var/log/httpd/error_log.
Unable to open logs
Either change your configuration to use a different directory to log to or check that /var/log/httpd directory exists and that the permissions are ok for Apache to write to it.
Worked like a charm, Thanks a lot
I got this error when I tried to restart apache “Init: Unable to read pass phrase [Hint: key introduced or changed before restart”.
But I managed to resolve it by methods provided on this site: http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
Here is the excerpt of the method:
To avoid the problem of entering the pass phrase, we can remove the pass phrase protection on the server private key with the following openssl command.
[root@fc4 conf]# cd /etc/httpd/conf/ssl.key
[root@fc4 ssl.key]# cp server.key server.key.new
[root@fc4 ssl.key]# openssl rsa -in server.key.new -out server.key
Enter pass phrase for server.key.new:
writing RSA key
Basically I need to get into the ssl folder and rename the old server.key and use openssl command to output a new one which removed the pass phrase. It works nicely.
Good point, I should have probably put that in the post. I will update it to say not to enter a pass phrase when creating the key.
I appreciate the feedback…
Good one Andy, I used your tutorial on Linux machine(Ubuntu) as well as Mac and worked perfectly. Thanks.
Hi! I need some help, I did everything in here but now my localhost won’t work :/ I tried turning on web sharing under system settings because it mysteriously turned off by itself. I believe I may have skipped this step by mistake “Create a backup of /etc/apache2/httpd.conf.” and didn’t create a backup, is there a way to get a copy of that file? Also when I go to 127.0.0.1 that works just fine. Could I get some help with these please?? It’s part of my school project 🙂
I can post what I found in the error log here if you don’t mind
httpd: Could not reliably determine the server’s fully qualified domain name, using Gabriels-MacBook-Pro.local for ServerName
[Fri Sep 14 13:01:41 2012] [notice] Digest: generating secret for digest authentication …
[Fri Sep 14 13:01:41 2012] [notice] Digest: done
[Fri Sep 14 13:01:41 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured — resuming normal operations
[Fri Sep 14 13:01:42 2012] [notice] caught SIGTERM, shutting down
httpd: Could not reliably determine the server’s fully qualified domain name, using Gabriels-MacBook-Pro.local for ServerName
[Fri Sep 14 13:01:47 2012] [notice] Digest: generating secret for digest authentication …
[Fri Sep 14 13:01:47 2012] [notice] Digest: done
[Fri Sep 14 13:01:47 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured — resuming normal operations
[Fri Sep 14 13:02:06 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 13:02:35 2012] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 13:05:25 2012] [error] [client 10.159.13.211] client denied by server configuration: /Users/gabe/Sites
[Fri Sep 14 13:05:25 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 13:07:20 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:31:22 2012] [notice] caught SIGTERM, shutting down
No log handling enabled – using stderr logging
Created directory: /var/db/net-snmp
Created directory: /var/db/net-snmp/mib_indexes
[Fri Sep 14 17:36:11 2012] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.10 with Suhosin-Patch configured — resuming normal operations
[Fri Sep 14 17:47:26 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:47:26 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:47:33 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:47:33 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:47:59 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phppinfo.php’ not found or unable to stat
[Fri Sep 14 17:47:59 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:48:34 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:48:34 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:49:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/phpinfo.php not working on mac
[Fri Sep 14 17:49:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:49:51 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/phpinfo.php\xe2\x80\x9d, referer: http://macosx.com/forums/software-programming-we$
[Fri Sep 14 17:49:51 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:50:29 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
[Fri Sep 14 17:50:29 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico, referer: http://localhost/phpinfo.php
[Fri Sep 14 17:51:35 2012] [notice] caught SIGTERM, shutting down
[Fri Sep 14 17:55:59 2012] [warn] mod_bonjour: Cannot stat template index file ‘/System/Library/User Template/English.lproj/Sites/index.html’.
[Fri Sep 14 17:55:59 2012] [notice] Digest: generating secret for digest authentication …
[Fri Sep 14 17:55:59 2012] [notice] Digest: done
[Fri Sep 14 17:55:59 2012] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.10 with Suhosin-Patch configured — resuming normal operations
[Fri Sep 14 17:56:17 2012] [error] [client 192.168.1.3] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:57:56 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 17:58:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
[Fri Sep 14 20:06:50 2012] [notice] caught SIGTERM, shutting down
Post the contents of your httpd.conf here and I will take a look
There’s a lot of text in the httpd.conf is there a specific part you’d like to see?? Or should I just post the whole thing?
I have sent you an email about it.
on mine the httpd-ssl.conf is between so does that just mean lion vs lion server or any macosx?
I think the bit you pasted in didn’t get through the filters. I think I know what you are talking about: in the conf there are conditional parts that say “if this is OSX server” or “if this is not OSX server”. Assuming you are not on server then you should ignore the bits marked for OSX server.
I tried all these changes on OSX 10.8 and it doesn’t work at all. I get no errors for the configuration but apache won’t start. No error log file generated, nothing. Any ideas?
That’s odd, there should always be an error log. Open Console.app (in Utilities) and try to start apache while looking at messages in Console.app.
Hi, I followed your tutorial, but when I write https://localhost in the address bar I have
“Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.”
If you want I can send my files
/etc/apache2/extra/httpd-ssl.conf,
/Application/MAMP/conf/apache/httpd.conf,
/Application/MAMP/conf/apache/ssl.conf
my mail vitolipari81@gmail.com
Sorry but this is for the pre-installed apache not MAMP. I suggest you check out the MAMP documentation or hit google to research your problem.
Thanks a lot, worked perfectly first time using Lion. One typo – under the vhosts section, you have:
Include /private/etc/apache2/extra/httpd-vhosts.conf
The “/private” part should not be there.
Great post!
Actually if you look in terminal you will see that /etc is a symlink to /private/etc
😉
Thank you Andy,
Running 10.8 and your solution works like a charm. Did have the servername and certificate pw issues as mentioned above but solved all of them via the mentioned posts.
great to be up and running again.
I followed the instructions and everything seemed to go okay. I tried to view a page, and after accepting the certificate, all I get is:
“Forbidden
You don’t have permission to access / on this server.”
Never mind: I had the path wrong in httpd-vhost.conf. Working now. Great post!
[…] This site has all the instructions you need for that: http://blog.andyhunt.info2011/11/26/apache-ssl-on-max-osx-lion-10-7/ […]
Well done Andy.. I had ~30 min to set up a secure server environment on a new mac to test a project. Lucky I found this page. Thanks!
Hello Guys, I need your help,
After installation of Apache (httpd-2.0.64) on Linux Redhat apache is up and running and I set up the SSL certificate by generating and installing a test certificate, which is done.
The problem is I’m not able to connect using https, the page is not coming. After checking the error.log I find the below errors:
[Fri Mar 01 18:49:54 2013] [warn] RSA server certificate CommonName (CN) Test-Only Certificate' does NOT match server name!?
[Fri Mar 01 18:49:54 2013] [warn] RSA server certificate CommonName (CN) Test-Only Certificate' does NOT match server name!?
[Fri Mar 01 18:49:54 2013] [notice] Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
[Fri Mar 01 18:53:06 2013] [notice] caught SIGTERM, shutting down
I’m not able to find out the cause because this is my first time configuring apache. Please, I need help on this.
You wrote:
… Include /private/etc/apache2/extra/httpd-vhosts.conf
and below: … Now open /etc/apache2/extra/httpd-vhosts.conf and
but the paths are different..
Yes, in the post I am using a mixture of /private/etc/ and /etc/. This is bad editing but the instructions will still work as /etc/ is actually a symbolic link to /private/etc/ on a Mac system. I will change the post so the paths are consistent.
Thanks for the help and congrats for the great job.
Cheers!
I love you
Lol
Thanks, it saved lot of time. I realize why this link comes on top in google search.
Thank you! 🙂 This is superb 🙂 Works with 10.8 without any problems.
Thanks a lot! This works well, also with dynamic dns name.
Just tried this on OS X Mountain Lion 10.8 and it worked beautifully. Thanks a lot. You save my day and a lot of time & sweat.
Here’s a little suggestion. The certificates should be created without a password, else apache errors out.
well done. took me a while to find this but it worked perfectly!
Thanks!, on my MacBook Pro I had to change my DocumentRoot value in httpd-ssl.conf file to match my own document root configuration, otherwise I got Forbidden error when accessing https://localhost.
Thank you good sir 🙂
Hey, so I’m running mountain lion 10.8.2 and this is 99% correct, however I was experiencing the following in the browser when trying to access my https domain:
Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection.
In my apache logs I was seeing:
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
To get things working I had to add in:
“Listen 443” to “Listen 443 http” in the /private/etc/apache2/extra/httpd-ssl.conf file,
thanks to http://imranbhullar.blogspot.co.uk/2012/07/server-should-be-ssl-aware-but-has-no.html for the hint!
Also if you’re seeing something like:
[Wed Jun 26 15:39:27 2013] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
[Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
This is because you’ve set a pass phrase on your key and cert, something that isn’t covered here 😉
Hope this helps people
I do state in bold that the user should not set a pass phrase on the cert generation step.
Thanks – short and sweet – and exactly what I was looking for.
Thanks for the tutorial! Sweet!
Thanks for the tutorial. It really helped me. Thanks once again for such great article.
Thanks man, Perfect!!
Thank you. This article is dummy proof. Everything worked as expected.
Thumbs UP. Worked on OS X V10.9
Works – thank you 🙂
Looks like there is a default SSL for port 443? See this error:
********
$ sudo apachectl configtest
[Thu Jan 16 13:18:06 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Syntax OK
********
My vhosts file only has one 443 set up, no default. I guess it is located elsewhere?
Also, the base SSLCACertificatePath and SSLCARevocationPath’s are not correct when uncommented. This is coming from a completely fresh install on 10.9.
Thanks for the great guide, any pointers on the default overlap issue?
Did you add the below line to your config?
NameVirtualHost *:443
Yes, I added that to my http.conf file, after playing around a little with ports.conf. I have since removed it from ports.conf
Now I’m not getting the error in apachectl config test, but the wrong SSL is being called. See these from my Console.app:
[Thu Jan 16 14:09:39 2014] [error] [client ::1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace., referer: https://sq.local/
[Thu Jan 16 14:20:05 2014] [warn] NameVirtualHost *:443 has no VirtualHosts
(48)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
also, the SSL that is getting applied is a default one, with the company name ‘Internet Widgets Party’, which is the suggested name when configuring. Might it be that I did not put the server name in correctly when I did the SSL generation with openSSL?
Do you have anything else running on port 443? The command sudo lsof -i :443 lists stuff using port 443.
I have sent you an email separately.
Nice info, but if anybody doing it on Server flavour of Mac (tested on Mt Lion only) then Server / Certificates allows one to do it in GUI way (create CSR, import certificate issued from CA, and apply it to configuration)
Thanks for a great tutorial! I managed to make it work, but only for https://localhost How do I do if I want it to work on https://skorpion.se ?
Cool! Thanks! Even works on 10.9!
I almost pulled my hair and gave up but then I realized that I missed this line:
“In the same file comment out (add a # to the beginning of the line) the lines that start with SSLCACertificatePath and SSLCARevocationPath”
Now it works in Mavericks!
Only one thing. When I navigate to my host name I get a message about Untrusted connection and that it’s a bad idea to continue. How do I solve this? What did I miss?
Thanks!
You will get the untrusted connection because you created a self-signed certificate. The only way around this would be to purchase a certificate for your domain from one of the big signers and install that. For a development machine that’s not normally required.
Thanks, helped a lot.
Just one comment: If DocumentRoot is not the default then it also needs to be changed in httpd-ssl.conf, two places IIRC.
Really great post!
Works with OS X Yosemite
Thanks. Amazing tutorial.
Thanks a lot! (I was missing SSLCertificateFile server.crt, so after following steps as described, got it to work!)
Great post ! Clear and easy, just what we all want, thanks! 🙂
Thank you!
Thanks Andy! This helped a lot. I have a reverse proxy that allows me to do RESTful api calls back to the same server (but different port) without using CORS, which kills the session cookie. So, adding the localhost dev environment to mimic my SSL config on Linode server is a nice touch. I can leave the https links in my ‘isLocal’ service now and thus the code is identical whether deployed to server or running on my Mac.
Great article…. huge help! Thanks a lot 🙂
Great tutorial. Thanks a lot!
[…] http://blog.andyhunt.info2011/11/26/apache-ssl-on-max-osx-lion-10-7/ […]