Apache SSL on Mac OSX Lion 10.7

Update 11-12-2013: According to a commenter this process also works for OSX 10.9 Mavericks.

I have recently upgraded to OSX Lion from Snow Leopard. Whilst setting up my development environment I needed to configure the built-in Apache server to support SSL. Below are instructions on what needed to be done. Please note that these are based on a clean install of OSX 10.7.2; if you did an upgrade or are running a different version of Lion, the instructions may need to be tweaked to suit your setup.

 

Generate a host key

First off we’ll make a home for the new SSL files. I used /private/etc/apache2/ssl. We need to change to the new directory and then run an ssh-keygen command to create the server key file. Open up a terminal window and enter the commands below. Please note that you shouldn’t set a pass phrase on the key: just leave it blank when it asks for a pass phrase.

 

Generate a certificate request file

This command creates a certificate request file. A certificate request file contains information about your organisation that will be used in the SSL certificate. You will be asked various questions; fill these in as appropriate or leave them blank.

 

Create the SSL certificate

Create a self-signed SSL certificate using the request file.
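The three steps above as one script, added here as an example and not taken from the original post. It uses `openssl genrsa` in place of the post's ssh-keygen step, and the file names server.key, request.csr and server.crt, the 2048-bit key size and the `localhost` common name are assumptions. It also checks that the key and certificate belong together and that the key carries no pass phrase.

```shell
#!/bin/sh
# Added example; file names, key size and CN are assumptions, not the post's.

# make_selfsigned DIR CN: unencrypted RSA key -> CSR -> self-signed certificate.
make_selfsigned() {
    dir=$1 cn=$2
    mkdir -p "$dir" || return 1
    # openssl genrsa stands in for the post's ssh-keygen step: recent
    # ssh-keygen releases default to an OpenSSH-format key that mod_ssl
    # cannot parse. No cipher option is given, so no pass phrase is set.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # The key is unprotected on disk, so restrict it to its owner.
    chmod 600 "$dir/server.key"
    # -subj answers the interactive questions; CN should equal ServerName.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/request.csr" || return 1
    # Signing the request with its own key yields a self-signed certificate.
    openssl x509 -req -days 365 -in "$dir/request.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert DIR: true when key and certificate share one RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_encrypted FILE: true when the PEM key is pass-phrase protected,
# the state behind "Init: Unable to read pass phrase" at Apache start-up.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# cert_subject DIR: the subject line, to compare against ServerName.
cert_subject() { openssl x509 -noout -subject -in "$1/server.crt"; }

# Demo in a scratch directory; on the Mac the post uses /private/etc/apache2/ssl.
demo=$(mktemp -d)
make_selfsigned "$demo" localhost && key_matches_cert "$demo" &&
    ! key_is_encrypted "$demo/server.key" && cert_subject "$demo"
```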

 

Configure Apache

Create a backup of /private/etc/apache2/httpd.conf.

In /private/etc/apache2/httpd.conf, make sure the SSL module is enabled (remove the # from the start of the line)

In the same file search for the below line and uncomment it (remove the #)

Edit /private/etc/apache2/extra/httpd-ssl.conf, search for the lines that start with SSLCertificateFile and SSLCertificateKeyFile, and update them to match the below:

In the same file comment out (add a # to the beginning of the line) the lines that start with SSLCACertificatePath and SSLCARevocationPath

 

Configure the vhosts

In /private/etc/apache2/httpd.conf, search for the below line and uncomment it (remove the #)

Now open /private/etc/apache2/extra/httpd-vhosts.conf and add the line below under the port 80 NameVirtualHost directive

Now you can configure a basic SSL vhost by adding the code below to the end of the file. Please note that for the DocumentRoot you should replace it with a real path.

 

Check the config and restart Apache

Now you can open your browser and try out your new HTTPS site
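A pre-flight check for the configuration steps above, added here as an example and not part of the original post: it looks for the active directives the post names and for a pass-phrase-protected key before Apache is restarted. The config lines and key stub in `demo_audit` are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# has_directive FILE REGEX: true when an uncommented line starts with REGEX.
has_directive() { grep -Eq "^[[:space:]]*$2" "$1"; }

# directive_value FILE NAME: first argument of the first active NAME line.
directive_value() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# audit_apache_ssl HTTPD_CONF SSL_CONF: prints one finding per line.
audit_apache_ssl() {
    main=$1 ssl=$2
    has_directive "$main" 'LoadModule[[:space:]]+ssl_module' ||
        echo "httpd.conf: ssl_module is not loaded"
    for inc in httpd-ssl.conf httpd-vhosts.conf; do
        has_directive "$main" "Include[[:space:]].*extra/$inc" ||
            echo "httpd.conf: no active Include for extra/$inc"
    done
    has_directive "$ssl" 'Listen[[:space:]]+443' ||
        echo "httpd-ssl.conf: nothing listens on port 443"
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        f=$(directive_value "$ssl" "$d")
        if [ -z "$f" ]; then echo "httpd-ssl.conf: $d is not set"
        elif [ ! -r "$f" ]; then echo "httpd-ssl.conf: $d cannot read $f"
        elif grep -q ENCRYPTED "$f"; then
            echo "httpd-ssl.conf: $f needs a pass phrase, httpd cannot start unattended"
        fi
    done
    # The post comments these two out; the stock paths may not exist.
    for d in SSLCACertificatePath SSLCARevocationPath; do
        has_directive "$ssl" "$d[[:space:]]" &&
            echo "httpd-ssl.conf: $d is still active"
    done
    return 0
}

# Constructed sample: vhosts Include still commented, encrypted key stub,
# SSLCACertificatePath left active. Expect three findings.
demo_audit() {
    t=$(mktemp -d)
    echo 'placeholder certificate' > "$t/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        > "$t/server.key"
    cat > "$t/httpd.conf" <<EOF
LoadModule ssl_module libexec/apache2/mod_ssl.so
Include /private/etc/apache2/extra/httpd-ssl.conf
#Include /private/etc/apache2/extra/httpd-vhosts.conf
EOF
    cat > "$t/httpd-ssl.conf" <<EOF
Listen 443
SSLCertificateFile "$t/server.crt"
SSLCertificateKeyFile "$t/server.key"
SSLCACertificatePath "/private/etc/apache2/ssl.crt"
#SSLCARevocationPath "/private/etc/apache2/ssl.crl"
EOF
    audit_apache_ssl "$t/httpd.conf" "$t/httpd-ssl.conf"
}
demo_audit
```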

87 thoughts on “Apache SSL on Mac OSX Lion 10.7”

  • James

    After following many tutorials, pulling hair out and reverting to my backed up config files I was close to giving up! Thank you for posting this, very much appreciated.

  • graup

    Thanks, worked like a charm! Although I left the SSLCARevocationPath commented, it wouldn’t find that directory and it’s working fine without. I’ll use it only for development anyway.

    Cheers!

  • Tarun

    Does this work on Lion or Lion Server? I couldn’t get it to work on plain Lion and I read somewhere it only works on Lion server?

    • Andy Hunt

      Yes this works on normal Lion. My MBP and iMac both run normal Lion and I have them both running SSL with self signed certs. Where did you get stuck?

  • Amar

    Hi,
    Thanks for a detailed tutorial. After configuring the apache server on my Mac OS X Lion 10.7.3, I couldn’t get the HTTPS working on my localhost. I followed your instructions to the tee. The only different thing I encountered was when I run the following command:
    sudo apachectl configtest
    The output was as follows:
    ‘httpd: Could not reliably determine the server’s fully qualified domain name, using aMBP.local for ServerName
    Syntax OK’

    Can you check, if there is something wrong?

    • Andy Hunt

      As you can see from the other comments this has worked for others. Is your system a clean install of Lion or is it an upgrade from Snow Leopard? I cannot guarantee that these instructions will work for upgrades because things were different previous to Lion.

      Does the server signature/log file show that SSL is enabled? Check /var/log/apache2/error.log for problems.

  • Josh

    This is a great tutorial, thank you. I did want to mention one thing though, I was getting this warning in my error_log:

    RSA server certificate CommonName (CN) `localhost’ does NOT match server name!?

    After triple checking all my config files, believe it or not what ended up resolving it was removing the extra line break in your VirtualHost snippet (line 6).

  • Adriano

    Hi Andy.
    I did all steps, but my apache doesn’t work… Nothing works any more.
    My syntax is OK.
    I don’t know what to do…

    Please, could you help me?

    • Andy Hunt

      What error message is Apache giving when you try to start it? Have you checked the error log?

      The error log can be found at /var/log/apache2/error_log

      • james

        Unfortunately I experienced a very similar issue. After completing the above steps apache no longer worked for either http/https.
        Checked in the error_log and am seeing:
        (2)No such file or directory: httpd: could not open error log file /var/log/httpd/error_log.
        Unable to open logs

        • Andy Hunt

          Either change your configuration to use a different directory to log to or check that /var/log/httpd directory exists and that the permissions are ok for Apache to write to it.

  • I got this error when I tried to restart apache “Init: Unable to read pass phrase [Hint: key introduced or changed before restart”.
    But I managed to resolve it by methods provided on this site: http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm

    Here is the excerpt of the method:
    To avoid the problem of entering the pass phrase, we can remove the pass phrase protection on the server private key with the following openssl command.

    [root@fc4 conf]# cd /etc/httpd/conf/ssl.key
    [root@fc4 ssl.key]# cp server.key server.key.new
    [root@fc4 ssl.key]# openssl rsa -in server.key.new -out server.key
    Enter pass phrase for server.key.new:
    writing RSA key

    Basically I need to get into the ssl folder and rename the old server.key and use openssl command to output a new one which removed the pass phrase. It works nicely.

    • Andy Hunt

      Good point I should have probably put that in the post. I will update it to say not to enter a pass phrase when creating the key

      I appreciate the feedback…

  • Gabriel Gomez

    Hi! I need some help, I did everything in here but now my localhost won’t work :/ I tried turning on web sharing under system settings because it mysteriously turned off by itself. I believe I may have skipped this step by mistake “Create a backup of /etc/apache2/httpd.conf.” and didn’t create a backup, is there a way to get a copy of that file? Also when I go to 127.0.0.1 that works just fine. Could I get some help with these please?? It’s part of my school project 🙂

    • Gabriel Gomez

      I can post what I found in the error log here if you don’t mind

      httpd: Could not reliably determine the server’s fully qualified domain name, using Gabriels-MacBook-Pro.local for ServerName
      [Fri Sep 14 13:01:41 2012] [notice] Digest: generating secret for digest authentication …
      [Fri Sep 14 13:01:41 2012] [notice] Digest: done
      [Fri Sep 14 13:01:41 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured — resuming normal operations
      [Fri Sep 14 13:01:42 2012] [notice] caught SIGTERM, shutting down
      httpd: Could not reliably determine the server’s fully qualified domain name, using Gabriels-MacBook-Pro.local for ServerName
      [Fri Sep 14 13:01:47 2012] [notice] Digest: generating secret for digest authentication …
      [Fri Sep 14 13:01:47 2012] [notice] Digest: done
      [Fri Sep 14 13:01:47 2012] [notice] Apache/2.2.21 (Unix) DAV/2 configured — resuming normal operations
      [Fri Sep 14 13:02:06 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 13:02:35 2012] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 13:05:25 2012] [error] [client 10.159.13.211] client denied by server configuration: /Users/gabe/Sites
      [Fri Sep 14 13:05:25 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 13:07:20 2012] [error] [client 10.159.13.211] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:31:22 2012] [notice] caught SIGTERM, shutting down
      No log handling enabled – using stderr logging
      Created directory: /var/db/net-snmp
      Created directory: /var/db/net-snmp/mib_indexes

      [Fri Sep 14 17:36:11 2012] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.10 with Suhosin-Patch configured — resuming normal operations
      [Fri Sep 14 17:47:26 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
      [Fri Sep 14 17:47:26 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:47:33 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
      [Fri Sep 14 17:47:33 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:47:59 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phppinfo.php’ not found or unable to stat
      [Fri Sep 14 17:47:59 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:48:34 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
      [Fri Sep 14 17:48:34 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:49:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/phpinfo.php not working on mac
      [Fri Sep 14 17:49:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:49:51 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/phpinfo.php\xe2\x80\x9d, referer: http://macosx.com/forums/software-programming-we$
      [Fri Sep 14 17:49:51 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:50:29 2012] [error] [client ::1] script ‘/Library/WebServer/Documents/phpinfo.php’ not found or unable to stat
      [Fri Sep 14 17:50:29 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico, referer: http://localhost/phpinfo.php
      [Fri Sep 14 17:51:35 2012] [notice] caught SIGTERM, shutting down
      [Fri Sep 14 17:55:59 2012] [warn] mod_bonjour: Cannot stat template index file ‘/System/Library/User Template/English.lproj/Sites/index.html’.
      [Fri Sep 14 17:55:59 2012] [notice] Digest: generating secret for digest authentication …
      [Fri Sep 14 17:55:59 2012] [notice] Digest: done
      [Fri Sep 14 17:55:59 2012] [notice] Apache/2.2.21 (Unix) DAV/2 PHP/5.3.10 with Suhosin-Patch configured — resuming normal operations
      [Fri Sep 14 17:56:17 2012] [error] [client 192.168.1.3] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:57:56 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 17:58:14 2012] [error] [client ::1] File does not exist: /Library/WebServer/Documents/favicon.ico
      [Fri Sep 14 20:06:50 2012] [notice] caught SIGTERM, shutting down

    • Andy Hunt

      I think the bit you pasted in didn’t get through the filters. I think I know what you are talking about, in the conf there are conditional parts that say “if this is OSX server” or “if this is not OSX server”. Assuming you are not on server then you should ignore the bits marked for OSX server

  • Andrew Brilliant

    I tried all these changes on OSX 10.8 and it doesn’t work at all. I get no errors for the configuration but apache won’t start. No error log file generated, nothing. Any ideas?

    • Andy Hunt

      That’s odd, there should always be an error log. Open the Console.app (in Utilities) and try to start apache while looking at messages in Console.app.

  • Vito

    Hi, I followed your tutorial, but when I write https://localhost in the address bar I have

    “Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.”

    if you want i can send my files

    /etc/apache2/extra/httpd-ssl.conf,
    /Application/MAMP/conf/apache/httpd.conf,
    /Application/MAMP/conf/apache/ssl.conf

    my mail vitolipari81@gmail.com

    • Andy Hunt

      Sorry but this is for the pre-installed apache not MAMP. I suggest you check out the MAMP documentation or hit google to research your problem.

  • Greg

    Thanks a lot, worked perfectly first time using Lion. One typo – under the vhosts section, you have:
    Include /private/etc/apache2/extra/httpd-vhosts.conf

    The “/private” part should not be there.
    Great post!

  • janwillem

    Thank you Andy,

    Running 10.8 and your solution works like a charm. Did have the servername and certificate pw issues as mentioned above but solved all of them via the mentioned posts.

    great to be up and running again.

  • I followed the instructions and everything seemed to go okay. I tried to view a page, and after accepting the certificate, all I get is:

    “Forbidden

    You don’t have permission to access / on this server.”

  • Kelly

    Well done Andy.. I had ~30 min to set up a secure server environment on a new mac to test a project. Lucky I found this page. Thanks!

  • olivierkeuf

    Hello Guys, I need your help,
    After installation of Apache (httpd-2.0.64) on Linux Redhat, Apache is up and running and I set up the SSL certificate by generating and installing a test certificate, which is done.
    The problem is I’m not able to connect using https; the page is not coming up. After checking the error.log I find the below errors:

    [Fri Mar 01 18:49:54 2013] [warn] RSA server certificate CommonName (CN) Test-Only Certificate' does NOT match server name!?
    [Fri Mar 01 18:49:54 2013] [warn] RSA server certificate CommonName (CN)
    Test-Only Certificate' does NOT match server name!?
    [Fri Mar 01 18:49:54 2013] [notice] Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations
    [Fri Mar 01 18:53:06 2013] [notice] caught SIGTERM, shutting down

    I am not able to find out the cause because it is my first time configuring apache. Please, I need help on this.

    • Andy Hunt

      Yes, in the post I am using a mixture of /private/etc/ and /etc/. This is bad editing but the instructions will still work as /etc/ is actually a symbolic link to /private/etc/ on a Mac system. I will change the post so the paths are consistent.

  • Sri

    Just tried this on OS X Mountain Lion 10.8 and it worked beautifully. Thanks a lot. You saved my day and a lot of time & sweat.
    Here’s a little suggestion. The certificates should be created without a password, else apache errors out.

  • Hey, so I’m running mountain lion 10.8.2 and this is 99% correct, however I was experiencing the following in the browser when trying to access my https domain:

    Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection.

    In my apache logs I was seeing:

    [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

    To get things working I had to add in:

    “Listen 443” to “Listen 443 http” in the /private/etc/apache2/extra/httpd-ssl.conf file,

    thanks to http://imranbhullar.blogspot.co.uk/2012/07/server-should-be-ssl-aware-but-has-no.html for the hint!

    Also if you’re seeing something like:

    Wed Jun 26 15:39:27 2013] [error] Init: Unable to read pass phrase [Hint: key introduced or changed before restart?]
    [Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
    [Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    [Wed Jun 26 15:39:27 2013] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

    This is because you’ve set a pass phrase on your key and cert, something that isn’t covered here 😉

    Hope this helps people

  • Looks like there is a default SSL for port 443? See this error:

    ********
    $ sudo apachectl configtest
    [Thu Jan 16 13:18:06 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
    Syntax OK
    ********

    My vhosts file only has one 443 set up, no default. I guess it is located elsewhere?

    Also, the base SSLCACertificatePath and SSLCARevocationPath’s are not correct when uncommented. This is coming from a completely fresh install on 10.9.

    Thanks for the great guide, any pointers on the default overlap issue?

      • Yes, I added that to my http.conf file, after playing around a little with ports.conf. I have since removed it from ports.conf

        Now I’m not getting the error in apachectl config test, but the wrong SSL is being called. See these from my Console.app:

        [Thu Jan 16 14:09:39 2014] [error] [client ::1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace., referer: https://sq.local/

        [Thu Jan 16 14:20:05 2014] [warn] NameVirtualHost *:443 has no VirtualHosts
        (48)Address already in use: make_sock: could not bind to address 0.0.0.0:443
        no listening sockets available, shutting down
        Unable to open logs

        • Also, the SSL that is getting applied is a default one, with the company name ‘Internet Widgets Party’, which is the suggested name when configuring. Might it be that I did not put the server name in correctly when I did the SSL generation with openSSL?

        • Andy Hunt

          Do you have anything else running on port 443? The command sudo lsof -i :443 lists stuff using port 443.

          I have sent you an email separately.

  • sebus

    Nice info, but if anybody doing it on Server flavour of Mac (tested on Mt Lion only) then Server / Certificates allows one to do it in GUI way (create CSR, import certificate issued from CA, and apply it to configuration)

  • Sebastian

    I almost pulled my hair and gave up but then I realized that I missed this line:
    “In the same file comment out (add a # to the beginning of the line) the lines that start with SSLCACertificatePath and SSLCARevocationPath”

    Now it works in Mavericks!

    Only one thing. When I navigate to my host name I get a message about Untrusted connection and that it’s a bad idea to continue. How do I solve this? What did I miss?

    Thanks!

    • Andy Hunt

      You will get the untrusted connection because you created a self-signed certificate. The only way around this would be to purchase a certificate for your domain from one of the big signers and install that. For a development machine that’s not normally required.

  • Fred

    Thanks, helped a lot.

    Just one comment: If DocumentRoot is not the default then it also needs to be changed in https-ssl.conf, two places IIRC.

  • Joel

    Thanks Andy! This helped a lot. I have a reverse proxy that allows me to do RESTful api calls back to the same server (but different port) without using CORS, which kills the session cookie. So, adding the localhost dev environment to mimic my SSL config on Linode server is a nice touch. I can leave the https links in my ‘isLocal’ service now and thus the code is identical whether deployed to server or running on my Mac.
