Local SSL websites on macOS Sierra

README.md

Local SSL websites on macOS Sierra

These instructions will guide you through the process of setting up local, trusted websites on your own computer.

These instructions are intended to be used on macOS Sierra, but they have been known to work in El Capitan, Yosemite, Mavericks, and Mountain Lion.

NOTE: You may substitute the edit command for nano, vim, or whatever the editor of your choice is. Personally, I forward the edit command to Sublime Text:

alias edit="/Applications/Sublime\ Text.app/Contents/SharedSupport/bin/subl"

---

Configuring Apache

Within Terminal, start Apache.

sudo apachectl start

In a web browser, visit http://localhost. You should see a message stating that It works!.

Configuring Apache: Setting up a Virtual Host

Within Terminal, edit the Apache Configuration.

edit /etc/apache2/httpd.conf

Within the editor, replace line 212 to supress messages about the server’s fully qualified domain name.

ServerName localhost

Next, uncomment line 160 and line 499 to enable Virtual Hosts.

LoadModule vhost_alias_module libexec/apache2/mod_vhost_alias.so

Include /private/etc/apache2/extra/httpd-vhosts.conf

Optionally, uncomment line 169 to enable PHP.

LoadModule php5_module libexec/apache2/libphp5.so

Within Terminal, edit the Virtual Hosts configuration.

edit /etc/apache2/extra/httpd-vhosts.conf

Within the editor, replace the entire contents of this file with the following, replacing indieweb with your user name.

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "/Users/indieweb/Sites/localhost"

    <Directory "/Users/indieweb/Sites/localhost">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

Within Terminal, restart Apache.

sudo apachectl restart

Configuring Apache: Creating a Site

Within Terminal, create a Sites parent directory and a localhost subdirectory, which will be our first site.

mkdir -p ~/Sites/localhost

Next, create a test HTML document within localhost.

echo "<h1>localhost works</h1>" > ~/Sites/localhost/index.html

Now, in a web browser, visit http://localhost. You should see a message stating that localhost works.

---

Configuring SSL

Within Terminal, create an SSL directory.

sudo mkdir /etc/apache2/ssl

Next, generate a private key and certificate for your site.

sudo openssl genrsa -out /etc/apache2/ssl/localhost.key 2048
sudo openssl req -new -x509 -key /etc/apache2/ssl/localhost.key -out /etc/apache2/ssl/localhost.crt -days 3650 -subj /CN=localhost

Finally, add the certificate to Keychain Access.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/localhost.crt

Configuring SSL: Setting up a Trusted Virtual Host

Within Terminal, edit the Apache Configuration.

edit /etc/apache2/httpd.conf

Within the editor, uncomment lines 89 and 143 to enable modules required by HTTPS.

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so

LoadModule ssl_module libexec/apache2/mod_ssl.so

Next, uncomment line 516 to enable Trusted Virtual Hosts.

Include /private/etc/apache2/extra/httpd-ssl.conf

Back in Terminal, edit the Virtual Hosts configuration.

edit /etc/apache2/extra/httpd-vhosts.conf

Within the editor, add a 443 VirtualHost Name and localhost Directive at the end of the file, replacing indieweb with your user name.

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot "/Users/indieweb/Sites/localhost"

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

    <Directory "/Users/indieweb/Sites/localhost">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

Back in Terminal, edit the SSL configuration.

edit /etc/apache2/extra/httpd-ssl.conf

Next, comment line 144 and 154 to skip the default Server Certificate and Server Private Key.

#SSLCertificateFile "/private/etc/apache2/server.crt"

#SSLCertificateKeyFile "/private/etc/apache2/server.key"

Next, beneath the commented certificates or keys, add references to your certificate and key.

SSLCertificateFile "/etc/apache2/ssl/localhost.crt"

SSLCertificateKeyFile "/etc/apache2/ssl/localhost.key"

Back in Terminal, restart Apache.

sudo apachectl restart

Now, in a web browser, visit https://localhost. The domain should appear trusted, and you should see a message stating that localhost works!.

Thanks! Got it working!!
thompsgr is right about the typo...

Yes, please correct the typos above. They tripped me up too.

Here is a working Gist of this:
https://gist.github.com/ryanburnett/1e18378347bf373012860dca27d505ac

worked on OSX Sierra, beware of some typos. Thanks !

thanks it's working on Yosemite for me. Didn't work for the first time. There was some problem with httpd-ssl.conf. httpd -t proved invaluable while debugging.

Thankyou, all works perfectly but when i connect to my local address i receive an error, the apache logs says "server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)".
I've repeated every step 2 times.

G.

Great article! got me up and running quickly.
There's a small error in the article. Where it says:

Back in Terminal, edit the SSL configuration.
edit /etc/apache2/extra/httpd-vhosts.conf

It should say httpd-ssl.conf

Thanks.

Whoa... I had no idea anyone had seen this or used this. I’ve never received notifications from this post. I have made the corrections. You all are amazing and awesome and I need to figure out how to monitor gists.

This works very well still - exceptional job @jonathantneal! As others have stated, if things aren't working try running httpd -t. I had enabled a dav package for some reason and once I removed the erroneous package inclusion everything worked swimmingly.

I follow the steps and only for a 'http' request work, but when I configure to request 'https' the server returned:
"Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please."

What is wrong?

thanks

Total noob here.

I run Searx meta search engine on localhost:8888

I installed Searx as per the instructions found here using Docker https://github.com/asciimoo/searx/wiki/Installation

I use Firefox with the addon https Everywhere and I like to block all unencrypted requests. So localhost:8888 won't work in Firefox.

Do you know if its possible to add an SSL cert to this local instance of Searx on localhost:8888 so I can use it in Firefox?

Thanks :)

@mrtargaryen - the easiest way to do this is to create a local reverse proxy to port 8888. Nginx or Apache can do this, though Nginx is a little better documented for this purpose.

Not working for me. OSX Sierra(10.12.1)
I'm already having apache setup which I'm using for other projects.
I'm having some node server (not self-setup but it's invoked by gatsby command to be specific which runs on port 8000).

1. So, for :443, my vhosts file instead looks like

<VirtualHost *:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

    ServerName dummylocaldomain.com
    ProxyPass / http://localhost:8000/
    ProxyPassReverse / http://localhost:8000/
</VirtualHost>

I just want to forward the request from https://dummylocaldomain.com to localhost:8000 which serves the website( **Note:**I've already mapped dummylocaldomain in my /etc/hosts to 127.0.0.1 if that matters )

I was able to follow all other steps though.. Any help?

Works on Sierra! Thank you.

It works perfectly on OS X 10.13.1, LibreSSL 2.2.7 & Apache/2.4.27. The terminal cmd to add the certificate to OS X Keychain was very useful and pretty fast to work with Safari. :-P

Beautiful! It work as expected! Thanks a lot!

Guy, read this : https://websitebeaver.com/set-up-localhost-on-macos-high-sierra-apache-mysql-and-php-7-with-sslhttps#turn-on-ssl-https

Thanks this works on High Sierra!

HighSierra 10.13.3 confirmed. Thanks!

Thank you very much! (10.13.4)

While Apache and NGINX are great, IMO, configuring them for localhost to serve SSL for local development is a bit overkill.

I would suggest to those that want something easier out-of-the-box - check out ngrok @ https://ngrok.com/

Holy shit... thanks! Worked like a charm. (10.13.6) I'm working on a React Native project and you folks just saved the day.

Thanks works like charm :) thank you

great, work on ubuntu 17.10 as well

worked without issue....many thanks

worked really wel!

Thank you!!

If you get a Connection Refused like @madhukarhere, check your httpd-ssl.conf to make sure the Listen port is 443, not 8443

curl: (7) Failed to connect to localhost port 443: Connection refused

perfect, everything it's ok

Hello! On macOS Monterey (12.3.1) and Apache 2.53 I always receive (on Firefox)
"Secure Connection Failed"
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Other browsers will not connect as well
No error message in apache logs and no record in access_log

when connect via https. While http works fine
Any idea how to handle it? I googled the entire internet but found nothing that helps