Local SSL websites on macOS Sierra

These instructions will guide you through the process of setting up local, trusted websites on your own computer.

These instructions are intended to be used on macOS Sierra, but they have been known to work in El Capitan, Yosemite, Mavericks, and Mountain Lion.

NOTE: You may replace the edit command with nano, vim, or whatever editor you prefer. Personally, I forward the edit command to Sublime Text:

alias edit="/Applications/Sublime\ Text.app/Contents/SharedSupport/bin/subl"

Configuring Apache

Within Terminal, start Apache.

sudo apachectl start

In a web browser, visit http://localhost. You should see a message stating that It works!.

Configuring Apache: Setting up a Virtual Host

Within Terminal, edit the Apache Configuration.

edit /etc/apache2/httpd.conf

Within the editor, replace line 212 to suppress messages about the server’s fully qualified domain name.

ServerName localhost

Next, uncomment line 160 and line 499 to enable Virtual Hosts.

LoadModule vhost_alias_module libexec/apache2/mod_vhost_alias.so
Include /private/etc/apache2/extra/httpd-vhosts.conf

Optionally, uncomment line 169 to enable PHP.

LoadModule php5_module libexec/apache2/libphp5.so

Within Terminal, edit the Virtual Hosts configuration.

edit /etc/apache2/extra/httpd-vhosts.conf

Within the editor, replace the entire contents of this file with the following, replacing indieweb with your user name.

<VirtualHost *:80>
    ServerName localhost
    DocumentRoot "/Users/indieweb/Sites/localhost"

    <Directory "/Users/indieweb/Sites/localhost">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

Within Terminal, restart Apache.

sudo apachectl restart

Configuring Apache: Creating a Site

Within Terminal, create a Sites parent directory and a localhost subdirectory, which will be our first site.

mkdir -p ~/Sites/localhost

Next, create a test HTML document within localhost.

echo "<h1>localhost works</h1>" > ~/Sites/localhost/index.html

Now, in a web browser, visit http://localhost. You should see a message stating that localhost works.


Configuring SSL

Within Terminal, create an SSL directory.

sudo mkdir /etc/apache2/ssl

Next, generate a private key and certificate for your site.

sudo openssl genrsa -out /etc/apache2/ssl/localhost.key 2048
sudo openssl req -new -x509 -key /etc/apache2/ssl/localhost.key -out /etc/apache2/ssl/localhost.crt -days 3650 -subj /CN=localhost

Finally, add the certificate to Keychain Access.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/localhost.crt
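
The certificate generated above carries only a common name, and with the stock openssl.cnf `req -x509` marks it as a CA; both show up in the comments below as ERR_CERT_COMMON_NAME_INVALID and as the "BasicConstraints: CA == TRUE" log line. The following is an added example, not part of the original gist: it issues a leaf certificate with a subjectAltName and CA:FALSE in a scratch directory and checks the result before anything is trusted. The function names `make_local_cert` and `check_local_cert` and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gist): a self-signed leaf certificate for a
# local host name, with subjectAltName and CA:FALSE, checked before trusting.
# make_local_cert / check_local_cert and the scratch directory are assumed names.

make_local_cert() {
    # $1 = existing output directory, $2 = host name
    dir=$1 host=$2
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = leaf
prompt             = no

[dn]
CN = $host

[leaf]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    # umask 077 in a subshell: the key is created readable by its owner only
    ( umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) &&
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/$host.cnf" \
        -key "$dir/$host.key" -out "$dir/$host.crt"
}

check_local_cert() {
    # $1 = certificate file, $2 = host name; prints findings, returns 0 if clean
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    rc=0
    if ! echo "$text" | grep -qF "DNS:$2"; then
        echo "no subjectAltName DNS:$2"; rc=1
    fi
    if echo "$text" | grep -qF "CA:TRUE"; then
        echo "certificate is a CA"; rc=1
    fi
    return $rc
}

# Demo in a scratch directory; nothing under /etc/apache2 is touched.
scratch=$(mktemp -d)
make_local_cert "$scratch" localhost &&
    check_local_cert "$scratch/localhost.crt" localhost &&
    echo "localhost.crt: leaf certificate with SAN"
```

A certificate marked CA:TRUE that is added to the System keychain as a trusted root lets whoever holds its private key issue certificates this Mac will accept for any host name, so the CA:FALSE constraint and the restrictive key permissions matter even on a development machine.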

Configuring SSL: Setting up a Trusted Virtual Host

Within Terminal, edit the Apache Configuration.

edit /etc/apache2/httpd.conf

Within the editor, uncomment lines 89 and 143 to enable modules required by HTTPS.

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so

Next, uncomment line 516 to enable Trusted Virtual Hosts.

Include /private/etc/apache2/extra/httpd-ssl.conf

Back in Terminal, edit the Virtual Hosts configuration.

edit /etc/apache2/extra/httpd-vhosts.conf

Within the editor, add a VirtualHost block for port 443, with a Directory directive for localhost, at the end of the file, replacing indieweb with your user name.

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot "/Users/indieweb/Sites/localhost"

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

    <Directory "/Users/indieweb/Sites/localhost">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

Back in Terminal, edit the SSL configuration.

edit /etc/apache2/extra/httpd-ssl.conf

Next, comment out lines 144 and 154 to skip the default Server Certificate and Server Private Key.

#SSLCertificateFile "/private/etc/apache2/server.crt"
#SSLCertificateKeyFile "/private/etc/apache2/server.key"

Next, beneath the commented certificates or keys, add references to your certificate and key.

SSLCertificateFile "/etc/apache2/ssl/localhost.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/localhost.key"

Back in Terminal, restart Apache.

sudo apachectl restart

Now, in a web browser, visit https://localhost. The domain should appear trusted, and you should see a message stating that localhost works.
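
The SSLCipherSuite string in the 443 virtual host names several weak cipher classes (RC4, LOW, EXP, SSLv2, eNULL) without excluding them, which is what the "obsolete" warnings in the comments below point at. The following is an added example, not part of the original gist: a small lint that reports such keywords per config line. It is a heuristic on the string itself (`openssl ciphers -v '<string>'` shows what the local OpenSSL actually enables); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): flag SSLCipherSuite lines that name weak
# cipher classes without excluding them. Function names and the sample file
# are constructed for this illustration.

WEAK='eNULL aNULL NULL EXP EXPORT LOW RC4 DES MD5 SSLv2 SSLv3'

weak_cipher_tokens() {
    # $1 = OpenSSL cipher string; prints the weak keywords it names without
    # a "!" or "-" prefix. "+KEY" only moves a class to the end of the list,
    # so it still counts as named.
    echo "$1" | tr ':' '\n' | while read -r tok; do
        case $tok in '!'*|-*) continue ;; esac
        for part in $(echo "${tok#+}" | tr '+' ' '); do
            for w in $WEAK; do
                if [ "$part" = "$w" ]; then echo "$w"; fi
            done
        done
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

lint_conf() {
    # $1 = Apache config file; prints one finding per offending line and
    # returns 1 if any SSLCipherSuite line was flagged.
    awk 'tolower($1) == "sslciphersuite" { gsub(/"/, "", $NF); print NR, $NF }' "$1" |
    (
        rc=0
        while read -r n suite; do
            weak=$(weak_cipher_tokens "$suite")
            if [ -n "$weak" ]; then
                echo "line $n: not excluded: $weak"; rc=1
            fi
        done
        exit $rc
    )
}

# Constructed sample: line 2 is the string used in this guide, line 3 is the
# stricter HIGH:!aNULL:!MD5 form.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
EOF
lint_conf "$sample" || echo "weak cipher classes named in $sample"
```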

2ni commented Oct 23, 2014

You got a typo with localhost.conf <-> localhost.cnf
I still get an error net::err_cert_common_name_invalid with chrome :(

jonathantneal commented Nov 3, 2014

Thanks @2ni, a few areas have been updated and tested successfully.

this broke my server completely.....

W3BGUY commented Nov 18, 2014

Worked like a charm for me (editing the server information, of course). Thanks, still learning this Mac stuff... :)

Worked perfectly for me, thanks!

This worked absolutely flawlessly for me. I used http://coolestguidesontheplanet.com/get-apache-mysql-php-phpmyadmin-working-osx-10-10-yosemite/ to get PHP, and MySQL up and running, and then http://stackoverflow.com/questions/26483724/how-to-install-mod-perl-2-0-9-in-apache-2-4-on-os-x-yosemite/26544732#26544732 to get perl up and running. Now this got the SSL part of the equation working. Thank you so much!

for me it doesn't work as well !

as soon as I include /extra/httpd-ssl.conf into play, the server isn't reachable anymore.
I see here that nothing has to be changed in the default ssl.conf file, but don't understand what's causing this

any thoughts ?

Thx !

It works! on OS X Yosemite. Thanks!

Update: Figured it out at least for my case - open httpd-ssl.conf, and at about line 68, comment out the line that starts with SSLMutex. It seems to use a module that isn't used in our current configuration. Also, lower down in the file it defines a virtualhost that may or may not conflict with the one defined in httpd-vhosts. Hope that helps someone!

Having the same issue as razvanioan - can't see any reason I should be having a problem, but if I figure it out I'll post the solution!

wildone commented Dec 29, 2014

@ashleyparkes
SSLMutex is not supported since httpd 2.2, so you must be running httpd 2.2+
update like this

SSLMutex "file:/private/var/run/ssl_mutex"

Mutex sysvsem default

@razvanioan
run:
httpd -t

you may have some modules in httpd.conf not enabled...

This worked great (after I found the bit in the comments about Mutex). Thanks for writing this!

Should I just leave httpd-ssl.conf like this?:

#SSLMutex "file:/private/var/run/ssl_mutex"   
Mutex sysvsem default

Any chance you could give me a hint as to how to get a certificate going for a second domain on my localhost? I have vhosts setup for home.dev, test.dev, etc. I assume I won't have to redo every step of this, but I'm a little unsure which parts are domain specific.

Thanks in advance for any help.

scepter commented Jan 3, 2015

It works on Yosemite. Thanks.

it's working, but now using http:// is forbidden?

OK - I was able to fix my issue by adding a config for port 80 in the vhosts file.
So, last step editing "httpd-vhosts.conf"
I repeated the entire <VirtualHost *:80> block as port 80, removing the 4 lines for SSL Engine

biegl commented Mar 15, 2015

works like a charm. thanks!

svox1 commented Mar 26, 2015

Thx!

This is great stuff. @ashleyparkes comment about removing the redundant virtualhost in httpd-ssl.conf did it for me.

The only slight issue is that, if you view the certificate details in Chrome, it reports that it used obsolete cryptography (TLS 1.0). I think that this is stopping something working for me. Does anyone have any idea how to change this to TLS 1.2?

I think I sorted it...!

Added this to any of the config files to stop TLS 1.0 being used
SSLProtocol All -SSLv2 -SSLv3

Hey there, how can we undo these changes? I seem to have broken apache. It doesn't want to start anymore from Manager-OSX (mysql works fine tho).

I have...

  • Removed the /etc/apache2/ssl/ directory
  • Recommented all the lines /etc/apache2/httpd.conf
  • Removed the 443 virtual host setting in /etc/apache2/httpd.conf
  • Removed the ~/Sites directory

I'm not sure what else to do, but apache was originally working for me on my localhost where I have my site located within the htdocs/ directory of XAMPP. Please help!

kenahoo commented May 10, 2015

@jonbonJoeB - try running apachectl configtest to see whether it reports any errors. It might show you what's wrong.

dataf3l commented Jun 18, 2015

Thanks Jonathan!, also if anyone gets a: Apache: “AuthType not set!” 500 Error
and has Apache2.2 as opposed to Apache2.4, remember to comment this line:

     #Require all granted

since it is only required for apache2.4
as per these instructions:
http://stackoverflow.com/questions/21265191/apache-authtype-not-set-500-error

I got this: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I took shankiesan's suggestion and added

SSLProtocol All -SSLv2 -SSLv3

to httpd-ssl.conf and now it works!

Thanks to everyone for their help!

otayeby commented Jul 28, 2015

When editing the "httpd-vhosts.conf", please make sure you are editing the one in the "/private/etc/apache2/extra/" directory not the "/etc/apache2/extra/". Thank you Jonathan, it works for me.

/etc/apache2/extra is a symlink to /private/... so it's fine.

This works well, thank you.

Worked perfectly with Mac OS X 10.10.5. Thanks!

srikant commented Sep 24, 2015

Thanks, Works like a magic.

I'm getting a warning saying I'm using an obsolete cypher suite, what does this mean?

Edit: https://mozilla.github.io/server-side-tls/ssl-config-generator/ , this can be used to generate a more recent SSL settings for your vhost file.

Worked fantastically on el capitan. Many thanks.

Thank you much, it is working well on Yosemite.

This is great – this is the first guide that I've found that gets SSL working properly on Yosemite and El Capitan. Chapeau!

Worked perfectly for me on El Capitan. Many thanks.

just a hint: you can compress multiple mkdir commands:
mkdir -p /ExistingFolder/NewFolder/NewSubfolder

Greetings, Alex

emdecr commented Jan 14, 2016

Worked for me. Thanks!

Wonderful walkthrough - Yosemite, v10.10.5.

Thanks!

This worked great for me just this morning on El Capitan. One note I had is since I'm not using localhost as my site name, I had to change that where it was set in configuration files. The actual names of the files didn't matter though.

@riquezjp's comment about http:// being forbidden was useful
@mgrimard's comment about the updated SSL settings was also useful. apachectl configtest was useful for figuring out what was allowed to be in a <VirtualHost> directive since I am not otherwise very knowledgeable in the realm of Apache setup.

Finally, if you're using Sublime Text, you can get an Apache Conf syntax highlighting package from Package Control that makes the Apache conf file editing a little bit nicer.

Worked perfectly on El Capitan thanks

Thank you! Worked like a charm.

Worked Perfectly! Thank you very much!!!

Perfect thank you.

dvlden commented Feb 20, 2016

Is there a way to make it "GREEN" for dynamic apache virtual hosts too and not localhost only?
So for me it does show up as GREEN for localhost and all its subdirs, but it does not work for my dynamic .dev, .src, .dest TLDs.

Is there a way to make that functional as well? The issue is:
• Server's certificate does not match the URL.

leaase commented Apr 5, 2016

Been fighting "ERR_CERT_COMMON_NAME_INVALID" error in a while now, and finally fixed the problems walking through this guide. Thank you!

Thanks for this article - been running a PHP cURL request against an API that required an SSL connection, kept getting an error "Unknown SSL protocol error in connection", turns out my localhost needs a valid certificate. I can't say i fully understand the openssl syntax behind all of this, but at least now I understand the problem!

Thanks it helped me and worked !!!

regards

Thanks a lot for this writeup. Everything worked perfectly on El Capitan.

Thank you so much. Works like a charm!

madhukarhere commented Jul 14, 2016

I am getting below error when i try to open using curl or chrome.

curl https://localhost:443
curl: (7) Failed to connect to localhost port 443: Connection refused

chrome:
This site can’t be reached
localhost refused to connect.

All i changed is the site location.

It works on OS X El Capitan, thx.

works on El Capitan! Although I do get a warning about the certificate

Hi, After following the steps listed above, I got the following X509 certificate error in Chrome, and cannot proceed.
"Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_INVALID)."

Any suggestions?

aplaceforallmystuff commented Oct 6, 2016

I found the following lines to be incorrect

Back in Terminal, edit the SSL configuration.

edit /etc/apache2/extra/httpd-vhosts.conf
Next, comment line 44 and 54 to skip the default Server Certificate and Server Private Key.

SSLCertificateFile "/private/etc/apache2/server.crt"

SSLCertificateKeyFile "/private/etc/apache2/server.key"

These changes need to be done on /etc/apache2/extra/httpd-ssl.conf, not on httpd-vhosts.conf

Otherwise all working on macos Sierra - many thanks.

jcalais commented Oct 7, 2016

You have an error in your directives that would probably seriously mess up people's configuration.

"Back in Terminal, edit the SSL configuration." -> and then "edit /etc/apache2/extra/httpd-vhosts.conf", which is the vhosts file.

Still getting

<title>403 Forbidden</title>

Forbidden

You don't have permission to access / on this server.

Tried to change the SSL and vhost file but don't get the results in macOS Sierra, can help

@jonathantneal Thanks! Awesome! 2 things...

  • You said:

Back in Terminal, edit the SSL configuration...

but typed

edit /private/etc/apache2/extra/httpd-vhosts.conf

I believe you meant:

edit /private/etc/apache2/extra/httpd-ssl.conf
  • I had issues getting https working because my httpd-ssl.conf was being loaded after httpd-vhosts.conf. It worked fine after moving httpd-vhosts.conf to the bottom.

Hope that helps and may improve the guide.

Thanks again!

Shilpi3 commented Nov 1, 2016

I am getting this error in Mac Sierra httpd: Syntax error on line 143 of /private/etc/apache2/httpd.conf: Cannot load libexec/apache3/mod_ssl.so into server: dlopen(/usr/libexec/apache3/mod_ssl.so, 10): image not found

<VirtualHost *:443>
ServerName localhost
DocumentRoot "/Users//Sites/localhost"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

<Directory "/Users/<my username>/Sites/localhost">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

https://gist.github.com/jonathantneal/774e4b0b3d4d739cbc53#gistcomment-1891444 is right, please update this otherwise great documentation.

tonyoconnell commented Nov 13, 2016

Thanks for the guide ...

I got a permission denied error so I made my httpd-vhosts.conf look like this

<VirtualHost *:80>
  ServerName localhost
  DocumentRoot "/Users/tony/Sites"
   <Directory "Users/tony/Sites">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

<VirtualHost *:80>
  ServerName localhost
  DocumentRoot "/Users/tony/Sites"
  SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
  <Directory "Users/tony/Sites">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

<VirtualHost *:443>
  ServerName localhost
  DocumentRoot "/Users/tony/Sites"
  SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
  <Directory "Users/tony/Sites">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

I have a question!
I followed all of these directions, and have also visited several other pages discussing getting the localhost up and running on sierra.
I've gone through similar processes in the previous 2 versions of osx upgrades, and assume this, too, will get figured out. I can't figure it out now, though!
The documentRoot doesn't seem to refresh or something - I've changed all of the document root lingo to point to Users/Me/Sites/, but http:// still delivers the "It works!" in the browser, as opposed to the desired file-system inside my /Sites/ folder. Also, I've even edited the index file TEXT to read "It still works!", but the text that shows up in the browser is still "It works!".
Seems more mysterious than Before.
If anyone has any thoughts/help, it'd be much appreciated!
Still digging...
Thanks!

thompsgr commented Dec 5, 2016

Awesome, thanks! Other configurations I found didn't work for me, but this one did. As mentioned, you have a typo here:

Back in Terminal, edit the SSL configuration.
edit /etc/apache2/extra/httpd-vhosts.conf

Should be:
edit /etc/apache2/extra/httpd-ssl.conf

Thanks! Got it working!!
thompsgr is right about the typo...

Yes, please correct the typos above. They tripped me up too.

ryanburnett commented Mar 17, 2017

Renrhaf commented Mar 22, 2017

worked on OSX Sierra, beware of some typos. Thanks !

thanks it's working on Yosemite for me. Didn't work for the first time. There was some problem with httpd-ssl.conf. httpd -t proved invaluable while debugging.

ganchan commented May 17, 2017

Thank you, all works perfectly, but when I connect to my local address I receive an error; the Apache logs say "server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)".
I've repeated every step 2 times.

G.

benyaminshoham commented Jul 5, 2017

Great article! got me up and running quickly.
There's a small error in the article. Where it says:

Back in Terminal, edit the SSL configuration.
edit /etc/apache2/extra/httpd-vhosts.conf

It should say httpd-ssl.conf

Thanks.

jonathantneal commented Jul 5, 2017

Whoa... I had no idea anyone had seen this or used this. I’ve never received notifications from this post. I have made the corrections. You all are amazing and awesome and I need to figure out how to monitor gists.

nicohvi commented Jul 25, 2017

This works very well still - exceptional job @jonathantneal! As others have stated, if things aren't working try running httpd -t. I had enabled a dav package for some reason and once I removed the erroneous package inclusion everything worked swimmingly.

marquessbr commented Aug 10, 2017

I follow the steps and only for a 'http' request work, but when I configure to request 'https' the server returned:
"Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please."

What is wrong?

thanks

Total noob here.

I run Searx meta search engine on localhost:8888

I installed Searx as per the instructions found here using Docker https://github.com/asciimoo/searx/wiki/Installation

I use Firefox with the addon https Everywhere and I like to block all unencrypted requests. So localhost:8888 won't work in Firefox.

Do you know if its possible to add an SSL cert to this local instance of Searx on localhost:8888 so I can use it in Firefox?

Thanks :)

tsal commented Sep 29, 2017

@mrtargaryen - the easiest way to do this is to create a local reverse proxy to port 8888. Nginx or Apache can do this, though Nginx is a little better documented for this purpose.

aseem2625 commented Oct 3, 2017

Not working for me. OSX Sierra(10.12.1)
I'm already having apache setup which I'm using for other projects.
I'm having some node server (not self-setup but it's invoked by gatsby command to be specific which runs on port 8000).

  1. So, for :443, my vhosts file instead looks like
<VirtualHost *:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

    ServerName dummylocaldomain.com
    ProxyPass / http://localhost:8000/
    ProxyPassReverse / http://localhost:8000/
</VirtualHost>

I just want to forward the request from https://dummylocaldomain.com to localhost:8000, which serves the website. (Note: I've already mapped dummylocaldomain in my /etc/hosts to 127.0.0.1 if that matters.)

I was able to follow all other steps though.. Any help?
