Enable SSL in Apache for 'localhost' (OSX, El Capitan)

Enable SSL in Apache (OSX)

The following will guide you through the process of enabling SSL on an Apache web server.

  • The instructions have been verified with OSX El Capitan (10.11.2) running Apache 2.4.16
  • The instructions assume you already have a basic Apache configuration enabled on OSX. If this is not the case, feel free to consult Gist: "Enable Apache HTTP server (OSX)"

Apache SSL Configuration

Create a directory within /etc/apache2/ using Terminal.app: sudo mkdir /etc/apache2/ssl
Next, generate two host keys:

sudo openssl genrsa -out /etc/apache2/server.key 2048
sudo openssl genrsa -out /etc/apache2/ssl/localhost.key 2048
sudo openssl rsa -in /etc/apache2/ssl/localhost.key -out /etc/apache2/ssl/localhost.key.rsa

Create a configuration file using Terminal.app: sudo touch /etc/apache2/ssl/localhost.conf
Edit the newly created configuration file and add the following:

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost

Generate the required Certificate Requests using Terminal.app:

sudo openssl req -new -key /etc/apache2/server.key -subj "/C=/ST=/L=/O=/CN=/emailAddress=/" -out /etc/apache2/server.csr
sudo openssl req -new -key /etc/apache2/ssl/localhost.key.rsa -subj "/C=/ST=/L=/O=/CN=localhost/" -out /etc/apache2/ssl/localhost.csr -config /etc/apache2/ssl/localhost.conf

Note: Complete the values C= ST= L= O= CN= to reflect your own organizational structure, where:

  • C= eq. Country: The two-letter ISO abbreviation for your country.
  • ST= eq. State or Province: The state or province where your organization is legally located.
  • L= eq. City or Locality: The city where your organization is legally located.
  • O= eq. Organization: The exact legal name of your organization.
  • CN= eq. Common Name: The fully qualified domain name for your web server.

Use the Certificate Requests to sign the SSL Certificates using Terminal.app:

sudo openssl x509 -req -days 365 -in /etc/apache2/server.csr -signkey /etc/apache2/server.key -out /etc/apache2/server.crt
sudo openssl x509 -req -extensions v3_req -days 365 -in /etc/apache2/ssl/localhost.csr -signkey /etc/apache2/ssl/localhost.key.rsa -out /etc/apache2/ssl/localhost.crt -extfile /etc/apache2/ssl/localhost.conf

Add the SSL Certificate to Keychain Access.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/localhost.crt
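
A check to run on the generated files before trusting them, as an added example that is not part of the original gist: it confirms the certificate matches the key, carries the subjectAltName entries, uses a 2048-bit key and is marked CA:FALSE. The helper names check_cert, make_demo_cert and has are hypothetical, and the demo files are constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example (not from the gist). check_cert, make_demo_cert and has are
# hypothetical helper names; the demo files are constructed in a temp directory.

has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

# check_cert KEY CRT NAME: print each problem found, return 0 only if none.
check_cert() {
  key=$1; crt=$2; name=$3; rc=0
  text=$(openssl x509 -in "$crt" -noout -text) || return 2
  # 1. The certificate must belong to the key Apache loads (same RSA modulus).
  [ "$(openssl rsa -in "$key" -noout -modulus)" = \
    "$(openssl x509 -in "$crt" -noout -modulus)" ] || { echo "key/cert mismatch"; rc=1; }
  # 2. The [alt_names] entries must have survived signing: x509 -req drops
  #    the CSR's extensions unless -extfile/-extensions is passed.
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}')
  has ", $san," ", DNS:$name," || { echo "no SAN entry for $name"; rc=1; }
  # 3. The page generates 2048-bit keys; flag anything smaller.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is only ${bits:-?} bits"; rc=1; }
  # 4. A cert trusted in the keychain should stay a leaf (CA:FALSE).
  has "$text" "CA:FALSE" || { echo "basicConstraints CA:FALSE missing"; rc=1; }
  return $rc
}

# make_demo_cert DIR [omit]: repeat the page's steps on throwaway files;
# "omit" signs without -extfile to reproduce the dropped-extension failure.
make_demo_cert() {
  dir=$1; ext="-extensions v3_req -extfile $dir/localhost.conf"
  [ "${2:-}" = omit ] && ext=""
  printf '%s\n' '[req]' 'distinguished_name = req_distinguished_name' \
    'req_extensions = v3_req' '[req_distinguished_name]' '[v3_req]' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
    'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = localhost' \
    'DNS.2 = *.localhost' > "$dir/localhost.conf"
  openssl genrsa -out "$dir/localhost.key" 2048 2>/dev/null
  openssl req -new -key "$dir/localhost.key" -subj "/CN=localhost" \
    -out "$dir/localhost.csr" -config "$dir/localhost.conf"
  # $ext is intentionally unquoted so it splits into separate options.
  openssl x509 -req -days 365 -in "$dir/localhost.csr" \
    -signkey "$dir/localhost.key" -out "$dir/localhost.crt" $ext 2>/dev/null
}

# Demo on constructed sample files; point check_cert at the real paths instead.
demo=$(mktemp -d)
make_demo_cert "$demo" && check_cert "$demo/localhost.key" "$demo/localhost.crt" localhost \
  && echo "certificate OK"
```

Against the files from this guide the call is `sudo bash -c '. ./check.sh; check_cert /etc/apache2/ssl/localhost.key /etc/apache2/ssl/localhost.crt localhost'`, where check.sh is an assumed file name for the block above.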

Apache Configuration

Edit the Apache main configuration file /etc/apache2/httpd.conf and enable the required modules to support SSL:

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so

Enable Secure (SSL/TLS) connections

Include /private/etc/apache2/extra/httpd-ssl.conf

Apache Virtual Host Configuration

Edit the Virtual Hosts file /etc/apache2/extra/httpd-vhosts.conf and add the SSL Directive at the end of the file:

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot "/Library/WebServer/Documents"

    SSLEngine on
    # Strong ciphers only; no anonymous, NULL, export or low-strength suites
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

    <Directory "/Library/WebServer/Documents">
        Options Indexes FollowSymLinks
        AllowOverride All
        # Apache 2.4 access control (replaces the 2.2-style Order/Allow lines)
        Require all granted
    </Directory>
</VirtualHost>

Finally, restart Apache using Terminal.app: sudo apachectl restart
Open Safari and visit https://localhost to verify your configuration.

alzalabany commented Oct 18, 2016

Followed exact steps, yet it returns

Forbidden

You don't have permission to access / on this server.

vincentaudebert commented Oct 18, 2016

+1 on @alzalabany

thompsgr commented Dec 5, 2016

djarami commented Dec 21, 2016

It sort of worked for me. Load up the https://localhost on Safari and it will tell you it is a self signed certificate. If you select proceed, it will say it works. Chrome blocks the self signed cert completely.
I hope this helps

raycalleja48 commented Dec 24, 2016

My problem is that it broke apache altogether. Even http wouldn't work. My solution was to edit the /private/etc/apache2/extra/httpd-ssl.conf file, comment out SSLSessionCache, change the ServerName to localhost:443 and then restart apache. Chrome also worked; I just needed to click on the Advanced link and then click proceed.

IanKHall commented Feb 25, 2017

I got a similar result to djarami. Safari allowed me to add an exception to https://localhost, which then got me to the Apache "It Works!" site. Chrome blocked access completely to the same site. But I am trying to run an application from my local machine that appears at https://localhost:6006 (the port can vary), and on Firefox I get "Server Connection Failed - SSL_ERROR_WEAK_SERVER_CERT_KEY"
After all these set up tasks I was hoping for a better result! Any more ideas greatly appreciated.

tomnielsen commented Mar 9, 2017

apachectl configtest was needed to track down which extensions needed to be enabled to make it work.

ramingar commented Mar 19, 2017

It works flawlessly. Thx!

arjus commented Apr 25, 2017

It works. If you get Forbidden "You can't access that server" follow these steps:
1- Open the httpd config file:
sudo nano /etc/apache2/httpd.conf
2- Find the User and the Group "Ctrl+w". Comment them out putting a # before and modify like this (where User is your username):
User admin
Group staff
3- Ctrl+X to close and Y to Save.
4- Restart apache
sudo apachectl restart
Now try to reload the page.

If the problem persists, find the path of your apache error file and troubleshoot the errors.

dlivesay commented Jun 27, 2017

It works for me, for the most part; I'm still trying to figure out the best way to enable ssl on multiple virtual hosts. One thing I'm not clear on, though, is the purpose of this command line:
sudo openssl rsa -in /etc/apache2/ssl/localhost.key -out /etc/apache2/ssl/localhost.key.rsa
Without any options, openssl rsa just makes a copy of the -in file—in this case with .rsa appended to the name. You could do this with sudo cp, or you could have named it localhost.key.rsa in the first place, if it even matters what the name is.

@arjus: Don't do that! User admin is a privileged user. Never run a server on an open inbound port as a privileged user! Read the docs.

@IanKHall: You can proxy requests to the default virtual host to your service on 6006 by configuring a reverse proxy. See http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html or http://localhost/manual/howto/reverse_proxy.html if you have enabled local access to the manual. You might also want to consider using one of the private ports (49152–65535) instead of a registered port. See RFC1340 if you don't know what this means.

rlaurente commented Jul 12, 2017

It works!

question: how can we enable multiple virtual hosts?

maurocarrero commented Jul 26, 2017

It works nice, thanks.

fusion27 commented Aug 10, 2017

Works like a boss @nrollr thank you!

berenerchamion commented Oct 31, 2017

Perfect! Works great! I used this with the Apache installed with Homebrew, not the Apache that comes pre-installed on macOS Sierra 10.12.6 and it worked exactly as described.

calepsol commented Dec 10, 2017

+1 thx

nar3nd3r commented Dec 24, 2017

+1 thanks.

gmegidish commented Jan 1, 2018

+1 many-thanks!

mendezdl commented Jan 4, 2018

+1 thanks

simonbrazell commented Jan 26, 2018

Worked perfectly, thanks heaps!

JyotiDuhan commented Jan 29, 2018

I followed the same and localhost works fine but still my react application is not working with https.
I am trying https://localhost:3000 and it says "site can not be reached". Any suggestions??

laurentiuc commented Mar 13, 2018

+1 thanks

The-KarateKid commented Apr 13, 2018

For those using Homebrew Apache, check your /extra/httpd-ssl.conf file for what port it is set to listen to (usually 8443). Update your <VirtualHost *:8443> in httpd-vhosts.conf file to match that. Then, you have to access localhost via https://localhost:8443

podolinek commented Apr 24, 2018

For me it was required to add a row with "Listen 443" to httpd.conf.

romanych commented Apr 27, 2018

Thank you for great work, really worked!

gracielaPosadas commented Apr 27, 2018

I'm confused about the routes. How should the httpd-vhosts.conf be routed for MAMP?

wesleyhlee commented Jul 1, 2018

This guide still works (macOS 10.13, httpd -v Apache 2.4.33)

VizualAbstract commented Jul 17, 2018

Verified it works, too. Thanks so much!

I had to do a few additional changes because I changed my directory from /Library/WebServer/Documents to somewhere else.

MacOS 10.13.15 / Apache 2.4.33

I had to update it in /etc/apache2/httpd.conf, /private/etc/apache2/extra/httpd-ssl.conf and /private/etc/apache2/extra/httpd-vhosts.conf, so they all matched.

PS I went through this shortly after configuring dnsmasq.

bhanu0987 commented Jul 27, 2018

Thanks a lot!

santhoshnp commented Oct 10, 2018

Do you have any video related to this https on localhost?
