This guide will help you create and install a self-signed SSL certificate in Apache on OSX (HIgh Sierra) to aid local SSL/HTTPS development.
Advertisement:
I usually force HTTPS traffic on everything I develop (see code below in PHP). This PHP code will direct all HTTP requests to HTTPS.
|
1 2 3 4 5 6 7 |
if ($_SERVER['SERVER_NAME'] == "www.yourserver.com") { if (! isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] == 'off' ) { $redirect_url = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; header("Location: $redirect_url"); exit(); } } |
Also, you can deny non-https traffic in NGINX with online servers by editing your/etc/nginx/sites-available/default file
|
1 |
sudo nano /etc/nginx/sites-available/default |
Add this to your Nginx sites available file (above) to force SSL at the web server.
|
1 2 3 |
if ($scheme != "https") { return 301 https://$host$request_uri; } |
You can also deny port 80 connections in your firewall and NGINX if you don’t trust the directive(s) above.
Apache Configuration (sor https)
Edit httpd.conf
|
1 |
sudo nano /private/etc/apache2/httpd.conf |
Uncomment lines with these text strings in httpd.conf
|
1 2 |
"socache_shmcb_module" (<em>or "LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so"</em>) "ssl_module" (<em>or "LoadModule ssl_module libexec/apache2/mod_ssl.so"</em>) |
I had to find my and “httpd.conf” file
|
1 2 |
sudo find / -name "httpd.conf" /private/etc/apache2/httpd.conf |
Find your “httpd-ssl.conf” file
|
1 2 |
sudo find / -name "httpd-ssl.conf" /private/etc/apache2/original/extra/httpd-ssl.conf |
Copy the config file (just in case a future update overwrites it).
|
1 |
sudo cp /private/etc/apache2/original/extra/httpd-ssl.conf /private/etc/apache2/original/extra/httpd-ssl-localhost.conf |
Now go back and edit the “httpd.conf” file
|
1 |
sudo nano /private/etc/apache2/httpd.conf |
Add the following line (to the end of the file, on a new line) so the new SSL config file loads.
|
1 |
Include /private/etc/apache2/original/extra/httpd-ssl-localhost.conf |
You can have a look at the file “httpd-ssl-localhost.conf”. Take note of paths in the VirtualHost node.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
<VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/Library/WebServer/Documents" ServerName www.example.com:443 ServerAdmin you@example.com ErrorLog "/private/var/log/apache2/error_log" TransferLog "/private/var/log/apache2/access_log" # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. Keep in mind that if you have both an RSA and a DSA certificate # you can configure both in parallel (to also allow the use of DS ciphers, etc.) Some ECC cipher suites ( # http://www.ietf.org/rfc/rfc4492.txt) require an ECC certificate which can also be configured in parallel. SSLCertificateFile "/private/etc/apache2/server.crt" #SSLCertificateFile "/private/etc/apache2/server-dsa.crt" #SSLCertificateFile "/private/etc/apache2/server-ecc.crt" # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) # ECC keys, when in use, can also be configured in parallel SSLCertificateKeyFile "/private/etc/apache2/server.key" #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key" #SSLCertificateKeyFile "/private/etc/apache2/server-ecc.key" # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convenience. #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt" # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath "/private/etc/apache2/ssl.crt" #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt" # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded). # The CRL checking mode needs to be configured explicitly # through SSLCARevocationCheck (defaults to "none" otherwise). # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath "/private/etc/apache2/ssl.crl" #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl" #SSLCARevocationCheck chain # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 # TLS-SRP mutual authentication: # Enable TLS-SRP and set the path to the OpenSSL SRP verifier # file (containing login information for SRP user accounts). # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for # detailed instructions on creating this file. Example: # "openssl srp -srpvfile /private/etc/apache2/passwd.srpv -add username" #SSLSRPVerifierFile "/private/etc/apache2/passwd.srpv" # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> |
Generating a Key and Certificate
Generate a Key (I prefer filenames start with “localhost” so future updates to not overwrite it).
|
1 2 3 |
sudo cd /private/etc/apache2/ sudo openssl genrsa -out localhost.key 2048 sudo openssl req -new -x509 -key ./localhost.key -out ./localhost.crt -days 3650 -subj /CN=localhost |
Check that file files ” localhost.crt” and ” localhost.key” were outputted to “/private/etc/apache2/”
|
1 2 3 4 5 6 7 8 9 10 |
pwd /private/etc/apache2 192-168-1-200:apache2 simon$ ls -al total 208 drwxr-xr-x 13 root wheel 416 18 Dec 00:33 . drwxr-xr-x 128 root wheel 4096 16 Dec 19:41 .. ... -rw-r--r-- 1 root wheel 1318 18 Dec 00:33 localhost.crt -rw-r--r-- 1 root wheel 1708 18 Dec 00:33 localhost.key ... |
Open “/private/etc/apache2/original/extra/httpd-ssl-localhost.conf” and replace the following text.
|
1 |
sudo nnao /private/etc/apache2/original/extra/httpd-ssl-localhost.conf |
Replace the following text:
- “server.crt” with “localhost.crt”
- “server.key” with “localhost.key”
Changes shoud have been made to the following values in “<VirtualHost _default_:443>”
-
SSLCertificateFile “/private/etc/apache2/localhost.crt”
-
SSLCertificateKeyFile “/private/etc/apache2/localhost.key”
Check your apache conf
|
1 |
sudo apachectl configtest |
I had the following error
|
1 2 |
AH00526: Syntax error on line 1 of /private/etc/apache2/original/extra/httpd-ssl-localhost.conf: Invalid command '\xe2\x88\x91#', perhaps misspelled or defined by a module not included in the server configuration |
I removed the invalid first line (I must have inserted something while searching using nano (I must have presses Option+W instead of Control+W to find in Nano)).
I ran the Apache config check again and received the following error.
|
1 2 3 |
sudo apachectl configtest AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using REMOVED ISP Static IP. Set the 'ServerName' directive globally to suppress this message Syntax OK |
I added my domain but with a 2 on the end for later use via local DNS.
|
1 2 3 4 |
<VirtualHost _default_:443> ... ServerName https://www.mydomainname2.com:443 ... |
TIP: This will not by default allow you to load this address locally without, not without DNS changes (to be added soon).
Restart Apache (you may still receive a warning about the ServerName (I Ignored it)).
Restart Apache
|
1 2 |
sudo apachectl -k restart AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using REMOVED ISP Static IP. Set the 'ServerName' directive globally to suppress this message |
Loading Your Site
You can now load the website localhost in your browser (it will show as insecure).
Click “Proceed to localhost (unsafe)”
The reason for no trust is the self-signed cert is not trusted by OSX or browsers.
OSX Certificate Trust (Key Chain Access)
Let’s tell OSX we trust this certificate (by adding it to the keychain)
|
1 2 |
sudo cd /private/etc/apache2/ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/etc/apache2/localhost.crt |
Restart Apache
|
1 |
sudo apachectl -k restart |
TIP: Check your certificate date in your browser, and clear your cache if older certificates are loading from cache.
Results
Great, Safari uses the SSL cert (and obeys Keychain’s Trust)
Google Chrome reports the Cert has issues (even though it is trusted locally). I will investigate and update this post soon.
I suspect that Chrome will need to trust this cert fully to allow AJAX and API calls to be made.It’ss weird that Google Chrome has detected it is trusted by all users but does not trust it.
This is my next link to research a solution.
More
Read Useful OSX Terminal Commands or Useful OSX Linux Commands and Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute first.
Hope this helps someone.
Donate and make this blog better
Ask a question or recommend an article
Revision History
v1.31 Small Edits, Added link to investigate Chrome issue (Current Version)
v1.2 Added More Explanations
v1.1 Reworded
v1.0 Initial Version