Code, Security and Server Stuff

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

Apache

Adding HTTPS to Apache on OSX High Sierra

by

This guide will help you create and install a self-signed SSL certificate in Apache on OSX (HIgh Sierra) to aid local SSL/HTTPS development.

Advertisement:



UPDATE: Nov 21st 2018 – This works on OSX Mojave too.

I usually force HTTPS traffic on everything I develop (see code below in PHP).  This PHP code will direct all HTTP requests to HTTPS.

Also, you can deny non-https traffic in NGINX with online servers by editing your/etc/nginx/sites-available/default file

Add this to your Nginx sites available file (above) to force SSL at the web server.

You can also deny port 80 connections in your firewall and NGINX if you don’t trust the directive(s) above.

Apache Configuration (sor https)

Edit httpd.conf

Uncomment lines with these text strings in httpd.conf

"socache_shmcb_module" (or "LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so")
"ssl_module" (or "LoadModule ssl_module libexec/apache2/mod_ssl.so")

I had to find my and “httpd.conf” file

Find your “httpd-ssl.conf” file

Copy the config file (just in case a future update overwrites it).

Now go back and edit the “httpd.conf” file

Add the following line (to the end of the file, on a new line) so the new SSL config file loads.

You can have a look at the file “httpd-ssl-localhost.conf”. Take note of paths in the VirtualHost node.

Generating a Key and Certificate

Generate a Key (I prefer filenames start with “localhost” so future updates to not overwrite it).

Check that file files ” localhost.crt” and ” localhost.key” were outputted to “/private/etc/apache2/”

pwd
/private/etc/apache2
192-168-1-200:apache2 simon$ ls -al
total 208
drwxr-xr-x   13 root  wheel    416 18 Dec 00:33 .
drwxr-xr-x  128 root  wheel   4096 16 Dec 19:41 ..
...
-rw-r--r--    1 root  wheel   1318 18 Dec 00:33 localhost.crt
-rw-r--r--    1 root  wheel   1708 18 Dec 00:33 localhost.key
...

Open “/private/etc/apache2/original/extra/httpd-ssl-localhost.conf” and replace the following text.

Replace the following text:

  • server.crt” with “localhost.crt”
  • server.key” with “localhost.key”

Changes shoud have been made to the following values in “<VirtualHost _default_:443>

  • SSLCertificateFile “/private/etc/apache2/localhost.crt”

  • SSLCertificateKeyFile “/private/etc/apache2/localhost.key”

Check your apache conf

I had the following error

OSX SSL

I removed the invalid first line (I must have inserted something while searching using nano (I must have presses Option+W instead of Control+W to find in Nano)).

I ran the Apache config check again and received the following error.

I added my domain but with a 2 on the end for later use via local DNS.

<VirtualHost _default_:443>
...
ServerName https://www.mydomainname2.com:443
...

TIP: This will not by default allow you to load this address locally without, not without DNS changes (to be added soon).

Restart Apache (you may still receive a warning about the ServerName (I Ignored it)).

Restart Apache

Loading Your Site

You can now load the website localhost in your browser (it will show as insecure).

Insecure localhost

Click “Proceed to localhost (unsafe)

The reason for no trust is the self-signed cert is not trusted by OSX or browsers.

Cert Details

OSX Certificate Trust (Key Chain Access)

Let’s tell OSX we trust this certificate (by adding it to the keychain)

Restart Apache

TIP: Check your certificate date in your browser, and clear your cache if older certificates are loading from cache.

Results

Great, Safari uses the SSL cert (and obeys Keychain’s Trust)

Safari

Google Chrome reports the Cert has issues (even though it is trusted locally). I will investigate and update this post soon.

Chrome

I suspect that Chrome will need to trust this cert fully to allow AJAX and API calls to be made.It’ss weird that Google Chrome has detected it is trusted by all users but does not trust it.

This is my next link to research a solution.

More

Read Useful OSX Terminal Commands or Useful OSX Linux Commands and Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute first.

Hope this helps someone.

Donate and make this blog better

Ask a question or recommend an article

Your Name (required)

Your Email (required)

Your Question

Revision History

v1.4 Nov 208 – Works on Mojave

v1.3 Small Edits, Added link to investigate Chrome issue (Current Version)

v1.2 Added More Explanations

v1.1 Reworded

v1.0 Initial Version