Apache 2.4 https server gives connection refuse error on mac osxWhy I am getting “Problem loading the page” after enabling HTTPS for Apache on Windows 7?Apache 2.4 gives Forbidden Files deny server accessUnbuntu server running Apache with an SSL Cert IssueServerAlias without www not working on SSL virtualhostVirtualHost fails with multiple interfacesslow apache/php-fpm in local server accessing with domain (through nat)RedHat Apache: Connection RefuseWordpress SSL config on Google cloud instanceApache2 uses http instead of https, despite LetsEncryptHTTP to HTTPS redirect not working on Apache 2.4

Could there be something like aerobatic smoke trails in the vacuum of space?

Windows 10 lock screen - display my own random images

Slice a list based on an index and items behind it in python

When did game consoles begin including FPUs?

Holding rent money for my friend which amounts to over $10k?

What is this weird d12 for?

What is the status of the Lannisters after Season 8 Episode 5, "The Bells"?

Why are goodwill impairments on the statement of cash-flows of GE?

Was the dragon prowess intentionally downplayed in S08E04?

How to handle professionally if colleagues has referred his relative and asking to take easy while taking interview

Why were the bells ignored in S8E5?

Proper way to use apply_filters() with class functions?

What do the "optional" resistor and capacitor do in this circuit?

Formal Definition of Dot Product

Why are lawsuits between the President and Congress not automatically sent to the Supreme Court

Developers demotivated due to working on same project for more than 2 years

Given 0s on Assignments with suspected and dismissed cheating?

Capital gains on stocks sold to take initial investment off the table

Could a space colony 1g from the sun work?

How to continually let my readers know what time it is in my story, in an organic way?

Do crew rest seats count towards the maximum allowed number of seats per flight attendant?

Are there microwaves to heat baby food at Brussels airport?

Should generated documentation be stored in a Git repository?

My bread in my bread maker rises and then falls down just after cooking starts



Apache 2.4 https server gives connection refuse error on mac osx


Why I am getting “Problem loading the page” after enabling HTTPS for Apache on Windows 7?Apache 2.4 gives Forbidden Files deny server accessUnbuntu server running Apache with an SSL Cert IssueServerAlias without www not working on SSL virtualhostVirtualHost fails with multiple interfacesslow apache/php-fpm in local server accessing with domain (through nat)RedHat Apache: Connection RefuseWordpress SSL config on Google cloud instanceApache2 uses http instead of https, despite LetsEncryptHTTP to HTTPS redirect not working on Apache 2.4






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















I'm a newbie on Apache and I was set up my https server on OS X EI follows this article. But I always get refuse connection error, please help.



This is my httpd-ssl.conf file:



<VirtualHost *:443>
 #General setup for the virtual host
 DocumentRoot "/Users/kudocc/WebServer/private"
 ServerName local.example.com
 ErrorLog "/private/var/log/apache2/local.example.com-error_log"
 CustomLog "/private/var/log/apache2/local.example.com-access_log" common

 #SSL Engine Switch:
 SSLEngine on

 #Server Certificate:
 SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

 #Server Private Key:
 SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

 #SSL Engine Options:
 <FilesMatch ".(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/Library/WebServer/CGI-Executables">
 SSLOptions +StdEnvVars
 </Directory> 
</VirtualHost>


The command httpd -S shows:



VirtualHost configuration:
*:443 local.example.com (/private/etc/apache2/extra/httpd-ssl.conf:293)
ServerRoot: "/usr"
Main DocumentRoot: "/Users/kudocc/WebServer/private"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/private/var/run/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70 not_used
Group: name="_www" id=70 not_used





apache-2.4 https connection-refused







share|improve this question
























  • what's the output of command "httpd -t" ?

    – serverliving.com
    Mar 10 '16 at 9:45











  • It shows Syntax OK. :)

    – KudoCC
    Mar 10 '16 at 9:45











  • you can check error log if there are any start up errors

    – serverliving.com
    Mar 10 '16 at 9:46











  • Thanks, it shows [Thu Mar 10 17:47:39.487005 2016] [ssl:emerg] [pid 2514] AH02572: Failed to configure at least one certificate and key for local.example.com:443 [Thu Mar 10 17:47:39.487232 2016] [ssl:emerg] [pid 2514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned [Thu Mar 10 17:47:39.487236 2016] [ssl:emerg] [pid 2514] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Failed, it seems that my certificate has something wrong.

    – KudoCC
    Mar 10 '16 at 9:49











  • Yes, It's saying your SSL certificate or private key has issues. Make sure you supply the SSL certificate in proper format. how did you generate the SSL cert?. what's complete openssl command?.

    – serverliving.com
    Mar 10 '16 at 9:51

















0















I'm a newbie on Apache and I was set up my https server on OS X EI follows this article. But I always get refuse connection error, please help.



This is my httpd-ssl.conf file:



<VirtualHost *:443>
 #General setup for the virtual host
 DocumentRoot "/Users/kudocc/WebServer/private"
 ServerName local.example.com
 ErrorLog "/private/var/log/apache2/local.example.com-error_log"
 CustomLog "/private/var/log/apache2/local.example.com-access_log" common

 #SSL Engine Switch:
 SSLEngine on

 #Server Certificate:
 SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

 #Server Private Key:
 SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

 #SSL Engine Options:
 <FilesMatch ".(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/Library/WebServer/CGI-Executables">
 SSLOptions +StdEnvVars
 </Directory> 
</VirtualHost>


The command httpd -S shows:



VirtualHost configuration:
*:443 local.example.com (/private/etc/apache2/extra/httpd-ssl.conf:293)
ServerRoot: "/usr"
Main DocumentRoot: "/Users/kudocc/WebServer/private"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/private/var/run/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70 not_used
Group: name="_www" id=70 not_used





apache-2.4 https connection-refused







share|improve this question
























  • what's the output of command "httpd -t" ?

    – serverliving.com
    Mar 10 '16 at 9:45











  • It shows Syntax OK. :)

    – KudoCC
    Mar 10 '16 at 9:45











  • you can check error log if there are any start up errors

    – serverliving.com
    Mar 10 '16 at 9:46











  • Thanks, it shows [Thu Mar 10 17:47:39.487005 2016] [ssl:emerg] [pid 2514] AH02572: Failed to configure at least one certificate and key for local.example.com:443 [Thu Mar 10 17:47:39.487232 2016] [ssl:emerg] [pid 2514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned [Thu Mar 10 17:47:39.487236 2016] [ssl:emerg] [pid 2514] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Failed, it seems that my certificate has something wrong.

    – KudoCC
    Mar 10 '16 at 9:49











  • Yes, It's saying your SSL certificate or private key has issues. Make sure you supply the SSL certificate in proper format. how did you generate the SSL cert?. what's complete openssl command?.

    – serverliving.com
    Mar 10 '16 at 9:51













0












0








0








I'm a newbie on Apache and I was set up my https server on OS X EI follows this article. But I always get refuse connection error, please help.



This is my httpd-ssl.conf file:



<VirtualHost *:443>
 #General setup for the virtual host
 DocumentRoot "/Users/kudocc/WebServer/private"
 ServerName local.example.com
 ErrorLog "/private/var/log/apache2/local.example.com-error_log"
 CustomLog "/private/var/log/apache2/local.example.com-access_log" common

 #SSL Engine Switch:
 SSLEngine on

 #Server Certificate:
 SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

 #Server Private Key:
 SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

 #SSL Engine Options:
 <FilesMatch ".(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/Library/WebServer/CGI-Executables">
 SSLOptions +StdEnvVars
 </Directory> 
</VirtualHost>


The command httpd -S shows:



VirtualHost configuration:
*:443 local.example.com (/private/etc/apache2/extra/httpd-ssl.conf:293)
ServerRoot: "/usr"
Main DocumentRoot: "/Users/kudocc/WebServer/private"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/private/var/run/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70 not_used
Group: name="_www" id=70 not_used





apache-2.4 https connection-refused







share|improve this question
















I'm a newbie on Apache and I was set up my https server on OS X EI follows this article. But I always get refuse connection error, please help.



This is my httpd-ssl.conf file:



<VirtualHost *:443>
 #General setup for the virtual host
 DocumentRoot "/Users/kudocc/WebServer/private"
 ServerName local.example.com
 ErrorLog "/private/var/log/apache2/local.example.com-error_log"
 CustomLog "/private/var/log/apache2/local.example.com-access_log" common

 #SSL Engine Switch:
 SSLEngine on

 #Server Certificate:
 SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

 #Server Private Key:
 SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

 #SSL Engine Options:
 <FilesMatch ".(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/Library/WebServer/CGI-Executables">
 SSLOptions +StdEnvVars
 </Directory> 
</VirtualHost>


The command httpd -S shows:



VirtualHost configuration:
*:443 local.example.com (/private/etc/apache2/extra/httpd-ssl.conf:293)
ServerRoot: "/usr"
Main DocumentRoot: "/Users/kudocc/WebServer/private"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/private/var/run/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70 not_used
Group: name="_www" id=70 not_used





apache-2.4 https connection-refused




apache-2.4 https connection-refused






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 10 '16 at 9:47







KudoCC

















asked Mar 10 '16 at 9:42









KudoCCKudoCC

10113




10113












  • what's the output of command "httpd -t" ?

    – serverliving.com
    Mar 10 '16 at 9:45











  • It shows Syntax OK. :)

    – KudoCC
    Mar 10 '16 at 9:45











  • you can check error log if there are any start up errors

    – serverliving.com
    Mar 10 '16 at 9:46











  • Thanks, it shows [Thu Mar 10 17:47:39.487005 2016] [ssl:emerg] [pid 2514] AH02572: Failed to configure at least one certificate and key for local.example.com:443 [Thu Mar 10 17:47:39.487232 2016] [ssl:emerg] [pid 2514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned [Thu Mar 10 17:47:39.487236 2016] [ssl:emerg] [pid 2514] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Failed, it seems that my certificate has something wrong.

    – KudoCC
    Mar 10 '16 at 9:49











  • Yes, It's saying your SSL certificate or private key has issues. Make sure you supply the SSL certificate in proper format. how did you generate the SSL cert?. what's complete openssl command?.

    – serverliving.com
    Mar 10 '16 at 9:51

















  • what's the output of command "httpd -t" ?

    – serverliving.com
    Mar 10 '16 at 9:45











  • It shows Syntax OK. :)

    – KudoCC
    Mar 10 '16 at 9:45











  • you can check error log if there are any start up errors

    – serverliving.com
    Mar 10 '16 at 9:46











  • Thanks, it shows [Thu Mar 10 17:47:39.487005 2016] [ssl:emerg] [pid 2514] AH02572: Failed to configure at least one certificate and key for local.example.com:443 [Thu Mar 10 17:47:39.487232 2016] [ssl:emerg] [pid 2514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned [Thu Mar 10 17:47:39.487236 2016] [ssl:emerg] [pid 2514] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Failed, it seems that my certificate has something wrong.

    – KudoCC
    Mar 10 '16 at 9:49











  • Yes, It's saying your SSL certificate or private key has issues. Make sure you supply the SSL certificate in proper format. how did you generate the SSL cert?. what's complete openssl command?.

    – serverliving.com
    Mar 10 '16 at 9:51
















what's the output of command "httpd -t" ?

– serverliving.com
Mar 10 '16 at 9:45





what's the output of command "httpd -t" ?

– serverliving.com
Mar 10 '16 at 9:45













It shows Syntax OK. :)

– KudoCC
Mar 10 '16 at 9:45





It shows Syntax OK. :)

– KudoCC
Mar 10 '16 at 9:45













you can check error log if there are any start up errors

– serverliving.com
Mar 10 '16 at 9:46





you can check error log if there are any start up errors

– serverliving.com
Mar 10 '16 at 9:46













Thanks, it shows [Thu Mar 10 17:47:39.487005 2016] [ssl:emerg] [pid 2514] AH02572: Failed to configure at least one certificate and key for local.example.com:443 [Thu Mar 10 17:47:39.487232 2016] [ssl:emerg] [pid 2514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned [Thu Mar 10 17:47:39.487236 2016] [ssl:emerg] [pid 2514] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Failed, it seems that my certificate has something wrong.

– KudoCC
Mar 10 '16 at 9:49





Thanks, it shows [Thu Mar 10 17:47:39.487005 2016] [ssl:emerg] [pid 2514] AH02572: Failed to configure at least one certificate and key for local.example.com:443 [Thu Mar 10 17:47:39.487232 2016] [ssl:emerg] [pid 2514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned [Thu Mar 10 17:47:39.487236 2016] [ssl:emerg] [pid 2514] AH02312: Fatal error initialising mod_ssl, exiting. AH00016: Configuration Failed, it seems that my certificate has something wrong.

– KudoCC
Mar 10 '16 at 9:49













Yes, It's saying your SSL certificate or private key has issues. Make sure you supply the SSL certificate in proper format. how did you generate the SSL cert?. what's complete openssl command?.

– serverliving.com
Mar 10 '16 at 9:51





Yes, It's saying your SSL certificate or private key has issues. Make sure you supply the SSL certificate in proper format. how did you generate the SSL cert?. what's complete openssl command?.

– serverliving.com
Mar 10 '16 at 9:51










2 Answers
2






active

oldest

votes


















0














I think I mess the config files up. So today I recover these files. Thanks to this.



sudo cp /etc/apache2/original/httpd.conf /etc/apache2/httpd.conf
sudo cp /etc/apache2/original/extra/httpd-ssl.conf /etc/apache2/extra/httpd-ssl.conf
sudo cp /etc/apache2/original/extra/httpd-vhosts.conf /etc/apache2/extra/httpd-vhosts.conf


Then I follow this article to set up my first https server successfully.



My httpd-vhosts.conf is:



<VirtualHost *:443>
 DocumentRoot "/Users/kudocc/Sites"
 ServerName localhost
 SSLEngine on
 SSLCertificateFile "/private/etc/apache2/server.crt"
 SSLCertificateKeyFile "/private/etc/apache2/server.key"
 <Directory "/">
 Options Indexes FollowSymLinks Includes ExecCGI
 DirectoryIndex index.html index.php
 Require all granted
 </Directory>
</VirtualHost>


Besides I also modify the httpd-ssl.conf file.



<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/Users/kudocc/Sites"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "/private/etc/apache2/server.crt"
#SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
#SSLCertificateFile "/private/etc/apache2/server-ecc.crt"

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/private/etc/apache2/server.key"
#SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
#SSLCertificateKeyFile "/private/etc/apache2/server-ecc.key"

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/private/etc/apache2/ssl.crt"
#SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"

# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded).
# The CRL checking mode needs to be configured explicitly
# through SSLCARevocationCheck (defaults to "none" otherwise).
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/private/etc/apache2/ssl.crl"
#SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
#SSLCARevocationCheck chain

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# TLS-SRP mutual authentication:
# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
# file (containing login information for SRP user accounts). 
# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
# detailed instructions on creating this file. Example:
# "openssl srp -srpvfile /private/etc/apache2/passwd.srpv -add username"
#SSLSRPVerifierFile "/private/etc/apache2/passwd.srpv"

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %SSL_CIPHER !~ m/^(EXP|NULL)/ 
# and %SSL_CLIENT_S_DN_O eq "Snake Oil, Ltd." 
# and %SSL_CLIENT_S_DN_OU in "Staff", "CA", "Dev" 
# and %TIME_WDAY >= 1 and %TIME_WDAY <= 5 
# and %TIME_HOUR >= 8 and %TIME_HOUR <= 20 ) 
# or %REMOTE_ADDR =~ m/^192.76.162.[0-9]+$/
#</Location>

# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch ".(cgi|shtml|phtml|php)$">
 SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/Library/WebServer/CGI-Executables">
 SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly. 
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" 
 nokeepalive ssl-unclean-shutdown 
 downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/private/var/log/apache2/ssl_request_log" 
 "%t %h %SSL_PROTOCOLx %SSL_CIPHERx "%r" %b"

</VirtualHost>


Thanks @serverliving.com, thanks very much.






share|improve this answer
































    -1














    The cause of this issue is that your Apache server is probably not set to listen on Port 443, so when the browser attempts to connect via SSL it is being refused.



    The VirtualHost configuration in both your httpd-vhosts.conf and httpd-ssl.conf both give Apache settings on how to handle requests received via Port 443, but since Apache is not listening for requests on Port 443, it will never receive one to process.



    To fix this, you must configure Apache to listen for requests on Port 443. Simply add 



    Listen 443


    to your httpd.conf or httpd-ssl.conf file. Restart Apache and it should now work.






    share|improve this answer























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "2"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f762836%2fapache-2-4-https-server-gives-connection-refuse-error-on-mac-osx%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      I think I mess the config files up. So today I recover these files. Thanks to this.



      sudo cp /etc/apache2/original/httpd.conf /etc/apache2/httpd.conf
      sudo cp /etc/apache2/original/extra/httpd-ssl.conf /etc/apache2/extra/httpd-ssl.conf
      sudo cp /etc/apache2/original/extra/httpd-vhosts.conf /etc/apache2/extra/httpd-vhosts.conf


      Then I follow this article to set up my first https server successfully.



      My httpd-vhosts.conf is:



      <VirtualHost *:443>
       DocumentRoot "/Users/kudocc/Sites"
       ServerName localhost
       SSLEngine on
       SSLCertificateFile "/private/etc/apache2/server.crt"
       SSLCertificateKeyFile "/private/etc/apache2/server.key"
       <Directory "/">
       Options Indexes FollowSymLinks Includes ExecCGI
       DirectoryIndex index.html index.php
       Require all granted
       </Directory>
      </VirtualHost>


      Besides I also modify the httpd-ssl.conf file.



      <VirtualHost _default_:443>

      # General setup for the virtual host
      DocumentRoot "/Users/kudocc/Sites"
      ServerName localhost:443
      ServerAdmin you@example.com
      ErrorLog "/private/var/log/apache2/error_log"
      TransferLog "/private/var/log/apache2/access_log"

      # SSL Engine Switch:
      # Enable/Disable SSL for this virtual host.
      SSLEngine on

      # Server Certificate:
      # Point SSLCertificateFile at a PEM encoded certificate. If
      # the certificate is encrypted, then you will be prompted for a
      # pass phrase. Note that a kill -HUP will prompt again. Keep
      # in mind that if you have both an RSA and a DSA certificate you
      # can configure both in parallel (to also allow the use of DSA
      # ciphers, etc.)
      # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
      # require an ECC certificate which can also be configured in
      # parallel.
      SSLCertificateFile "/private/etc/apache2/server.crt"
      #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
      #SSLCertificateFile "/private/etc/apache2/server-ecc.crt"

      # Server Private Key:
      # If the key is not combined with the certificate, use this
      # directive to point at the key file. Keep in mind that if
      # you've both a RSA and a DSA private key you can configure
      # both in parallel (to also allow the use of DSA ciphers, etc.)
      # ECC keys, when in use, can also be configured in parallel
      SSLCertificateKeyFile "/private/etc/apache2/server.key"
      #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
      #SSLCertificateKeyFile "/private/etc/apache2/server-ecc.key"

      # Server Certificate Chain:
      # Point SSLCertificateChainFile at a file containing the
      # concatenation of PEM encoded CA certificates which form the
      # certificate chain for the server certificate. Alternatively
      # the referenced file can be the same as SSLCertificateFile
      # when the CA certificates are directly appended to the server
      # certificate for convenience.
      #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"

      # Certificate Authority (CA):
      # Set the CA certificate verification path where to find CA
      # certificates for client authentication or alternatively one
      # huge file containing all of them (file must be PEM encoded)
      # Note: Inside SSLCACertificatePath you need hash symlinks
      # to point to the certificate files. Use the provided
      # Makefile to update the hash symlinks after changes.
      #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
      #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"

      # Certificate Revocation Lists (CRL):
      # Set the CA revocation path where to find CA CRLs for client
      # authentication or alternatively one huge file containing all
      # of them (file must be PEM encoded).
      # The CRL checking mode needs to be configured explicitly
      # through SSLCARevocationCheck (defaults to "none" otherwise).
      # Note: Inside SSLCARevocationPath you need hash symlinks
      # to point to the certificate files. Use the provided
      # Makefile to update the hash symlinks after changes.
      #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
      #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
      #SSLCARevocationCheck chain

      # Client Authentication (Type):
      # Client certificate verification type and depth. Types are
      # none, optional, require and optional_no_ca. Depth is a
      # number which specifies how deeply to verify the certificate
      # issuer chain before deciding the certificate is not valid.
      #SSLVerifyClient require
      #SSLVerifyDepth 10

      # TLS-SRP mutual authentication:
      # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
      # file (containing login information for SRP user accounts). 
      # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
      # detailed instructions on creating this file. Example:
      # "openssl srp -srpvfile /private/etc/apache2/passwd.srpv -add username"
      #SSLSRPVerifierFile "/private/etc/apache2/passwd.srpv"

      # Access Control:
      # With SSLRequire you can do per-directory access control based
      # on arbitrary complex boolean expressions containing server
      # variable checks and other lookup directives. The syntax is a
      # mixture between C and Perl. See the mod_ssl documentation
      # for more details.
      #<Location />
      #SSLRequire ( %SSL_CIPHER !~ m/^(EXP|NULL)/ 
      # and %SSL_CLIENT_S_DN_O eq "Snake Oil, Ltd." 
      # and %SSL_CLIENT_S_DN_OU in "Staff", "CA", "Dev" 
      # and %TIME_WDAY >= 1 and %TIME_WDAY <= 5 
      # and %TIME_HOUR >= 8 and %TIME_HOUR <= 20 ) 
      # or %REMOTE_ADDR =~ m/^192.76.162.[0-9]+$/
      #</Location>

      # SSL Engine Options:
      # Set various options for the SSL engine.
      # o FakeBasicAuth:
      # Translate the client X.509 into a Basic Authorisation. This means that
      # the standard Auth/DBMAuth methods can be used for access control. The
      # user name is the `one line' version of the client's X.509 certificate.
      # Note that no password is obtained from the user. Every entry in the user
      # file needs this password: `xxj31ZMTZzkVA'.
      # o ExportCertData:
      # This exports two additional environment variables: SSL_CLIENT_CERT and
      # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
      # server (always existing) and the client (only existing when client
      # authentication is used). This can be used to import the certificates
      # into CGI scripts.
      # o StdEnvVars:
      # This exports the standard SSL/TLS related `SSL_*' environment variables.
      # Per default this exportation is switched off for performance reasons,
      # because the extraction step is an expensive operation and is usually
      # useless for serving static content. So one usually enables the
      # exportation for CGI and SSI requests only.
      # o StrictRequire:
      # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
      # under a "Satisfy any" situation, i.e. when it applies access is denied
      # and no other module can change it.
      # o OptRenegotiate:
      # This enables optimized SSL connection renegotiation handling when SSL
      # directives are used in per-directory context. 
      #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
      <FilesMatch ".(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
      </FilesMatch>
      <Directory "/Library/WebServer/CGI-Executables">
       SSLOptions +StdEnvVars
      </Directory>

      # SSL Protocol Adjustments:
      # The safe and default but still SSL/TLS standard compliant shutdown
      # approach is that mod_ssl sends the close notify alert but doesn't wait for
      # the close notify alert from client. When you need a different shutdown
      # approach you can use one of the following variables:
      # o ssl-unclean-shutdown:
      # This forces an unclean shutdown when the connection is closed, i.e. no
      # SSL close notify alert is sent or allowed to be received. This violates
      # the SSL/TLS standard but is needed for some brain-dead browsers. Use
      # this when you receive I/O errors because of the standard approach where
      # mod_ssl sends the close notify alert.
      # o ssl-accurate-shutdown:
      # This forces an accurate shutdown when the connection is closed, i.e. a
      # SSL close notify alert is send and mod_ssl waits for the close notify
      # alert of the client. This is 100% SSL/TLS standard compliant, but in
      # practice often causes hanging connections with brain-dead browsers. Use
      # this only for browsers where you know that their SSL implementation
      # works correctly. 
      # Notice: Most problems of broken clients are also related to the HTTP
      # keep-alive facility, so you usually additionally want to disable
      # keep-alive for those clients, too. Use variable "nokeepalive" for this.
      # Similarly, one has to force some clients to use HTTP/1.0 to workaround
      # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
      # "force-response-1.0" for this.
      BrowserMatch "MSIE [2-5]" 
       nokeepalive ssl-unclean-shutdown 
       downgrade-1.0 force-response-1.0

      # Per-Server Logging:
      # The home of a custom SSL log file. Use this when you want a
      # compact non-error SSL logfile on a virtual host basis.
      CustomLog "/private/var/log/apache2/ssl_request_log" 
       "%t %h %SSL_PROTOCOLx %SSL_CIPHERx "%r" %b"

      </VirtualHost>


      Thanks @serverliving.com, thanks very much.






      share|improve this answer





























        0














        I think I mess the config files up. So today I recover these files. Thanks to this.



        sudo cp /etc/apache2/original/httpd.conf /etc/apache2/httpd.conf
        sudo cp /etc/apache2/original/extra/httpd-ssl.conf /etc/apache2/extra/httpd-ssl.conf
        sudo cp /etc/apache2/original/extra/httpd-vhosts.conf /etc/apache2/extra/httpd-vhosts.conf


        Then I follow this article to set up my first https server successfully.



        My httpd-vhosts.conf is:



        <VirtualHost *:443>
         DocumentRoot "/Users/kudocc/Sites"
         ServerName localhost
         SSLEngine on
         SSLCertificateFile "/private/etc/apache2/server.crt"
         SSLCertificateKeyFile "/private/etc/apache2/server.key"
         <Directory "/">
         Options Indexes FollowSymLinks Includes ExecCGI
         DirectoryIndex index.html index.php
         Require all granted
         </Directory>
        </VirtualHost>


        Besides I also modify the httpd-ssl.conf file.



        <VirtualHost _default_:443>

        # General setup for the virtual host
        DocumentRoot "/Users/kudocc/Sites"
        ServerName localhost:443
        ServerAdmin you@example.com
        ErrorLog "/private/var/log/apache2/error_log"
        TransferLog "/private/var/log/apache2/access_log"

        # SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on

        # Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate. If
        # the certificate is encrypted, then you will be prompted for a
        # pass phrase. Note that a kill -HUP will prompt again. Keep
        # in mind that if you have both an RSA and a DSA certificate you
        # can configure both in parallel (to also allow the use of DSA
        # ciphers, etc.)
        # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
        # require an ECC certificate which can also be configured in
        # parallel.
        SSLCertificateFile "/private/etc/apache2/server.crt"
        #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
        #SSLCertificateFile "/private/etc/apache2/server-ecc.crt"

        # Server Private Key:
        # If the key is not combined with the certificate, use this
        # directive to point at the key file. Keep in mind that if
        # you've both a RSA and a DSA private key you can configure
        # both in parallel (to also allow the use of DSA ciphers, etc.)
        # ECC keys, when in use, can also be configured in parallel
        SSLCertificateKeyFile "/private/etc/apache2/server.key"
        #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
        #SSLCertificateKeyFile "/private/etc/apache2/server-ecc.key"

        # Server Certificate Chain:
        # Point SSLCertificateChainFile at a file containing the
        # concatenation of PEM encoded CA certificates which form the
        # certificate chain for the server certificate. Alternatively
        # the referenced file can be the same as SSLCertificateFile
        # when the CA certificates are directly appended to the server
        # certificate for convenience.
        #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"

        # Certificate Authority (CA):
        # Set the CA certificate verification path where to find CA
        # certificates for client authentication or alternatively one
        # huge file containing all of them (file must be PEM encoded)
        # Note: Inside SSLCACertificatePath you need hash symlinks
        # to point to the certificate files. Use the provided
        # Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
        #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"

        # Certificate Revocation Lists (CRL):
        # Set the CA revocation path where to find CA CRLs for client
        # authentication or alternatively one huge file containing all
        # of them (file must be PEM encoded).
        # The CRL checking mode needs to be configured explicitly
        # through SSLCARevocationCheck (defaults to "none" otherwise).
        # Note: Inside SSLCARevocationPath you need hash symlinks
        # to point to the certificate files. Use the provided
        # Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
        #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
        #SSLCARevocationCheck chain

        # Client Authentication (Type):
        # Client certificate verification type and depth. Types are
        # none, optional, require and optional_no_ca. Depth is a
        # number which specifies how deeply to verify the certificate
        # issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth 10

        # TLS-SRP mutual authentication:
        # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
        # file (containing login information for SRP user accounts). 
        # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
        # detailed instructions on creating this file. Example:
        # "openssl srp -srpvfile /private/etc/apache2/passwd.srpv -add username"
        #SSLSRPVerifierFile "/private/etc/apache2/passwd.srpv"

        # Access Control:
        # With SSLRequire you can do per-directory access control based
        # on arbitrary complex boolean expressions containing server
        # variable checks and other lookup directives. The syntax is a
        # mixture between C and Perl. See the mod_ssl documentation
        # for more details.
        #<Location />
        #SSLRequire ( %SSL_CIPHER !~ m/^(EXP|NULL)/ 
        # and %SSL_CLIENT_S_DN_O eq "Snake Oil, Ltd." 
        # and %SSL_CLIENT_S_DN_OU in "Staff", "CA", "Dev" 
        # and %TIME_WDAY >= 1 and %TIME_WDAY <= 5 
        # and %TIME_HOUR >= 8 and %TIME_HOUR <= 20 ) 
        # or %REMOTE_ADDR =~ m/^192.76.162.[0-9]+$/
        #</Location>

        # SSL Engine Options:
        # Set various options for the SSL engine.
        # o FakeBasicAuth:
        # Translate the client X.509 into a Basic Authorisation. This means that
        # the standard Auth/DBMAuth methods can be used for access control. The
        # user name is the `one line' version of the client's X.509 certificate.
        # Note that no password is obtained from the user. Every entry in the user
        # file needs this password: `xxj31ZMTZzkVA'.
        # o ExportCertData:
        # This exports two additional environment variables: SSL_CLIENT_CERT and
        # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        # server (always existing) and the client (only existing when client
        # authentication is used). This can be used to import the certificates
        # into CGI scripts.
        # o StdEnvVars:
        # This exports the standard SSL/TLS related `SSL_*' environment variables.
        # Per default this exportation is switched off for performance reasons,
        # because the extraction step is an expensive operation and is usually
        # useless for serving static content. So one usually enables the
        # exportation for CGI and SSI requests only.
        # o StrictRequire:
        # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        # under a "Satisfy any" situation, i.e. when it applies access is denied
        # and no other module can change it.
        # o OptRenegotiate:
        # This enables optimized SSL connection renegotiation handling when SSL
        # directives are used in per-directory context. 
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch ".(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/Library/WebServer/CGI-Executables">
         SSLOptions +StdEnvVars
        </Directory>

        # SSL Protocol Adjustments:
        # The safe and default but still SSL/TLS standard compliant shutdown
        # approach is that mod_ssl sends the close notify alert but doesn't wait for
        # the close notify alert from client. When you need a different shutdown
        # approach you can use one of the following variables:
        # o ssl-unclean-shutdown:
        # This forces an unclean shutdown when the connection is closed, i.e. no
        # SSL close notify alert is sent or allowed to be received. This violates
        # the SSL/TLS standard but is needed for some brain-dead browsers. Use
        # this when you receive I/O errors because of the standard approach where
        # mod_ssl sends the close notify alert.
        # o ssl-accurate-shutdown:
        # This forces an accurate shutdown when the connection is closed, i.e. a
        # SSL close notify alert is send and mod_ssl waits for the close notify
        # alert of the client. This is 100% SSL/TLS standard compliant, but in
        # practice often causes hanging connections with brain-dead browsers. Use
        # this only for browsers where you know that their SSL implementation
        # works correctly. 
        # Notice: Most problems of broken clients are also related to the HTTP
        # keep-alive facility, so you usually additionally want to disable
        # keep-alive for those clients, too. Use variable "nokeepalive" for this.
        # Similarly, one has to force some clients to use HTTP/1.0 to workaround
        # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        # "force-response-1.0" for this.
        BrowserMatch "MSIE [2-5]" 
         nokeepalive ssl-unclean-shutdown 
         downgrade-1.0 force-response-1.0

        # Per-Server Logging:
        # The home of a custom SSL log file. Use this when you want a
        # compact non-error SSL logfile on a virtual host basis.
        CustomLog "/private/var/log/apache2/ssl_request_log" 
         "%t %h %SSL_PROTOCOLx %SSL_CIPHERx "%r" %b"

        </VirtualHost>


        Thanks @serverliving.com, thanks very much.






        share|improve this answer



























          0












          0








          0







          I think I mess the config files up. So today I recover these files. Thanks to this.



          sudo cp /etc/apache2/original/httpd.conf /etc/apache2/httpd.conf
          sudo cp /etc/apache2/original/extra/httpd-ssl.conf /etc/apache2/extra/httpd-ssl.conf
          sudo cp /etc/apache2/original/extra/httpd-vhosts.conf /etc/apache2/extra/httpd-vhosts.conf


          Then I follow this article to set up my first https server successfully.



          My httpd-vhosts.conf is:



          <VirtualHost *:443>
           DocumentRoot "/Users/kudocc/Sites"
           ServerName localhost
           SSLEngine on
           SSLCertificateFile "/private/etc/apache2/server.crt"
           SSLCertificateKeyFile "/private/etc/apache2/server.key"
           <Directory "/">
           Options Indexes FollowSymLinks Includes ExecCGI
           DirectoryIndex index.html index.php
           Require all granted
           </Directory>
          </VirtualHost>


          Besides I also modify the httpd-ssl.conf file.



          <VirtualHost _default_:443>

          # General setup for the virtual host
          DocumentRoot "/Users/kudocc/Sites"
          ServerName localhost:443
          ServerAdmin you@example.com
          ErrorLog "/private/var/log/apache2/error_log"
          TransferLog "/private/var/log/apache2/access_log"

          # SSL Engine Switch:
          # Enable/Disable SSL for this virtual host.
          SSLEngine on

          # Server Certificate:
          # Point SSLCertificateFile at a PEM encoded certificate. If
          # the certificate is encrypted, then you will be prompted for a
          # pass phrase. Note that a kill -HUP will prompt again. Keep
          # in mind that if you have both an RSA and a DSA certificate you
          # can configure both in parallel (to also allow the use of DSA
          # ciphers, etc.)
          # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
          # require an ECC certificate which can also be configured in
          # parallel.
          SSLCertificateFile "/private/etc/apache2/server.crt"
          #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
          #SSLCertificateFile "/private/etc/apache2/server-ecc.crt"

          # Server Private Key:
          # If the key is not combined with the certificate, use this
          # directive to point at the key file. Keep in mind that if
          # you've both a RSA and a DSA private key you can configure
          # both in parallel (to also allow the use of DSA ciphers, etc.)
          # ECC keys, when in use, can also be configured in parallel
          SSLCertificateKeyFile "/private/etc/apache2/server.key"
          #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
          #SSLCertificateKeyFile "/private/etc/apache2/server-ecc.key"

          # Server Certificate Chain:
          # Point SSLCertificateChainFile at a file containing the
          # concatenation of PEM encoded CA certificates which form the
          # certificate chain for the server certificate. Alternatively
          # the referenced file can be the same as SSLCertificateFile
          # when the CA certificates are directly appended to the server
          # certificate for convenience.
          #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"

          # Certificate Authority (CA):
          # Set the CA certificate verification path where to find CA
          # certificates for client authentication or alternatively one
          # huge file containing all of them (file must be PEM encoded)
          # Note: Inside SSLCACertificatePath you need hash symlinks
          # to point to the certificate files. Use the provided
          # Makefile to update the hash symlinks after changes.
          #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
          #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"

          # Certificate Revocation Lists (CRL):
          # Set the CA revocation path where to find CA CRLs for client
          # authentication or alternatively one huge file containing all
          # of them (file must be PEM encoded).
          # The CRL checking mode needs to be configured explicitly
          # through SSLCARevocationCheck (defaults to "none" otherwise).
          # Note: Inside SSLCARevocationPath you need hash symlinks
          # to point to the certificate files. Use the provided
          # Makefile to update the hash symlinks after changes.
          #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
          #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
          #SSLCARevocationCheck chain

          # Client Authentication (Type):
          # Client certificate verification type and depth. Types are
          # none, optional, require and optional_no_ca. Depth is a
          # number which specifies how deeply to verify the certificate
          # issuer chain before deciding the certificate is not valid.
          #SSLVerifyClient require
          #SSLVerifyDepth 10

          # TLS-SRP mutual authentication:
          # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
          # file (containing login information for SRP user accounts). 
          # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
          # detailed instructions on creating this file. Example:
          # "openssl srp -srpvfile /private/etc/apache2/passwd.srpv -add username"
          #SSLSRPVerifierFile "/private/etc/apache2/passwd.srpv"

          # Access Control:
          # With SSLRequire you can do per-directory access control based
          # on arbitrary complex boolean expressions containing server
          # variable checks and other lookup directives. The syntax is a
          # mixture between C and Perl. See the mod_ssl documentation
          # for more details.
          #<Location />
          #SSLRequire ( %SSL_CIPHER !~ m/^(EXP|NULL)/ 
          # and %SSL_CLIENT_S_DN_O eq "Snake Oil, Ltd." 
          # and %SSL_CLIENT_S_DN_OU in "Staff", "CA", "Dev" 
          # and %TIME_WDAY >= 1 and %TIME_WDAY <= 5 
          # and %TIME_HOUR >= 8 and %TIME_HOUR <= 20 ) 
          # or %REMOTE_ADDR =~ m/^192.76.162.[0-9]+$/
          #</Location>

          # SSL Engine Options:
          # Set various options for the SSL engine.
          # o FakeBasicAuth:
          # Translate the client X.509 into a Basic Authorisation. This means that
          # the standard Auth/DBMAuth methods can be used for access control. The
          # user name is the `one line' version of the client's X.509 certificate.
          # Note that no password is obtained from the user. Every entry in the user
          # file needs this password: `xxj31ZMTZzkVA'.
          # o ExportCertData:
          # This exports two additional environment variables: SSL_CLIENT_CERT and
          # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
          # server (always existing) and the client (only existing when client
          # authentication is used). This can be used to import the certificates
          # into CGI scripts.
          # o StdEnvVars:
          # This exports the standard SSL/TLS related `SSL_*' environment variables.
          # Per default this exportation is switched off for performance reasons,
          # because the extraction step is an expensive operation and is usually
          # useless for serving static content. So one usually enables the
          # exportation for CGI and SSI requests only.
          # o StrictRequire:
          # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
          # under a "Satisfy any" situation, i.e. when it applies access is denied
          # and no other module can change it.
          # o OptRenegotiate:
          # This enables optimized SSL connection renegotiation handling when SSL
          # directives are used in per-directory context. 
          #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
          <FilesMatch ".(cgi|shtml|phtml|php)$">
           SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory "/Library/WebServer/CGI-Executables">
           SSLOptions +StdEnvVars
          </Directory>

          # SSL Protocol Adjustments:
          # The safe and default but still SSL/TLS standard compliant shutdown
          # approach is that mod_ssl sends the close notify alert but doesn't wait for
          # the close notify alert from client. When you need a different shutdown
          # approach you can use one of the following variables:
          # o ssl-unclean-shutdown:
          # This forces an unclean shutdown when the connection is closed, i.e. no
          # SSL close notify alert is sent or allowed to be received. This violates
          # the SSL/TLS standard but is needed for some brain-dead browsers. Use
          # this when you receive I/O errors because of the standard approach where
          # mod_ssl sends the close notify alert.
          # o ssl-accurate-shutdown:
          # This forces an accurate shutdown when the connection is closed, i.e. a
          # SSL close notify alert is send and mod_ssl waits for the close notify
          # alert of the client. This is 100% SSL/TLS standard compliant, but in
          # practice often causes hanging connections with brain-dead browsers. Use
          # this only for browsers where you know that their SSL implementation
          # works correctly. 
          # Notice: Most problems of broken clients are also related to the HTTP
          # keep-alive facility, so you usually additionally want to disable
          # keep-alive for those clients, too. Use variable "nokeepalive" for this.
          # Similarly, one has to force some clients to use HTTP/1.0 to workaround
          # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
          # "force-response-1.0" for this.
          BrowserMatch "MSIE [2-5]" 
           nokeepalive ssl-unclean-shutdown 
           downgrade-1.0 force-response-1.0

          # Per-Server Logging:
          # The home of a custom SSL log file. Use this when you want a
          # compact non-error SSL logfile on a virtual host basis.
          CustomLog "/private/var/log/apache2/ssl_request_log" 
           "%t %h %SSL_PROTOCOLx %SSL_CIPHERx "%r" %b"

          </VirtualHost>


          Thanks @serverliving.com, thanks very much.






          share|improve this answer















          I think I mess the config files up. So today I recover these files. Thanks to this.



          sudo cp /etc/apache2/original/httpd.conf /etc/apache2/httpd.conf
          sudo cp /etc/apache2/original/extra/httpd-ssl.conf /etc/apache2/extra/httpd-ssl.conf
          sudo cp /etc/apache2/original/extra/httpd-vhosts.conf /etc/apache2/extra/httpd-vhosts.conf


          Then I follow this article to set up my first https server successfully.



          My httpd-vhosts.conf is:



          <VirtualHost *:443>
           DocumentRoot "/Users/kudocc/Sites"
           ServerName localhost
           SSLEngine on
           SSLCertificateFile "/private/etc/apache2/server.crt"
           SSLCertificateKeyFile "/private/etc/apache2/server.key"
           <Directory "/">
           Options Indexes FollowSymLinks Includes ExecCGI
           DirectoryIndex index.html index.php
           Require all granted
           </Directory>
          </VirtualHost>


          Besides I also modify the httpd-ssl.conf file.



          <VirtualHost _default_:443>

          # General setup for the virtual host
          DocumentRoot "/Users/kudocc/Sites"
          ServerName localhost:443
          ServerAdmin you@example.com
          ErrorLog "/private/var/log/apache2/error_log"
          TransferLog "/private/var/log/apache2/access_log"

          # SSL Engine Switch:
          # Enable/Disable SSL for this virtual host.
          SSLEngine on

          # Server Certificate:
          # Point SSLCertificateFile at a PEM encoded certificate. If
          # the certificate is encrypted, then you will be prompted for a
          # pass phrase. Note that a kill -HUP will prompt again. Keep
          # in mind that if you have both an RSA and a DSA certificate you
          # can configure both in parallel (to also allow the use of DSA
          # ciphers, etc.)
          # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
          # require an ECC certificate which can also be configured in
          # parallel.
          SSLCertificateFile "/private/etc/apache2/server.crt"
          #SSLCertificateFile "/private/etc/apache2/server-dsa.crt"
          #SSLCertificateFile "/private/etc/apache2/server-ecc.crt"

          # Server Private Key:
          # If the key is not combined with the certificate, use this
          # directive to point at the key file. Keep in mind that if
          # you've both a RSA and a DSA private key you can configure
          # both in parallel (to also allow the use of DSA ciphers, etc.)
          # ECC keys, when in use, can also be configured in parallel
          SSLCertificateKeyFile "/private/etc/apache2/server.key"
          #SSLCertificateKeyFile "/private/etc/apache2/server-dsa.key"
          #SSLCertificateKeyFile "/private/etc/apache2/server-ecc.key"

          # Server Certificate Chain:
          # Point SSLCertificateChainFile at a file containing the
          # concatenation of PEM encoded CA certificates which form the
          # certificate chain for the server certificate. Alternatively
          # the referenced file can be the same as SSLCertificateFile
          # when the CA certificates are directly appended to the server
          # certificate for convenience.
          #SSLCertificateChainFile "/private/etc/apache2/server-ca.crt"

          # Certificate Authority (CA):
          # Set the CA certificate verification path where to find CA
          # certificates for client authentication or alternatively one
          # huge file containing all of them (file must be PEM encoded)
          # Note: Inside SSLCACertificatePath you need hash symlinks
          # to point to the certificate files. Use the provided
          # Makefile to update the hash symlinks after changes.
          #SSLCACertificatePath "/private/etc/apache2/ssl.crt"
          #SSLCACertificateFile "/private/etc/apache2/ssl.crt/ca-bundle.crt"

          # Certificate Revocation Lists (CRL):
          # Set the CA revocation path where to find CA CRLs for client
          # authentication or alternatively one huge file containing all
          # of them (file must be PEM encoded).
          # The CRL checking mode needs to be configured explicitly
          # through SSLCARevocationCheck (defaults to "none" otherwise).
          # Note: Inside SSLCARevocationPath you need hash symlinks
          # to point to the certificate files. Use the provided
          # Makefile to update the hash symlinks after changes.
          #SSLCARevocationPath "/private/etc/apache2/ssl.crl"
          #SSLCARevocationFile "/private/etc/apache2/ssl.crl/ca-bundle.crl"
          #SSLCARevocationCheck chain

          # Client Authentication (Type):
          # Client certificate verification type and depth. Types are
          # none, optional, require and optional_no_ca. Depth is a
          # number which specifies how deeply to verify the certificate
          # issuer chain before deciding the certificate is not valid.
          #SSLVerifyClient require
          #SSLVerifyDepth 10

          # TLS-SRP mutual authentication:
          # Enable TLS-SRP and set the path to the OpenSSL SRP verifier
          # file (containing login information for SRP user accounts). 
          # Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
          # detailed instructions on creating this file. Example:
          # "openssl srp -srpvfile /private/etc/apache2/passwd.srpv -add username"
          #SSLSRPVerifierFile "/private/etc/apache2/passwd.srpv"

          # Access Control:
          # With SSLRequire you can do per-directory access control based
          # on arbitrary complex boolean expressions containing server
          # variable checks and other lookup directives. The syntax is a
          # mixture between C and Perl. See the mod_ssl documentation
          # for more details.
          #<Location />
          #SSLRequire ( %SSL_CIPHER !~ m/^(EXP|NULL)/ 
          # and %SSL_CLIENT_S_DN_O eq "Snake Oil, Ltd." 
          # and %SSL_CLIENT_S_DN_OU in "Staff", "CA", "Dev" 
          # and %TIME_WDAY >= 1 and %TIME_WDAY <= 5 
          # and %TIME_HOUR >= 8 and %TIME_HOUR <= 20 ) 
          # or %REMOTE_ADDR =~ m/^192.76.162.[0-9]+$/
          #</Location>

          # SSL Engine Options:
          # Set various options for the SSL engine.
          # o FakeBasicAuth:
          # Translate the client X.509 into a Basic Authorisation. This means that
          # the standard Auth/DBMAuth methods can be used for access control. The
          # user name is the `one line' version of the client's X.509 certificate.
          # Note that no password is obtained from the user. Every entry in the user
          # file needs this password: `xxj31ZMTZzkVA'.
          # o ExportCertData:
          # This exports two additional environment variables: SSL_CLIENT_CERT and
          # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
          # server (always existing) and the client (only existing when client
          # authentication is used). This can be used to import the certificates
          # into CGI scripts.
          # o StdEnvVars:
          # This exports the standard SSL/TLS related `SSL_*' environment variables.
          # Per default this exportation is switched off for performance reasons,
          # because the extraction step is an expensive operation and is usually
          # useless for serving static content. So one usually enables the
          # exportation for CGI and SSI requests only.
          # o StrictRequire:
          # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
          # under a "Satisfy any" situation, i.e. when it applies access is denied
          # and no other module can change it.
          # o OptRenegotiate:
          # This enables optimized SSL connection renegotiation handling when SSL
          # directives are used in per-directory context. 
          #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
          <FilesMatch ".(cgi|shtml|phtml|php)$">
           SSLOptions +StdEnvVars
          </FilesMatch>
          <Directory "/Library/WebServer/CGI-Executables">
           SSLOptions +StdEnvVars
          </Directory>

          # SSL Protocol Adjustments:
          # The safe and default but still SSL/TLS standard compliant shutdown
          # approach is that mod_ssl sends the close notify alert but doesn't wait for
          # the close notify alert from client. When you need a different shutdown
          # approach you can use one of the following variables:
          # o ssl-unclean-shutdown:
          # This forces an unclean shutdown when the connection is closed, i.e. no
          # SSL close notify alert is sent or allowed to be received. This violates
          # the SSL/TLS standard but is needed for some brain-dead browsers. Use
          # this when you receive I/O errors because of the standard approach where
          # mod_ssl sends the close notify alert.
          # o ssl-accurate-shutdown:
          # This forces an accurate shutdown when the connection is closed, i.e. a
          # SSL close notify alert is send and mod_ssl waits for the close notify
          # alert of the client. This is 100% SSL/TLS standard compliant, but in
          # practice often causes hanging connections with brain-dead browsers. Use
          # this only for browsers where you know that their SSL implementation
          # works correctly. 
          # Notice: Most problems of broken clients are also related to the HTTP
          # keep-alive facility, so you usually additionally want to disable
          # keep-alive for those clients, too. Use variable "nokeepalive" for this.
          # Similarly, one has to force some clients to use HTTP/1.0 to workaround
          # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
          # "force-response-1.0" for this.
          BrowserMatch "MSIE [2-5]" 
           nokeepalive ssl-unclean-shutdown 
           downgrade-1.0 force-response-1.0

          # Per-Server Logging:
          # The home of a custom SSL log file. Use this when you want a
          # compact non-error SSL logfile on a virtual host basis.
          CustomLog "/private/var/log/apache2/ssl_request_log" 
           "%t %h %SSL_PROTOCOLx %SSL_CIPHERx "%r" %b"

          </VirtualHost>


          Thanks @serverliving.com, thanks very much.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Apr 13 '17 at 12:45









          Community

          1




          1










          answered Mar 11 '16 at 2:26









          KudoCCKudoCC

          10113




          10113























              -1














              The cause of this issue is that your Apache server is probably not set to listen on Port 443, so when the browser attempts to connect via SSL it is being refused.



              The VirtualHost configuration in both your httpd-vhosts.conf and httpd-ssl.conf both give Apache settings on how to handle requests received via Port 443, but since Apache is not listening for requests on Port 443, it will never receive one to process.



              To fix this, you must configure Apache to listen for requests on Port 443. Simply add 



              Listen 443


              to your httpd.conf or httpd-ssl.conf file. Restart Apache and it should now work.






              share|improve this answer



























                -1














                The cause of this issue is that your Apache server is probably not set to listen on Port 443, so when the browser attempts to connect via SSL it is being refused.



                The VirtualHost configuration in both your httpd-vhosts.conf and httpd-ssl.conf both give Apache settings on how to handle requests received via Port 443, but since Apache is not listening for requests on Port 443, it will never receive one to process.



                To fix this, you must configure Apache to listen for requests on Port 443. Simply add 



                Listen 443


                to your httpd.conf or httpd-ssl.conf file. Restart Apache and it should now work.






                share|improve this answer

























                  -1












                  -1








                  -1







                  The cause of this issue is that your Apache server is probably not set to listen on Port 443, so when the browser attempts to connect via SSL it is being refused.



                  The VirtualHost configuration in both your httpd-vhosts.conf and httpd-ssl.conf both give Apache settings on how to handle requests received via Port 443, but since Apache is not listening for requests on Port 443, it will never receive one to process.



                  To fix this, you must configure Apache to listen for requests on Port 443. Simply add 



                  Listen 443


                  to your httpd.conf or httpd-ssl.conf file. Restart Apache and it should now work.






                  share|improve this answer













                  The cause of this issue is that your Apache server is probably not set to listen on Port 443, so when the browser attempts to connect via SSL it is being refused.



                  The VirtualHost configuration in both your httpd-vhosts.conf and httpd-ssl.conf both give Apache settings on how to handle requests received via Port 443, but since Apache is not listening for requests on Port 443, it will never receive one to process.



                  To fix this, you must configure Apache to listen for requests on Port 443. Simply add 



                  Listen 443


                  to your httpd.conf or httpd-ssl.conf file. Restart Apache and it should now work.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jul 19 '17 at 17:10









                  TheKarateKidTheKarateKid

                  1011




                  1011



























                      draft saved

                      draft discarded
















































                      Thanks for contributing an answer to Server Fault!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f762836%2fapache-2-4-https-server-gives-connection-refuse-error-on-mac-osx%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      How to write a 12-bar blues melodyI-IV-V blues progressionHow to play the bridges in a standard blues progressionHow does Gdim7 fit in C# minor?question on a certain chord progressionMusicology of Melody12 bar blues, spread rhythm: alternative to 6th chord to avoid finger stretchChord progressions/ Root key/ MelodiesHow to put chords (POP-EDM) under a given lead vocal melody (starting from a good knowledge in music theory)Are there “rules” for improvising with the minor pentatonic scale over 12-bar shuffle?Confusion about blues scale and chords

                      Image
                      Why is a set not a partition of itself? Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Labeling matrices/rectangles and drawing Sigma inside rectangle Unexpected Netflix account registered to my Gmail address - any way it could be a hack attempt? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Missouri raptors have wild hairdos Can someone explain homicide-related death rates? Why is tomato paste so cheap? What are the implications of the new alleged key recovery attack preprint on SIMON? Effects of ~10atm pressure on engine design Is taking modulus on both sides of an equation valid? Jumping frame contents with beamer and pgfplots Are there any established rules for splitting books into parts, chapters, sections etc? Anatomically Correct Carnivorous Tree Why do I get two different answers when solvi...
                      Read more

                      What if the end-user didn't have the required library?What is setup.py?What is a clean, pythonic way to have multiple constructors in Python?What does Ruby have that Python doesn't, and vice versa?What is the reason for having '//' in Python?How do I create a namespace package in Python?How to package shared objects that python modules depend on?setuptools vs. distutils: why is distutils still a thing?Navigation in Windows 10 vs code not going to virtualenv library when the same library is installed at user levelPython create package for local usePackaging a project that uses multiple python versionsWhy is permission denied on pip install except for when “--user” is included at end of command?

                      Image
                      Can a tourist shoot a gun in the USA? Will a coyote attack my dog on a leash while I'm on a hiking trail? Labeling matrices/rectangles and drawing Sigma inside rectangle How can I answer high-school writing prompts without sounding weird and fake? Is there ever any indication in the MCU as to how Spider-Man got his powers? Jumping frame contents with beamer and pgfplots Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Is it possible to create different colors in rocket exhaust? German characters on US-International keyboard layout Does gravity affect the time evolution of a QM wave function? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Why are solar panels kept tilted? Is Germany still exporting arms to countries involved in Yemen? Unexpected Netflix account registered to my Gmail address - any wa...
                      Read more

                      Why did Thanos need his ship to help him in the battle scene?Which actor plays Thanos in the Avengers mid-credits scene?Are there economic implications portrayed in comics where the buildings and cities are ruined almost daily?Old X-Men comic where team travels to alien world with a ring-like sun that needs recharging?Why does Ego need help sleeping?Is there an objective answer to who “the strongest Avenger” is?How did Banner get unstuck?Why did Thanos get hit?How did Thanos (or anyone) know the Infinity Stones would give him this power?Did Thanos leave Eitri alive for his after-sales service?In Avengers 1, why does Thanos need Loki?

                      Image
                      German characters on US-International keyboard layout Why is tomato paste so cheap? what does a native speaker say when he wanted to leave his work? Can a tourist shoot a gun in the USA? Extracting sublists that contain similar elements Why does the headset man not get on the tractor? What kind of SATA connector is this? Help in identifying a mystery wall socket Unexpected Netflix account registered to my Gmail address - any way it could be a hack attempt? Anatomically Correct Carnivorous Tree declared variable inside void setup is forgotten in void loop What is the largest number of identical satellites launched together? Automatically anti-predictably assemble an alliterative aria What information do scammers need to withdraw money from an account? Rounding a number extracted by jq to limit the decimal points Tikz draw contour without some edges, and fill What should a student do when they are the victim of a FERPA violation? How exactly does artific...
                      Read more