Running Homebrew Apache with Let's Encrypt SSL on macOS Tahoe

This HOWTO documents the steps to run Apache (httpd) installed via Homebrew on macOS, serving content over HTTPS with Let’s Encrypt SSL certificates. The configuration avoids permission problems and port conflicts by using a neutral certificate directory and high-numbered ports.

Prerequisites

  • macOS with Homebrew installed.
  • Apache (httpd) installed with Homebrew:
brew install httpd
 
  • A valid Let’s Encrypt certificate for your host (obtained via certbot).

TL;DR: This is more awkward to debug than it should be, mostly because of Apple's decisions over the years about security and local web servers, combined with the need to verify your connection to the computer over the Internet. Once you crack it, you'll have a nice local web development environment on macOS that 'just works'.

Editing the Apache configuration

Edit the Apache configuration file httpd.conf, which is in /opt/homebrew/etc/httpd.

HTTP is set to listen on port 8080 in the Homebrew HTTPD package. Best to leave this alone. Lower ports need root and it is better practice not to run this local web server as root.

Listen 8080
 

Document Root is set to /opt/homebrew/var/www in the Homebrew HTTPD package. This is a fine place to leave it, but you can change it if you wish. I left it; I like defaults where possible.

DocumentRoot "/opt/homebrew/var/www"
 

Enable SSL modules in Apache

vi /opt/homebrew/etc/httpd/httpd.conf
 

You can choose to use any text editor.

Uncomment these lines by removing the # character at the start of the line:

LoadModule socache_shmcb_module lib/httpd/modules/mod_socache_shmcb.so
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
Include /opt/homebrew/etc/httpd/extra/httpd-ssl.conf
 

Edit SSL configuration in Apache

Edit the Apache SSL configuration file httpd-ssl.conf, which is in /opt/homebrew/etc/httpd/extra.

HTTPS is set to listen on port 8443 in the Homebrew HTTPD package. Best to leave this alone. Lower ports need root and it is better practice not to run this local web server as root.

Listen 8443
 

Edit the SSL Virtual Host Context in this configuration file.

#   General setup for the virtual host
DocumentRoot "/opt/homebrew/var/www"
ServerName yourdomainname.co.uk:8443
ServerAdmin you@example.com
ErrorLog "/opt/homebrew/var/log/httpd/yourdomainname-error_log"
TransferLog "/opt/homebrew/var/log/httpd/yourdomainname-access_log"
 

This does not set up virtual hosts (multiple host names for your web server). Uncommenting the Include line in httpd.conf simply enables the SSL virtual host defined in httpd-ssl.conf.

Add your Let's Encrypt certificates

Server Certificate

# Let's Encrypt
SSLCertificateFile "/opt/certs/macbook/fullchain.pem"
 

Server Private Key

# Let's Encrypt
SSLCertificateKeyFile "/opt/certs/macbook/privkey.pem"
 

Notes:

  • Use ports 8080 and 8443 instead of 80 and 443 to avoid needing to run as root, which is better practice.

Place Certificates in a Neutral Location

Homebrew services run as your user. They cannot read the folder /etc/letsencrypt directly. Instead, copy or symlink your certificates:

sudo mkdir -p /opt/certs/macbook
sudo cp /etc/letsencrypt/live/macbook.yourcompanyname.co.uk/fullchain.pem /opt/certs/macbook/
sudo cp /etc/letsencrypt/live/macbook.yourcompanyname.co.uk/privkey.pem /opt/certs/macbook/
sudo chown -R $(whoami):staff /opt/certs/macbook
chmod 600 /opt/certs/macbook/*
 

Start Apache via Homebrew Services

brew services start httpd
brew services list
 

Verify Operation

Test HTTP:

curl -vk http://macbook.local:8080
 

Expected:

< HTTP/1.1 200 OK
< Date: Sat, 20 Sep 2025 07:58:51 GMT
< Server: Apache/2.4.65 (Unix) OpenSSL/3.5.2 PHP/8.4.12
< X-Powered-By: PHP/8.4.12
 

Test HTTPS:

curl -vk https://yourdomainname.com:8443
 

Expected:

* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=yourdomainname.com
*  issuer: C=US; O=Let's Encrypt; CN=E8
*  SSL certificate verify ok.
...
< HTTP/1.1 200 OK
 

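You should see a successful TLS handshake and the same page over HTTPS. The -k option tells curl to skip certificate verification, so repeat the request without it to confirm that the Let's Encrypt chain really validates for your host name.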

Auto-Renewal of Certificates

Let’s Encrypt certificates expire after 90 days. Let certbot renew them automatically, then refresh your copy in /opt/certs.

Check renewal:

sudo certbot renew --dry-run
 

Once working, create a small script to sync the new certs into /opt/certs:

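#!/bin/bash
# Copy the renewed Let's Encrypt files into /opt/certs and restart Apache.
# Run this as your own user, not with sudo: only the steps that touch
# root-owned files use sudo, so httpd is still restarted as your user.
set -euo pipefail

CERT_SRC="/etc/letsencrypt/live/macbook.yourcompanyname.co.uk"
CERT_DST="/opt/certs/macbook"

# /etc/letsencrypt is readable by root only
sudo cp "$CERT_SRC/fullchain.pem" "$CERT_DST/"
sudo cp "$CERT_SRC/privkey.pem" "$CERT_DST/"
# Hand the copies back to the account that runs the Homebrew service
sudo chown "$(whoami)":staff "$CERT_DST"/*
chmod 600 "$CERT_DST"/*
brew services restart httpd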
 

Save as /usr/local/bin/refresh-certs.sh, make it executable:

chmod +x /usr/local/bin/refresh-certs.sh
 

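Add it to cron or a launchd job to run daily. Certbot handles renewal; your script ensures Apache always sees the latest files. Reading /etc/letsencrypt needs root while the copies must stay readable by your own account, so confirm the scheduled job can do both.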
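
A check for the two steps above (copying the certificates into /opt/certs and refreshing them after renewal), added here as an example and not part of the original HOWTO: it confirms that the copies are readable, that the key is mode 600, that the key matches the certificate, and that the copy is not close to expiry. The function name check_cert_pair and the 30-day default are assumptions; it relies only on the openssl and find commands.

```bash
#!/bin/bash
# Added example: sanity-check the certificate copies that Apache will load.
# check_cert_pair is a hypothetical helper name, not part of certbot or Homebrew.

# Usage: check_cert_pair DIR [MIN_DAYS]
# Returns 0 if DIR/fullchain.pem and DIR/privkey.pem are usable, 1 otherwise.
check_cert_pair() {
    local dir="$1" min_days="${2:-30}" rc=0
    local cert="$dir/fullchain.pem" key="$dir/privkey.pem"
    local f cert_pub key_pub

    for f in "$cert" "$key"; do
        # Apache runs as your user, so that user must be able to read both files
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or not readable by $(whoami)"
            return 1
        fi
    done

    # The private key must not be readable by group or others (exact mode 600)
    if [ -z "$(find "$key" -prune -perm 600)" ]; then
        echo "FAIL: $key is not mode 600"
        rc=1
    fi

    # The leaf certificate (first in fullchain.pem) must match the private key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key do not belong together"
        rc=1
    fi

    # A stale copy shows up as a certificate close to (or past) expiry
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $min_days days; copy may be stale"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Run directly, e.g.: ./check-certs.sh /opt/certs/macbook 30
if [ "$#" -gt 0 ]; then check_cert_pair "$@"; fi
```

Run it after the first copy and again after each scheduled refresh; a FAIL on the expiry line while certbot reports a successful renewal means the sync job did not run.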

Common Issues

  • Getting a valid certificate: Let’s Encrypt requires ports 80 and 443 to be reachable from the public internet when issuing certificates. On a home or office network, this usually means forwarding those ports on your router to your Mac temporarily. Once the certificate is issued, you can continue to run Apache on 8080 and 8443.
  • File permissions: Make sure the Homebrew service user (your macOS account) can read the certificate files. Using /opt/certs avoids permission errors.
  • Port conflicts: If something else is bound to 8080 or 8443, change the ports consistently in httpd.conf and httpd-ssl.conf, and check your macOS firewall.

Conclusion

With SSL support enabled in the Apache configuration, the certificates relocated, and the certificate paths adjusted, Apache can serve secure content via Homebrew services without running as root. This is a practical setup for local development on macOS, with minimal changes to the configuration files and auto-renewal to keep certificates valid.

See Running Homebrew PHP on Apache on macOS Tahoe and Running Homebrew MySQL/MariaDB on macOS Tahoe.

Homebrew Logo: Vítor Galvão (creator); MikeMcQuaid, Synoli (committers), BSD, via Wikimedia Commons