Support openssl pem file for mac os homebrew

Open DanielSiepmann opened this issue 6 years ago • 7 comments

We discovered that mkcert did not work as expected with PHP on Mac OS when installed via Homebrew. The reason seems to be that PHP via Homebrew is compiled against Homebrew's curl version, which in turn uses Homebrew's openssl, which provides its own root storage at /usr/local/etc/openssl/cert.pem.

This file is not updated by mkcert -install. Therefore requests via PHP curl will not work with mkcert certificates.

Our proposal would be to detect this file and either print a warning that it is not updated and needs to be adjusted by the user, or update the file. In any case a warning might be useful, as I expect the file to be managed by Homebrew and the package. Therefore updates might remove the added mkcert root certificate. Maybe there is a concept like hooks inside of Homebrew, allowing mkcert to re-add its root certificate on every update.

Used versions:

PHP Version 7.0.33
brew info openssl
openssl: stable 1.0.2s (bottled) [keg-only]
brew info curl
curl: stable 7.66.0 (bottled), HEAD [keg-only]
brew info mkcert
mkcert: stable 1.4.0 (bottled)

Workaround right now:

cat "$(mkcert -CAROOT)/rootCA.pem" >> /usr/local/etc/openssl/cert.pem

DanielSiepmann, Sep 18 '19 08:09

Yes, we should add it to /usr/local/etc/openssl@1.1/certs and run /usr/local/opt/openssl@1.1/bin/c_rehash (with and without @1.1). Leaving for v1.4.2.

FiloSottile, Nov 09 '19 22:11

Yes, we should add it to /usr/local/etc/openssl@1.1/certs and run /usr/local/opt/openssl@1.1/bin/c_rehash (with and without @1.1). Leaving for v1.4.2.

asyalove, Feb 20 '20 12:02

I encountered similar when using curl from the macos terminal app; and so, as described in item 4 on this page under Certificate Verification, I simply added the CURL_CA_BUNDLE environment variable and pointed it to...

"/Users/username/Library/Application Support/mkcert/rootCA.pem"

...and that seems to work.

Shotster, Jun 23 '20 18:06

To summarize, this should work -

mkdir -p /usr/local/etc/openssl@1.1/certs
cat "$(mkcert -CAROOT)/rootCA.pem" >> /usr/local/etc/openssl@1.1/certs/mkcert_ca.pem
/usr/local/opt/openssl@1.1/bin/c_rehash

I tested with php 7.4 + openssl@1.1 from homebrew.

chetan, Nov 12 '20 19:11

Really glad I found this! I was getting this error from wget ... https://127.0.0.1:8000:

ERROR: cannot verify 127.0.0.1's certificate, issued by ‘CN=mkcert ...’:
  Unable to locally verify the issuer's authority.
To connect to 127.0.0.1 insecurely, use `--no-check-certificate'.

The commands in @chetan's comment seem like the best solution, but adding this option to wget also worked:

--ca-certificate="$(mkcert -CAROOT)/rootCA.pem"

bhrutledge, Dec 06 '20 22:12

Has anyone made this work with Homebrew installing openssl into /opt/homebrew?

I ran

cat "$(mkcert -CAROOT)/rootCA.pem" >> /opt/homebrew/etc/openssl@1.1/certs/mkcert_ca.pem
/opt/homebrew/Cellar/openssl@1.1/1.1.1n/bin/c_rehash

My PHP uses that openssl

Openssl default config => /opt/homebrew/etc/openssl@1.1/openssl.cnf
openssl.cafile => /opt/homebrew/etc/openssl@1.1/cert.pem => /opt/homebrew/etc/openssl@1.1/cert.pem
openssl.capath => /opt/homebrew/etc/openssl@1.1/certs => /opt/homebrew/etc/openssl@1.1/certs

but still getting SSL certificate problem: unable to get local issuer certificate for xxxx

simPod, Mar 31 '22 13:03

When I'm running cat "$(mkcert -CAROOT)/rootCA.pem" I got the error message cat: /rootCA.pem: No such file or directory

Can anyone help me? Thank you

aacassandra, Feb 12 '23 05:02
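
The workaround discussed in this thread, written as an added example with guards (not code from mkcert or from any commenter): it refuses an empty `mkcert -CAROOT` result, which would otherwise turn the path into `/rootCA.pem`, copies the CA instead of appending so repeated runs stay idempotent, and checks the result with `openssl verify`. The function names, the prefix and formula arguments, and the `$prefix/opt/<formula>/bin` location under /opt/homebrew are assumptions.

```shell
#!/bin/sh
# Added example, not mkcert's own code. Function names are hypothetical.

# Print the path of mkcert's root CA, or fail. An empty CAROOT would
# otherwise expand "$(mkcert -CAROOT)/rootCA.pem" to "/rootCA.pem".
resolve_root_ca() {
    caroot=$1
    if [ -z "$caroot" ]; then
        echo "mkcert -CAROOT printed nothing; check that mkcert is on PATH" >&2
        return 1
    fi
    if [ ! -s "$caroot/rootCA.pem" ]; then
        echo "no rootCA.pem in $caroot; run 'mkcert -install' first" >&2
        return 1
    fi
    printf '%s\n' "$caroot/rootCA.pem"
}

# Copy the CA into an OpenSSL certs directory. cp instead of >> keeps
# repeated runs from stacking duplicate copies in mkcert_ca.pem.
install_root_ca() {
    ca_pem=$1
    certs_dir=$2
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_pem"; then
        echo "$ca_pem is not a PEM certificate" >&2
        return 1
    fi
    mkdir -p "$certs_dir" && cp "$ca_pem" "$certs_dir/mkcert_ca.pem"
}

# Full procedure. Arguments are assumptions: the Homebrew prefix
# (/usr/local or /opt/homebrew) and the formula name (openssl@1.1).
trust_mkcert_in_homebrew_openssl() {
    prefix=${1:-/usr/local}
    formula=${2:-openssl@1.1}
    certs_dir="$prefix/etc/$formula/certs"
    ca_pem=$(resolve_root_ca "$(mkcert -CAROOT)") || return 1
    install_root_ca "$ca_pem" "$certs_dir" || return 1
    "$prefix/opt/$formula/bin/c_rehash" "$certs_dir" || return 1
    # The self-signed root must now verify against the hashed directory.
    "$prefix/opt/$formula/bin/openssl" verify -CApath "$certs_dir" "$ca_pem"
}
```

Source the file and call `trust_mkcert_in_homebrew_openssl /opt/homebrew openssl@1.1` (or with no arguments for the /usr/local layout); as the original report notes, a Homebrew update may replace these files, so the step may need repeating.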