Support openssl pem file for mac os homebrew
We discovered that mkcert did not work as expected with PHP on Mac OS when installed via Homebrew. The reason seems to be that PHP via Homebrew is compiled against Homebrew's curl version, which in turn uses Homebrew's openssl, which provides its own root storage at /usr/local/etc/openssl/cert.pem.
This file is not updated by mkcert -install. Therefore requests via PHP curl will not work with mkcert certificates.
Our proposal would be to detect this file and either print a warning that it is not updated and needs to be adjusted by the user, or update this file. In any case a warning might be useful, as I expect the file to be managed by Homebrew and the package. Therefore updates might remove the added mkcert root certificate. Maybe there is a concept like hooks inside of Homebrew, allowing mkcert to re-add its root certificate on every update.
Used versions:
PHP Version 7.0.33
brew info openssl
openssl: stable 1.0.2s (bottled) [keg-only]
brew info curl
curl: stable 7.66.0 (bottled), HEAD [keg-only]
brew info mkcert
mkcert: stable 1.4.0 (bottled)
Workaround right now:
cat "$(mkcert -CAROOT)/rootCA.pem" >> /usr/local/etc/openssl/cert.pem
Yes, we should add it to /usr/local/etc/openssl@1.1/certs and run /usr/local/opt/openssl@1.1/bin/c_rehash (with and without @1.1). Leaving for v1.4.2.
I encountered something similar when using curl from the macOS Terminal app; and so, as described in item 4 on this page under Certificate Verification, I simply added the CURL_CA_BUNDLE environment variable and pointed it to...
"/Users/username/Library/Application Support/mkcert/rootCA.pem"
...and that seems to work.
To summarize, this should work -
mkdir -p /usr/local/etc/openssl@1.1/certs
cat "$(mkcert -CAROOT)/rootCA.pem" >> /usr/local/etc/openssl@1.1/certs/mkcert_ca.pem
/usr/local/opt/openssl@1.1/bin/c_rehash
I tested with php 7.4 + openssl@1.1 from Homebrew.
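The summarized procedure above as a re-runnable shell function, added here as an example and not part of the original thread or of mkcert itself. The function name `install_mkcert_ca` is hypothetical, the caller passes the paths in, and it copies the root instead of appending with `>>` so that repeated runs do not duplicate it.

```shell
# Added example, not mkcert's own code. Usage on a Homebrew system (paths assumed
# from the thread; `brew --prefix` gives /usr/local or /opt/homebrew):
#   p="$(brew --prefix)"
#   install_mkcert_ca "$(mkcert -CAROOT)/rootCA.pem" "$p/etc/openssl@1.1" \
#       "$p/opt/openssl@1.1/bin/c_rehash"

# install_mkcert_ca CA_PEM OPENSSL_ETC_DIR [C_REHASH]  (hypothetical helper name)
install_mkcert_ca() {
    ca_pem=$1
    etc_dir=$2
    rehash=${3:-}

    # If `mkcert -CAROOT` printed nothing, the path collapses to "/rootCA.pem".
    if [ -z "$ca_pem" ] || [ "$ca_pem" = "/rootCA.pem" ] || [ ! -s "$ca_pem" ]; then
        echo "mkcert root CA not found at '$ca_pem'; check that mkcert is on PATH" >&2
        return 2
    fi
    # Refuse anything that is not a PEM certificate before it reaches a trust store.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_pem"; then
        echo "'$ca_pem' does not look like a PEM certificate" >&2
        return 3
    fi
    if [ -n "$rehash" ] && [ ! -x "$rehash" ]; then
        echo "c_rehash not executable at '$rehash'" >&2
        return 4
    fi

    certs_dir="$etc_dir/certs"
    dest="$certs_dir/mkcert_ca.pem"
    mkdir -p "$certs_dir" || return 1

    # Copy rather than append (>>): re-running must not stack duplicate copies,
    # and a regenerated mkcert root replaces the stale one.
    if [ ! -f "$dest" ] || ! cmp -s "$ca_pem" "$dest"; then
        cp "$ca_pem" "$dest" || return 1
    fi

    # Rebuild the hash symlinks OpenSSL uses to look up CAs in a capath directory.
    if [ -n "$rehash" ]; then
        "$rehash" "$certs_dir" >/dev/null || return 1
    fi
    printf '%s\n' "$dest"
}
```

Because Homebrew manages these directories, re-run the function after an OpenSSL upgrade or after regenerating the mkcert root.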
Really glad I found this! I was getting this error from wget ... https://127.0.0.1:8000:
ERROR: cannot verify 127.0.0.1's certificate, issued by ‘CN=mkcert ...’:
Unable to locally verify the issuer's authority.
To connect to 127.0.0.1 insecurely, use `--no-check-certificate'.
The commands in @chetan's comment seem like the best solution, but adding this option to wget also worked:
--ca-certificate="$(mkcert -CAROOT)/rootCA.pem"
Has anyone made this work with Homebrew installing openssl into /opt/homebrew?
I ran
cat "$(mkcert -CAROOT)/rootCA.pem" >> /opt/homebrew/etc/openssl@1.1/certs/mkcert_ca.pem
/opt/homebrew/Cellar/openssl@1.1/1.1.1n/bin/c_rehash
My PHP uses that openssl:
Openssl default config => /opt/homebrew/etc/openssl@1.1/openssl.cnf
openssl.cafile => /opt/homebrew/etc/openssl@1.1/cert.pem => /opt/homebrew/etc/openssl@1.1/cert.pem
openssl.capath => /opt/homebrew/etc/openssl@1.1/certs => /opt/homebrew/etc/openssl@1.1/certs
but I am still getting SSL certificate problem: unable to get local issuer certificate for xxxx
When I'm running cat "$(mkcert -CAROOT)/rootCA.pem" I get the error message cat: /rootCA.pem: No such file or directory
Can anyone help me? Thank you.