
[Bug]: Modifications to config/php/cacert.pem file reset every time Herd updates

Open tompenzer opened this issue 3 months ago • 5 comments

Platform

macOS

Operating system version

macOS Sequoia 15.6

System architecture

ARM64 (M1, M2, etc)

Herd Version

1.22.3

PHP Version

8.4.12

Bug description

Modifications to config/php/cacert.pem file reset every time Herd updates. User modifications should persist across updates.

Steps to reproduce

  1. Add a custom cert to ~/Library/Application Support/Herd/config/php/cacert.pem file. So far, so good; cert works as expected.
  2. Herd updates itself automatically, or you manually update Herd.
  3. There is no step 3, your modifications to the cacert.pem have now unhelpfully been wiped. GOTO 1.

Instead, since the underlying curl.cainfo and openssl.cafile parameters in php.ini only support a single cert file reference, I propose that Herd allow users to specify one or more custom .pem file paths which will be concatenated with Herd's default .pem entries upon each update.

Upon changes to the paths provided, or to the checksum values of the files at those paths, detected upon Herd launch, the concatenated cacert.pem file is also regenerated.

Relevant log output


tompenzer avatar Sep 26 '25 00:09 tompenzer

Alternatively, maybe Herd could provide a directory in ~/Library/Application Support/Herd/config/php/, i.e. certificates, and any .pem files added to it are concatenated with Herd's default certs upon update. To be extra nice, Herd tracks the filenames and checksum values in that directory upon launching, and re-generates the cacert.pem file upon any changes.

tompenzer avatar Sep 26 '25 00:09 tompenzer
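A sketch of the regeneration logic proposed in the two posts above, added here as an example; it is not Herd's code or the implementation discussed in this thread. The function names, the `.sha256` stamp file and the caller-supplied paths are assumptions for illustration. The merge step goes slightly beyond the proposal by refusing private keys and dropping duplicate certificates.

```python
# Added example: names and file layout are assumptions, not Herd's implementation.
import base64, hashlib, os, re, tempfile
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

def cert_blocks(text):
    """Return normalized CERTIFICATE blocks; refuse files carrying private keys."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("private key material does not belong in a CA bundle")
    blocks = []
    for m in PEM_CERT.finditer(text):
        # validate=True makes malformed base64 raise instead of being skipped
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return blocks

def manifest(default_bundle, custom_dir):
    """One digest over the default bundle plus each custom file's name and hash."""
    h = hashlib.sha256(Path(default_bundle).read_bytes())
    for p in sorted(Path(custom_dir).glob("*.pem")):
        h.update(p.name.encode() + b"\0" + hashlib.sha256(p.read_bytes()).digest())
    return h.hexdigest()

def rebuild(default_bundle, custom_dir, out_path):
    """Regenerate out_path when any input changed; return True if rewritten."""
    out = Path(out_path)
    stamp = out.with_name(out.name + ".sha256")  # hypothetical stamp file
    digest = manifest(default_bundle, custom_dir)
    if out.exists() and stamp.exists() and stamp.read_text() == digest:
        return False
    seen, merged = set(), []
    for src in [Path(default_bundle)] + sorted(Path(custom_dir).glob("*.pem")):
        for block in cert_blocks(src.read_text(encoding="utf-8")):
            if block not in seen:  # the same cert may sit in several files
                seen.add(block)
                merged.append(block)
    # Write to a temp file and rename so PHP never reads a half-written bundle
    fd, tmp = tempfile.mkstemp(dir=out.parent)
    with os.fdopen(fd, "w") as f:
        f.write("".join(merged))
    os.replace(tmp, out)
    stamp.write_text(digest)
    return True
```

The check only confirms PEM framing and base64, not that each block is a parseable X.509 certificate, so anything dropped into the custom directory still becomes a trust anchor for PHP's TLS connections.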

That's a great suggestion @tompenzer

We have to manually re-generate the cacert.pem file to add any isolated certificates in there (so that cross local site communication via https works). Providing a custom certificates directory is a great idea - I'll implement this for the next update 🎉

mpociot avatar Oct 09 '25 07:10 mpociot

My hero! That's fantastic news, thank you kindly.

tompenzer avatar Oct 09 '25 16:10 tompenzer

One thing I'll note is that as I was browsing around the ~/Library/Application Support/Herd/config directory, I noticed that there's a ~/Library/Application Support/Herd/config/valet/Certificates folder, and all of the corporate certs I need to add to my config/php/cacert.pem file each time were somehow added to that directory, and I don't believe I did that or knew about that directory. This implies that automatically concatenating the .pem files located in config/valet/Certificates to config/php/cacert.pem might be helpful to corporate users.

tompenzer avatar Oct 10 '25 00:10 tompenzer

So glad this issue has been raised! It's a major pain point with local dev behind firewalls. Thanks @tompenzer and @mpociot

ethanbeyer avatar Oct 10 '25 18:10 ethanbeyer