[Bug]: Failing to secure sites
Platform
macOS
Operating system version
26.0 Tahoe
System architecture
ARM64 (M1, M2, etc)
Herd Version
1.22.3 (Build: 55)
PHP Version
8.4 (latest)
Bug description
Hello @mpociot,
First of all, great work from you and your team on Herd! It has the promise to be a game changer for us here and we're looking forward to its future development 😊
As a new user of Herd currently provisioning around 23 laptops for our developers, and due to our company’s MDM policy, we cannot grant them root privileges. I understand that Herd requires installation and operation as an admin user, and over the weekend, we’ve managed to address most issues with workarounds, except for securing sites.
Searching through this repo, I came across a comment of yours where you shared the following command that Herd runs to create the certificate for a newly secured site. While it worked well, it does not generate the .key file, among other steps.
openssl x509 -req -sha256 -days 368 -CA "/Users/YourUser/Library/Application Support/Herd/config/valet/CA/LaravelValetCASelfSigned.pem" -CAkey "/Users/YourUser/Library/Application Support/Herd/config/valet/CA/LaravelValetCASelfSigned.key" -CAserial "/Users/YourUser/Library/Application Support/Herd/config/valet/CA/LaravelValetCASelfSigned.srl" -in "/Users/YourUser/Library/Application Support/Herd/config/valet/Certificates/yoursite.test.csr" -out "/Users/YourUser/Library/Application Support/Herd/config/valet/Certificates/yoursite.test.crt" -extensions v3_req -extfile "/Users/YourUser/Library/Application Support/Herd/config/valet/Certificates/yoursite.test.conf"
I suspect that this command is just one part of the overall process for securing a site when we click on the GUI or run the secure command. As a temporary workaround for the permissions issue, could you please provide the complete series of commands or steps that Herd executes when securing a site? This would allow us to run them manually on our own while we seek a definitive solution.
I believe this information would be beneficial not only for us, but for many others facing similar challenges, as reflected in the recurring discussions on this topic in this repo. If this would be fine for you to share, perhaps you could include that information in a pinned issue on the repo, and as part of the Troubleshooting section in the official documentation, then everyone would know how to go about saving time and effort for everyone 🙂
Thank you very much in advance!
Steps to reproduce
- Work with Herd as a non-admin Mac user.
- Click on the "lock" icon in the GUI or run the herd secure yoursite command in CLI.
- Herd either fails silently on GUI or asks continuously for admin password in CLI.
As a result, the certificates aren't created and the sites are broken.
Relevant log output
It just occurred to me that a possible solution could be prompting the user for admin User and Password via the native MacOS dialog pop-up, just like when installing Herd for the first time and when adding the system helper. This way, Herd could do all its certificate background tasks as admin. Currently, the GUI simply fails silently.
While I don't know about the details at the moment, the root privileges should only be required for the first certificate because this also creates the root certificate for local use and this one is valid for like 20 years. After that, all new certificates are based off this root cert and don't need admin permissions anymore.
Not sure if this helps in your case but I just wanted to point this out if that's a quick solution.
Hi @sschlein, thanks for your reply!
Unfortunately, Herd does not seem to work the way you described. When creating new sites and trying to secure them via CLI, Herd always prompts for an admin password (which won't work on MDM'ed machines), while doing it via the GUI it fails silently (this is the reason why I suggested the workaround in my last comment).
In the meantime, I'm kindly asking for the full commands Herd runs in the background to secure sites so that we can run them ourselves while a final solution is delivered. cc/ @mpociot
Thanks once more in advance.
Hi @TektoCode
I just double checked this in the code and the Herd app runs herd secure in the directory of a site.
Hi @sschlein,
thanks for the insight. The full context is that as an enterprise, we're required to have MDM in place with no engineer having admin privileges. Therefore, the promise of "install and code" from Herd breaks under this scenario given your current approach to user privileges. You require admin user to install and to generate the CA. Because of this, our engineers won't be able to work with Herd seamlessly, and that unfortunately would mean that we can not adopt Herd as our official development environment (we are over 350 engineers).
Looking ahead pragmatically, we would be okay to use Herd if we find a work around to the SSL certificate generation issue (securing a site) even if we have to run a few extra commands ourselves (we could alias them), as long as we're not prompted for an admin password.
For this, I'd be happy to support with ideas or finding work arounds, or even troubleshoot for you. The objective is to bring Herd closer to that promise in all development contexts (good for us, good for other users, good for you, good for everyone 🙂).
I know how to generate certificates and keys and sign them with a CA, but many of our junior engineers (and many of your prospective users from the Laravel community) don't. So what I'm kindly asking is for you to share the set of tasks that the herd secure command runs in the background so that we can run them manually instead, avoiding the "admin password prompt" issue.
--
A few ideas from the top of my head, without knowing your internals:
- During the first installation, Herd asks for an admin user and password. You can use that routine to generate the CA and first certificate, so that future per-site SSL don't require such credentials.
- When clicking the Lock button to secure a site in the Herd app, you can display the native MacOS user:password prompt once more (only on the first site?).
- Install Herd with an already provisioned long-lived CA out of the box.
Thanks for the reply, and happy to help!
Thank you for the ideas for future improvements!
MDM scenarios are always difficult for apps, especially when you have so many moving parts with web servers, background services, etc. While I have no ETA for the improvements, I wonder if this is the only issue that you encounter and everything else works?
350 devs is quite big a team. What's your current setup?
@sschlein, it’s hard to say if that’s the only issue. I installed it just a couple of weeks ago and haven’t been using it heavily yet. This is the most serious problem so far as it broke all my Herd app installations as soon as I tried to secure sites. For most (non-admin) users, the only fixes would be either reinstalling the app completely or manually deleting the nginx site config files from the Application Support directory (so it doesn't try to load failed .crt and .key files). BTW, both options leave the sites unsecured.
Alternatively, certificates can be created manually, as I’ve been suggesting. However, the CA isn’t created if the current user isn’t an admin, causing the issue reported in this thread. This means my suggested manual certificate approach only works if an admin creates the CA first. And since an Admin will need to install Herd in the first place, we could take the opportunity to generate the CA during installation (one of my ideas above).
Side note: Could it be that the password Herd is asking for when running herd secure is not that of an admin user but the one of the CA signature? (is any of the CA files signed or protected by a key password that users need to provide to generate SSL certificates?)
We could of course take over the entire CA + SSL certs creation ourselves without using anything Herd/Laravel related and that would work just fine technically speaking (securing a site simply needs an SSL cert, it doesn't need to be from Laravel or Herd strictly). But I'm not sure at this point if by doing that we'll have blind spots that Herd normally would cover if the official command would be run (aka, does herd secure do anything else than only generating CA and certificates? I know it also creates nginx configs and aliases in sites/ directory, thus my concern of missing something out).
This is getting a bit verbose, I hope it is clear enough but I'm also happy to clarify if needed, and of course to support :)
Kind regards!
Edit: The setups are blank and brand new MacOS 26.0.1. You can easily replicate this by creating a non-admin user account on your laptop and trying to secure sites. You would see the entire issue if you don't have Herd installed at all before doing that.
same problem https://github.com/beyondcode/herd-community/issues/1542
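
The manual workaround discussed in this thread, as an added example that is not part of any comment and is not Herd's own implementation: it generates the site key and CSR that the quoted openssl x509 command expects, then signs them with the existing CA without sudo. The paths and CA file names come from that quoted command; the .conf contents, the function name issue_site_cert and the use of -CAcreateserial are assumptions.

```shell
# Added example: issue a site certificate from an existing local CA, no sudo.
# Assumptions: paths and CA file names follow the command quoted in the issue;
# the .conf contents are constructed here and are not Herd's own file.
VALET_DIR="$HOME/Library/Application Support/Herd/config/valet"

issue_site_cert() {
    ca_dir=$1; cert_dir=$2; domain=$3
    ca="$ca_dir/LaravelValetCASelfSigned"
    site="$cert_dir/$domain"

    # The CA must already exist and be readable by the current user.
    [ -r "$ca.pem" ] && [ -r "$ca.key" ] || {
        echo "CA not found or unreadable in $ca_dir" >&2; return 1; }
    mkdir -p "$cert_dir"

    # 1. OpenSSL config: subject plus the v3_req section used when signing.
    cat > "$site.conf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $domain
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain
EOF

    # 2. Private key (the step missing from the quoted command), then the CSR.
    ( umask 077; openssl genrsa -out "$site.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$site.key" -out "$site.csr" -config "$site.conf" || return 1

    # 3. Sign the CSR with the CA, using the options from the quoted command.
    #    -CAcreateserial is added so a missing .srl file gets created.
    openssl x509 -req -sha256 -days 368 \
        -CA "$ca.pem" -CAkey "$ca.key" \
        -CAserial "$ca.srl" -CAcreateserial \
        -in "$site.csr" -out "$site.crt" \
        -extensions v3_req -extfile "$site.conf" || return 1

    # 4. Confirm the new certificate chains to the CA.
    openssl verify -CAfile "$ca.pem" "$site.crt" >/dev/null
}

# Usage: sh issue-cert.sh yoursite.test
if [ -n "${1:-}" ]; then
    issue_site_cert "$VALET_DIR/CA" "$VALET_DIR/Certificates" "$1"
fi
```

This depends on the CA already existing and its key being readable by the current user, which is the precondition raised in the thread. It produces only the .key, .csr, .conf and .crt files and does not write the nginx site config mentioned above.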