valet
Need to renew expired self-signed Laravel root certificate
Description
TL;DR: my certificates for the individual *.test domains are fine, but suddenly I have a "Laravel Valet CA Self Signed CN" with an expiry of 1 July 2021, so no sites will load.
I've been reading https://github.com/laravel/valet/issues/1487 …
Opening Keychain Access confirms the certificate is expired, as does running:
security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem
(Cert Verify Result: CSSMERR_TP_CERT_EXPIRED)
I have upgraded Valet from 4.7.1 to 4.8.0.
I followed this bit of the instructions:
sudo security delete-certificate -c "Laravel Valet CA Self Signed CN" /Library/Keychains/System.keychain -- This will remove the cert from your System Keychain.
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.config/valet/CA/LaravelValetCASelfSigned.pem -- This will add it back
All that does is (correctly) remove the old cert, but then it puts it back again. How can I actually renew it?
I tried valet renew (as well as unsecure and secure) but this didn't help.
Thanks!
Steps To Reproduce
Diagnosis
sw_vers
ProductName: macOS ProductVersion: 14.6.1 BuildVersion: 23G93
valet --version
Laravel Valet 4.8.0
cat ~/.config/valet/config.json
{ "tld": "test", "paths": [ "/Users/wt/.config/valet/Sites", "/Users/wt/Sites/mprss", "/Users/wt/Sites/credobase/htdocs", "/Users/wt/Sites/markpack" ], "loopback": "127.0.0.1" }
cat ~/.composer/composer.json
{ "require": { "laravel/installer": "^5.6", "laravel/valet": "^4.0", "drupal/coder": "^8.3", "dealerdirect/phpcodesniffer-composer-installer": "^0.7.1", "statamic/cli": "^2.6" }, "require-dev": { "squizlabs/php_codesniffer": "^3.5" }, "config": { "allow-plugins": { "dealerdirect/phpcodesniffer-composer-installer": true } } }
composer global diagnose
Changed current directory to /Users/wt/.composer
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK git version 2.46.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK does not expire
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: You are not running the latest stable version, run `composer self-update` to update (2.7.7 => 2.7.9)
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.7.7
PHP version: 8.2.23
PHP binary path: /opt/homebrew/Cellar/php@8.2/8.2.23/bin/php
OpenSSL version: OpenSSL 3.3.1 4 Jun 2024
curl version: 8.9.1 libz 1.2.12 ssl OpenSSL/3.3.2 (SecureTransport)
zip: extension present, unzip present, 7-Zip not available
composer global outdated
Changed current directory to /Users/wt/.composer
Legend:
! patch or minor release available - update recommended
~ major release available - update possible

Direct dependencies required in composer.json:
dealerdirect/phpcodesniffer-composer-installer 0.7.2 ~ 1.0.0
statamic/cli 2.6.0 ~ 3.2.0

Transitive dependencies not required in composer.json:
laravel/prompts 0.1.25 ~ 0.2.0
symfony/console 6.4.12 ~ 7.1.5
symfony/process 6.4.12 ~ 7.1.5
ls -al /etc/sudoers.d/
total 16 drwxr-xr-x 4 root wheel 128 Aug 13 08:47 . drwxr-xr-x 134 root wheel 4288 Sep 24 11:38 .. -rw-r--r-- 1 root wheel 83 Aug 8 2023 brew -rw-r--r-- 1 root wheel 86 Aug 8 2023 valet
brew config
HOMEBREW_VERSION: 4.3.24 ORIGIN: https://github.com/Homebrew/brew HEAD: 916044581862c32fc2365e8e9ff0b1507a98925e Last commit: 2 days ago Core tap JSON: 24 Sep 12:28 UTC Core cask tap JSON: 24 Sep 12:28 UTC HOMEBREW_PREFIX: /opt/homebrew HOMEBREW_CASK_OPTS: [] HOMEBREW_EDITOR: vim HOMEBREW_MAKE_JOBS: 8 Homebrew Ruby: 3.3.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4_1/bin/ruby CPU: octa-core 64-bit arm_firestorm_icestorm Clang: 15.0.0 build 1500 Git: 2.46.0 => /opt/homebrew/bin/git Curl: 8.7.1 => /usr/bin/curl macOS: 14.6.1-arm64 CLT: 15.3.0.0.1.1708646388 Xcode: N/A Rosetta 2: false
brew services list
Warning: running through sudo, using user/* instead of gui/* domain! Hide this warning by setting HOMEBREW_SERVICES_NO_DOMAIN_WARNING. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`). Name Status User File dnsmasq none root memcached started wt ~/Library/LaunchAgents/homebrew.mxcl.memcached.plist nginx none root php none root [email protected] none root [email protected] none [email protected] none [email protected] error 19968 root ~/Library/LaunchAgents/[email protected] redis started wt ~/Library/LaunchAgents/homebrew.mxcl.redis.plist unbound none
brew list --formula --versions | grep -E "(php|nginx|dnsmasq|mariadb|mysql|mailhog|openssl)(@\d\..*)?\s"
dnsmasq 2.89 2.90
nginx 1.27.0 1.27.1
php 8.3.11 8.3.9
php@7.4 7.4.33_6
php@8.0 8.0.30_1
php@8.1 8.1.27 8.1.29
php@8.2 8.2.20 8.2.18 8.2.14 8.2.22 8.2.23 8.2.15
brew outdated
bash ca-certificates curl ffmpeg ghostscript git glib imagemagick imath jpeg-turbo jpeg-xl libarchive libomp libpng libraw libtiff libzip mpv node shaderc tcl-tk unibilium vapoursynth
brew tap
cutzenfriend/cmdg homebrew/services saulpw/vd shivammathur/php
php -v
PHP 8.2.23 (cli) (built: Aug 27 2024 15:32:20) (NTS) Copyright (c) The PHP Group Zend Engine v4.2.23, Copyright (c) Zend Technologies with Zend OPcache v8.2.23, Copyright (c), by Zend Technologies
which -a php
/opt/homebrew/bin/php /usr/local/bin/php
php --ini
Configuration File (php.ini) Path: /opt/homebrew/etc/php/8.2 Loaded Configuration File: /opt/homebrew/etc/php/8.2/php.ini Scan for additional .ini files in: /opt/homebrew/etc/php/8.2/conf.d Additional .ini files parsed: /opt/homebrew/etc/php/8.2/conf.d/error_log.ini, /opt/homebrew/etc/php/8.2/conf.d/ext-opcache.ini, /opt/homebrew/etc/php/8.2/conf.d/php-memory-limits.ini
nginx -v
nginx version: nginx/1.27.1
curl --version
curl 8.7.1 (x86_64-apple-darwin23.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.61.0 Release-Date: 2024-03-27 Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL threadsafe UnixSockets
php --ri curl
curl

cURL support => enabled
cURL Information => 8.9.1
Age => 11
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => No
SPNEGO => Yes
SSL => Yes
SSPI => No
TLS-SRP => Yes
HTTP2 => Yes
GSSAPI => Yes
KERBEROS5 => Yes
UNIX_SOCKETS => Yes
PSL => No
HTTPS_PROXY => Yes
MULTI_SSL => Yes
BROTLI => Yes
ALTSVC => Yes
HTTP3 => No
UNICODE => No
ZSTD => Yes
HSTS => Yes
GSASL => No
Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtmpe, rtmps, rtmpt, rtmpte, rtmpts, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host => aarch64-apple-darwin23.4.0
SSL Version => OpenSSL/3.3.2 (SecureTransport)
ZLib Version => 1.2.12
libSSH Version => libssh2/1.11.0

Directive => Local Value => Master Value
curl.cainfo => /Users/wt/php/cacert.pem => /Users/wt/php/cacert.pem
/opt/homebrew/bin/ngrok version
sudo: /opt/homebrew/bin/ngrok: command not found
ls -al ~/.ngrok2
total 8 drwx------ 3 wt staff 96 Aug 7 2019 . drwxr-xr-x+ 301 wt staff 9632 Sep 21 15:11 .. -rw------- 1 wt staff 85 Aug 7 2019 ngrok.yml
brew info nginx
==> nginx: stable 1.27.1 (bottled), HEAD
HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server
https://nginx.org/
Installed
/opt/homebrew/Cellar/nginx/1.27.0 (24 files, 2.4MB)
Built from source
/opt/homebrew/Cellar/nginx/1.27.1 (27 files, 2.4MB) *
Poured from bottle using the formulae.brew.sh API on 2024-08-30 at 21:37:46
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/n/nginx.rb
License: BSD-2-Clause
==> Dependencies
Required: openssl@3, pcre2
==> Options
--HEAD Install HEAD version
==> Caveats
Docroot is: /opt/homebrew/var/www

The default port has been set in /opt/homebrew/etc/nginx/nginx.conf to 8080 so that nginx can run without sudo.

nginx will load all files in /opt/homebrew/etc/nginx/servers/.

To start nginx now and restart at login:
brew services start nginx
Or, if you don't want/need a background service you can just run:
/opt/homebrew/opt/nginx/bin/nginx -g daemon\ off;
==> Analytics
install: 13,404 (30 days), 40,420 (90 days), 159,103 (365 days)
install-on-request: 13,390 (30 days), 40,346 (90 days), 158,639 (365 days)
build-error: 3 (30 days)
brew info php
==> php: stable 8.3.11 (bottled), HEAD
General-purpose scripting language
https://www.php.net/
Installed
/opt/homebrew/Cellar/php/8.3.9 (521 files, 88.7MB)
Built from source
/opt/homebrew/Cellar/php/8.3.11 (524 files, 88.8MB)
Poured from bottle using the formulae.brew.sh API on 2024-08-30 at 21:37:41
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/p/php.rb
License: PHP-3.01
==> Dependencies
Build: httpd, pkg-config
Required: apr, apr-util, argon2, aspell, autoconf, curl, freetds, gd, gettext, gmp, icu4c, krb5, libpq, libsodium, libzip, oniguruma, openldap, openssl@3, pcre2, sqlite, tidy-html5, unixodbc
==> Options
--HEAD Install HEAD version
==> Caveats
To enable PHP in Apache add the following to httpd.conf and restart Apache:
LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>

Finally, check DirectoryIndex includes index.php
DirectoryIndex index.php index.html

The php.ini and php-fpm.ini file can be found in:
/opt/homebrew/etc/php/8.3/

To start php now and restart at login:
brew services start php
Or, if you don't want/need a background service you can just run:
/opt/homebrew/opt/php/sbin/php-fpm --nodaemonize
==> Analytics
install: 52,970 (30 days), 154,197 (90 days), 685,009 (365 days)
install-on-request: 49,298 (30 days), 143,142 (90 days), 639,180 (365 days)
build-error: 16 (30 days)
brew info openssl
==> openssl@3: stable 3.3.2 (bottled)
Cryptography and SSL/TLS Toolkit
https://openssl-library.org
Installed
/opt/homebrew/Cellar/openssl@3/3.3.2 (6,984 files, 32.5MB) *
Poured from bottle using the formulae.brew.sh API on 2024-09-09 at 11:30:35
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/o/openssl@3.rb
License: Apache-2.0
==> Dependencies
Required: ca-certificates
==> Caveats
A CA file has been bootstrapped using certificates from the system keychain. To add additional certificates, place .pem files in
/opt/homebrew/etc/openssl@3/certs

and run
/opt/homebrew/opt/openssl@3/bin/c_rehash
==> Analytics
install: 467,567 (30 days), 1,248,059 (90 days), 5,025,438 (365 days)
install-on-request: 67,695 (30 days), 148,578 (90 days), 654,772 (365 days)
build-error: 4,322 (30 days)
openssl version -a
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024) built on: Tue Sep 3 12:46:38 2024 UTC platform: darwin64-arm64-cc options: bn(64,64) compiler: clang -fPIC -arch arm64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DOPENSSL_BUILDING_OPENSSL -DNDEBUG OPENSSLDIR: "/opt/homebrew/etc/openssl@3" ENGINESDIR: "/opt/homebrew/Cellar/openssl@3/3.3.2/lib/engines-3" MODULESDIR: "/opt/homebrew/Cellar/openssl@3/3.3.2/lib/ossl-modules" Seeding source: os-specific CPUINFO: OPENSSL_armcap=0x987d
openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
sudo nginx -t
nginx: the configuration file /opt/homebrew/etc/nginx/nginx.conf syntax is ok nginx: configuration file /opt/homebrew/etc/nginx/nginx.conf test is successful
which -a php-fpm
/opt/homebrew/sbin/php-fpm /usr/local/sbin/php-fpm
/opt/homebrew/opt/php/sbin/php-fpm -v
PHP 8.3.11 (fpm-fcgi) (built: Aug 27 2024 19:16:34) Copyright (c) The PHP Group Zend Engine v4.3.11, Copyright (c) Zend Technologies with Zend OPcache v8.3.11, Copyright (c), by Zend Technologies
sudo /opt/homebrew/opt/php/sbin/php-fpm -y /opt/homebrew/etc/php/8.2/php-fpm.conf --test
[24-Sep-2024 13:28:35] NOTICE: configuration file /opt/homebrew/etc/php/8.2/php-fpm.conf test is successful
ls -al ~/Library/LaunchAgents | grep homebrew
-rw-r--r-- 1 wt staff 526 Jul 6 2023 homebrew.mxcl.mariadb.plist -rw-r--r--@ 1 wt staff 726 Dec 15 2023 homebrew.mxcl.memcached.plist -rw-r--r-- 1 wt staff 725 Dec 10 2019 homebrew.mxcl.openvpn.plist -rw-r--r--@ 1 wt staff 789 Sep 24 12:53 [email protected] -rw-r--r--@ 1 wt staff 865 Mar 15 2024 homebrew.mxcl.redis.plist
ls -al /Library/LaunchAgents | grep homebrew
ls -al /Library/LaunchDaemons | grep homebrew
-rw-r--r--@ 1 root admin 797 Sep 24 12:51 homebrew.mxcl.dnsmasq.plist -rw-r--r--@ 1 root admin 685 Sep 24 13:17 homebrew.mxcl.nginx.plist -rw-r--r--@ 1 root admin 781 Sep 24 12:52 homebrew.mxcl.php.plist -rw-r--r--@ 1 root admin 789 Sep 24 12:52 [email protected] -rw-r--r--@ 1 root admin 789 Sep 24 12:52 [email protected]
ls -al /Library/LaunchDaemons | grep "com.laravel.valet."
ls -aln /etc/resolv.conf
lrwxr-xr-x 1 0 0 22 Aug 4 11:31 /etc/resolv.conf -> ../var/run/resolv.conf
cat /etc/resolv.conf
# # macOS Notice # # This file is not consulted for DNS hostname resolution, address # resolution, or the DNS query routing mechanism used by most # processes on this system. # # To view the DNS configuration used by this system, use: # scutil --dns # # SEE ALSO # dns-sd(1), scutil(8) # # This file is automatically generated. # search lan nameserver 217.169.20.20 nameserver 217.169.20.21
ifconfig lo0
lo0: flags=8049mtu 16384 options=1203 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 nd6 options=201
sh -c 'echo "------\n/opt/homebrew/etc/nginx/valet/valet.conf\n---\n"; cat /opt/homebrew/etc/nginx/valet/valet.conf | grep -n "# valet loopback"; echo "\n------\n"'
------
/opt/homebrew/etc/nginx/valet/valet.conf
---
3: #listen VALET_LOOPBACK:80; # valet loopback
------
sh -c 'for file in ~/.config/valet/dnsmasq.d/*; do echo "------\n~/.config/valet/dnsmasq.d/$(basename $file)\n---\n"; cat $file; echo "\n------\n"; done'
------
~/.config/valet/dnsmasq.d/tld-test.conf
---
address=/.test/127.0.0.1
listen-address=127.0.0.1
------
sh -c 'for file in ~/.config/valet/nginx/*; do echo "------\n~/.config/valet/nginx/$(basename $file)\n---\n"; cat $file | grep -n "# valet loopback"; echo "\n------\n"; done'
------
~/.config/valet/nginx/acc.test
---
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/adthing.test
5: #listen VALET_LOOPBACK:80; # valet loopback
~/.config/valet/nginx/care.test
4: #listen 127.0.0.1:80; # valet loopback 11: #listen VALET_LOOPBACK:443 ssl; # valet loopback 55: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/credobase.test
5: #listen VALET_LOOPBACK:80; # valet loopback
~/.config/valet/nginx/credocare-portal.test
5: #listen VALET_LOOPBACK:80; # valet loopback
~/.config/valet/nginx/credocare-public.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/fastcgi_params
~/.config/valet/nginx/goodwood-fos.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/goodwood-fosportal.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/goodwood-mmportal.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/goodwood-rc.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/goodwood-revival.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/goodwood-revportal.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/kimai.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
~/.config/valet/nginx/startnew.test
3: #listen 127.0.0.1:80; # valet loopback 10: #listen VALET_LOOPBACK:443 ssl; # valet loopback 54: #listen 127.0.0.1:60; # valet loopback
------
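
The situation in the report above (site certificates still in date, the CA that issued them past its expiry) can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original issue and not Valet code: the function names, the throwaway CA and the `example.test` leaf are constructed, and expiry is simulated by checking at an offset from the current time.

```shell
#!/bin/sh
# Added example with constructed names; read-only diagnostics, no keychain or
# trust-store changes. Assumes the openssl CLI is on PATH.

# cert_state PEM [OFFSET_SECONDS]
# Prints "valid" if PEM is still inside its validity period OFFSET seconds
# from now, "expired" if not, "missing" if the file cannot be read.
cert_state() {
    [ -r "$1" ] || { echo missing; return 1; }
    if openssl x509 -checkend "${2:-0}" -noout -in "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# chain_state CA_PEM LEAF_PEM [OFFSET_SECONDS]
# Prints "ok" if LEAF_PEM verifies against CA_PEM at (now + OFFSET), else
# "broken". An expired CA breaks the chain even when the leaf is in date.
chain_state() {
    at=$(( $(date +%s) + ${3:-0} ))
    if openssl verify -attime "$at" -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo broken
    fi
}

# make_demo_pki DIR
# Constructed sample input: a throwaway CA valid for 1 day and a leaf for
# example.test valid for 10 days, written to DIR/ca.pem and DIR/leaf.pem.
make_demo_pki() {
    d=$1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 >/dev/null 2>&1 &&
    openssl req -new -config "$d/openssl.cnf" -subj "/CN=example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 10 -out "$d/leaf.pem" >/dev/null 2>&1
}
```

Run against the file from the report, `cert_state ~/.config/valet/CA/LaravelValetCASelfSigned.pem` gives the same answer before and after the `delete-certificate` / `add-trusted-cert` round trip, because those commands change trust settings and leave the certificate's validity dates untouched.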