[Feature Request]: Self-signed CA suggestion

[blhylton]

Feature Description

A simple way to find the CA certificate for installing/trusting would be helpful. The path could be listed under "General" or "About" inside Settings, with a button that opens Finder in that directory.

Barring that, updating the documentation under "Securing" would probably suffice.

Is this feature valuable for other users as well and why?

TL;DR: Sometimes, you need to install a CA cert manually, and a way to quickly find where it is could help people.

When I tried to secure a site with Herd, I didn't get the typical "This site is dangerous; are you sure?" dialog. Instead getting: "Secure Connection Failed ... Error code: SEC_ERROR_BAD_SIGNATURE" which Firefox would not allow me to continue past. Installing the root certificate into Firefox fixed the issue, but I had to dive into the Application Support folder to determine where it was. My concern is that there are or will be others with similar/the same issue who wouldn't know where to find the certificate to install it manually.

Of note, this is not an issue with Chrome (and presumably Safari), but some people may still want to install the CA and need help finding it.

[meditto]

a self-signed certificate is required if you're making a Shopify app

[blhylton]

a self-signed certificate is required if you're making a Shopify app

There is already a self-signed certificate available within Herd when you secure the sites. The issue is that the CA isn't trusted by browsers (specifically Firefox) or there may be another reason you need the CA. This was just a suggestion to make the location of that obvious within the app or docs should you want to trust it on your local system.

[blhylton]

I typed up these instructions for my internal team. Feel free to use them if it makes any of this easier:

Keychain

(This covers most browsers, including Chrome, Safari, and the Laravel HTTP facade)

1. Open Keychain Access
2. Go to the System item on the left and then the Certificates tab at the top.
3. Navigate to ~/Library/Application Support/Herd/config/valet/CA in Finder. (open -a Finder ~/Library/Application\ Support/Herd/config/valet/CA if you want a copy-paste CLI shortcut, or use the Show php.ini option in the Herd menu and traverse up one folder to find the valet folder.)
4. Drag LaravelValetCASelfSigned.pem into Keychain Access.
5. Double-click the newly created entry in Keychain Access
6. Expand the "Trust" section
7. Change the top select menu to "Always Trust" and close the info page (it will prompt you for your system password to trust the certificate).

Firefox

1. Open Settings > Privacy & Security > View Certificates
2. Go over to the Authorities tab and click "Import..."
3. Navigate to ~/Library/Application Support/Herd/config/valet/CA in the open dialog.
4. Select the LaravelValetCASelfSigned.pem and Open
5. Trust the CA to identify websites in the pop-up (you can also trust it for emails, but that shouldn't have any bearing).
6. Click OK a few times to get back to settings and save everything

If they were secured, Firefox would only open the sites for me once I did this.

Updated 11/8/23 based on below comments and other feedback received outside of this thread

[kauffinger]

This also applies to anyone who runs multiple services with herd and wants to do inter-service communication (like an auth service) via https.
For me, I got curl CA errors before adding the CA manually.

Another way to easily find the file is to use the Show php.ini option in the Herd menu and go up one folder, where you will find the valet folder.

Thanks for reporting/finding!

EDIT:
I tried to reproduce the error I had before by deleting the certificate so I can add the error message to make the issue more easily found via search engines, but I was not able to. Even after deleting the certificate it still worked. Not sure if I have to do some kind of reloading to get back to the previous state, but I'll leave this up anyway as it definitely did not work before I followed your steps.

[blhylton]

@kauffinger Thanks for the input. I updated my instructions to include your note about finding the folder and made a few changes from comments outside of this thread.

Additionally, it looks like this manifests as Illuminate\Http\Client\ConnectionException and likely a cURL error that references OpenSSL. The exact error message may depend on what you're trying to do, so hopefully, this will help others find this in the future.

[adrum]

Implementing this in Herd would solve this scenario. This modifies the Trust behavior to only trust the CA at the system level if needed, and stops trusting the individual cert when securing sites since it's redundant if the CA is trusted.

After this change, Valet will look to see if the CA is already in the Keychain, and will ask you save it if it isn't. It ensures the local system always trusts the CA.

More details here: laravel/valet#1463