Valet commands hang and don't continue with v3 upgrade

[driesvints]

• Valet Version: 3.0.1
• PHP Version: 8.1.2

Description:

When I try to run valet install, the commands hangs and stops at "Installing nginx directory...". When I run valet secure on a site, the command also hangs and stops.

This started to happen with the v3 upgrade. I have no idea what's going on...

Steps To Reproduce:

Run either valet secure or valet install.

Diagnosis

sw_vers

ProductName:   macOS
ProductVersion: 12.3
BuildVersion:   21E230

valet --version

Laravel Valet 3.0.1

cat ~/.config/valet/config.json

{
    "tld": "test",
    "loopback": "127.0.0.1",
    "paths": [
        "/Users/driesvints/.config/valet/Sites"
    ]
}

cat ~/.composer/composer.json

{
    "require": {
        "laravel/installer": "^4.2",
        "laravel/valet": "^3.0",
        "beyondcode/expose": "^2.0",
        "tightenco/takeout": "^1.8",
        "spatie/global-ray": "^1.0",
        "spatie/visit": "^1.0"
    }
}

composer global diagnose

Changed current directory to /Users/driesvints/.composer
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: You are not running the latest stable version, run `composer self-update` to update (2.2.6 => 2.3.0)
Composer version: 2.2.6
PHP version: 8.1.2
PHP binary path: /opt/homebrew/Cellar/php/8.1.2/bin/php
OpenSSL version: OpenSSL 1.1.1m  14 Dec 2021
cURL version: 7.81.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1m
zip: extension present, unzip present, 7-Zip not available

composer global outdated

Changed current directory to /Users/driesvints/.composer
Legend:
! patch or minor release available - update recommended
~ major release available - update possible
guzzlehttp/psr7   1.8.5   ~ 2.2.1  PSR-7 message implementation that also provides common utility methods
tightenco/collect v8.83.5 ~ v9.4.1 Collect - Illuminate Collections as a separate package.
tightenco/takeout v1.8.13 ~ v2.0.4 Manage your dev dependencies with simple one-off Docker containers.

ls -al /etc/sudoers.d/

total 16
drwxr-xr-x   4 root  wheel   128 Mar 15 17:58 .
drwxr-xr-x  81 root  wheel  2592 Mar 22 11:37 ..
-rw-r--r--   1 root  wheel    83 Nov 23 17:34 brew
-rw-r--r--   1 root  wheel    86 Nov 23 17:34 valet

brew config

HOMEBREW_VERSION: 3.4.4
ORIGIN: https://github.com/Homebrew/brew
HEAD: 5f5af43244eaece1f09d695603e1a261676713a0
Last commit: 3 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 26e0e3bca236578de6dbcaa8c2a8e528f32c9ee9
Core tap last commit: 18 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_CORE_GIT_REMOTE: https://github.com/Homebrew/homebrew-core
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 2.6.8 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 13.1.6 build 1316
Git: 2.35.1 => /opt/homebrew/bin/git
Curl: 7.79.1 => /usr/bin/curl
macOS: 12.3-arm64
CLT: 13.3.0.0.1.1645755326
Xcode: N/A
Rosetta 2: false

brew services list

Name        Status User       File
dnsmasq     none            root       
meilisearch none                       
memcached   none                       
mysql       started         driesvints ~/Library/LaunchAgents/homebrew.mxcl.mysql.plist
nginx       none                       
php         none                       
php@7.4     none                       
php@8.0     none                       
redis       started         driesvints ~/Library/LaunchAgents/homebrew.mxcl.redis.plist
stripe-mock none                       
unbound     none

brew list --formula --versions | grep -E "(php|nginx|dnsmasq|mariadb|mysql|mailhog|openssl)(@\d\..*)?\s"

dnsmasq 2.86
mysql 8.0.28
nginx 1.21.4 1.21.6
openssl@1.1 1.1.1m
php 8.0.13 8.1.2
php@7.4 7.4.28 7.4.27 7.4.26_1
php@8.0 8.0.15 8.0.13 8.0.14

brew outdated

aom
awscli
ca-certificates
composer
curl
flac
frei0r
glib
gnutls
gobject-introspection
harfbuzz
httpie
icu4c
imagemagick
krb5
libarchive
libbluray
libgcrypt
libnghttp2
libomp
libtool
libuv
little-cms2
meilisearch
memcached
mysql
nginx
node
openssl@1.1
php
php@7.4
php@8.0
python@3.9
sqlite
stripe/stripe-cli/stripe
stripe/stripe-mock/stripe-mock
tesseract
yarn
elgato-stream-deck
phpmon

brew tap

homebrew/bundle
homebrew/cask
homebrew/cask-drivers
homebrew/cask-fonts
homebrew/cask-versions
homebrew/core
homebrew/services
nicoverbruggen/cask
stripe/stripe-cli
stripe/stripe-mock

php -v

PHP 8.1.2 (cli) (built: Jan 21 2022 04:34:05) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies

which -a php

/opt/homebrew/bin/php
/opt/homebrew/bin/php

php --ini

Configuration File (php.ini) Path: /opt/homebrew/etc/php/8.1
Loaded Configuration File:         /opt/homebrew/etc/php/8.1/php.ini
Scan for additional .ini files in: /opt/homebrew/etc/php/8.1/conf.d
Additional .ini files parsed:      /opt/homebrew/etc/php/8.1/conf.d/error_log.ini,
/opt/homebrew/etc/php/8.1/conf.d/ext-opcache.ini,
/opt/homebrew/etc/php/8.1/conf.d/php-memory-limits.ini

nginx -v

nginx version: nginx/1.21.6

curl --version

curl 7.79.1 (x86_64-apple-darwin21.0) libcurl/7.79.1 (SecureTransport) LibreSSL/3.3.5 zlib/1.2.11 nghttp2/1.45.1
Release-Date: 2021-09-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets

php --ri curl

curl

cURL support => enabled
cURL Information => 7.81.0
Age => 9
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => Yes
SSL => Yes
SSPI => No
TLS-SRP => Yes
HTTP2 => Yes
GSSAPI => Yes
KERBEROS5 => Yes
UNIX_SOCKETS => Yes
PSL => No
HTTPS_PROXY => Yes
MULTI_SSL => Yes
BROTLI => Yes
Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host => arm-apple-darwin21.1.0
SSL Version => (SecureTransport) OpenSSL/1.1.1m
ZLib Version => 1.2.11
libSSH Version => libssh2/1.10.0

Directive => Local Value => Master Value
curl.cainfo => no value => no value

~/.composer/vendor/laravel/valet/bin/ngrok version

ngrok version 2.3.40

~/.composer/vendor/laravel/valet/bin/ngrok-arm version

ngrok version 2.3.40

ls -al ~/.ngrok2

ls: /Users/driesvints/.ngrok2: No such file or directory

brew info nginx

nginx: stable 1.21.6 (bottled), HEAD
HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server
https://nginx.org/
/opt/homebrew/Cellar/nginx/1.21.4 (23 files, 2.2MB)
  Built from source
/opt/homebrew/Cellar/nginx/1.21.6 (26 files, 2.2MB) *
  Poured from bottle on 2022-02-18 at 11:43:28
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/nginx.rb
License: BSD-2-Clause
==> Dependencies
Required: openssl@1.1, pcre2
==> Options
--HEAD
    Install HEAD version
==> Caveats
Docroot is: /opt/homebrew/var/www

The default port has been set in /opt/homebrew/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /opt/homebrew/etc/nginx/servers/.

To restart nginx after an upgrade:
  brew services restart nginx
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/nginx/bin/nginx -g daemon off;
==> Analytics
install: 45,714 (30 days), 125,815 (90 days), 491,350 (365 days)
install-on-request: 45,626 (30 days), 125,593 (90 days), 490,322 (365 days)
build-error: 15 (30 days)

brew info php

php: stable 8.1.4 (bottled), HEAD
General-purpose scripting language
https://www.php.net/
/opt/homebrew/Cellar/php/8.0.13 (497 files, 77.7MB)
  Built from source
/opt/homebrew/Cellar/php/8.1.2 (513 files, 81.6MB) *
  Poured from bottle on 2022-02-18 at 11:54:21
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/php.rb
License: PHP-3.01
==> Dependencies
Build: httpd, pkg-config
Required: apr, apr-util, argon2, aspell, autoconf, curl, freetds, gd, gettext, gmp, icu4c, krb5, libpq, libsodium, libzip, oniguruma, openldap, openssl@1.1, pcre2, sqlite, tidy-html5, unixodbc
==> Options
--HEAD
    Install HEAD version
==> Caveats
To enable PHP in Apache add the following to httpd.conf and restart Apache:
    LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

    
        SetHandler application/x-httpd-php
    

Finally, check DirectoryIndex includes index.php
    DirectoryIndex index.php index.html

The php.ini and php-fpm.ini file can be found in:
    /opt/homebrew/etc/php/8.1/

To restart php after an upgrade:
  brew services restart php
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/php/sbin/php-fpm --nodaemonize
==> Analytics
install: 146,458 (30 days), 369,348 (90 days), 959,038 (365 days)
install-on-request: 123,342 (30 days), 305,131 (90 days), 841,057 (365 days)
build-error: 61 (30 days)

brew info openssl

openssl@3: stable 3.0.2 (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/openssl@3.rb
License: Apache-2.0
==> Dependencies
Required: ca-certificates
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /opt/homebrew/etc/openssl@3/certs

and run
  /opt/homebrew/opt/openssl@3/bin/c_rehash

openssl@3 is keg-only, which means it was not symlinked into /opt/homebrew,
because macOS provides LibreSSL.

==> Analytics
install: 148,117 (30 days), 352,995 (90 days), 652,950 (365 days)
install-on-request: 116,595 (30 days), 273,335 (90 days), 511,473 (365 days)
build-error: 5,483 (30 days)

openssl version -a

LibreSSL 2.8.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

openssl ciphers

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:GOST2012256-GOST89-GOST89:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA

sudo nginx -t

nginx: the configuration file /opt/homebrew/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /opt/homebrew/etc/nginx/nginx.conf test is successful

which -a php-fpm

/opt/homebrew/sbin/php-fpm
/opt/homebrew/sbin/php-fpm

/opt/homebrew/opt/php/sbin/php-fpm -v

PHP 8.1.2 (fpm-fcgi) (built: Jan 21 2022 04:34:06)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies

sudo /opt/homebrew/opt/php/sbin/php-fpm -y /opt/homebrew/etc/php/8.1/php-fpm.conf --test

[30-Mar-2022 12:28:10] NOTICE: configuration file /opt/homebrew/etc/php/8.1/php-fpm.conf test is successful

ls -al ~/Library/LaunchAgents | grep homebrew

-rw-r--r--   1 driesvints  staff   537 Nov 23 11:36 homebrew.mxcl.mysql.plist
-rw-r--r--   1 driesvints  staff   685 Dec  3 17:32 homebrew.mxcl.redis.plist

ls -al /Library/LaunchAgents | grep homebrew

ls -al /Library/LaunchDaemons | grep homebrew

-rw-r--r--   1 root  admin   602 Mar 30 12:20 homebrew.mxcl.dnsmasq.plist

ls -al /Library/LaunchDaemons | grep "com.laravel.valet."

ls -aln /etc/resolv.conf

lrwxr-xr-x  1 0  0  22 Feb 26 08:05 /etc/resolv.conf -> ../var/run/resolv.conf

cat /etc/resolv.conf

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 192.168.1.1

ifconfig lo0

lo0: flags=8049 mtu 16384
    options=1203
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=201

sh -c 'echo "------\n/opt/homebrew/etc/nginx/valet/valet.conf\n---\n"; cat /opt/homebrew/etc/nginx/valet/valet.conf | grep -n "# valet loopback"; echo "\n------\n"'

------
/opt/homebrew/etc/nginx/valet/valet.conf
---

3:    #listen VALET_LOOPBACK:80; # valet loopback

------

sh -c 'for file in ~/.config/valet/dnsmasq.d/*; do echo "------\n~/.config/valet/dnsmasq.d/$(basename $file)\n---\n"; cat $file; echo "\n------\n"; done'

------
~/.config/valet/dnsmasq.d/tld-test.conf
---

address=/.test/127.0.0.1
listen-address=127.0.0.1

------

sh -c 'for file in ~/.config/valet/nginx/*; do echo "------\n~/.config/valet/nginx/$(basename $file)\n---\n"; cat $file | grep -n "# valet loopback"; echo "\n------\n"; done'

------
~/.config/valet/nginx/*
---

cat: /Users/driesvints/.config/valet/nginx/*: No such file or directory

------

[driesvints]

@NasirNobin do you have any thoughts here?

[NasirNobin]

@driesvints can you check (maybe the second monitor if you have) and see if there's any password prompt? (Can't think of another reason for this behavior at the moment)

[driesvints]

There's no password prompt.

[driesvints]

I tried downgrading to Valet v2 but the same issues persist. I didn't had these issues before upgrading to Valet v3 🤔

[squatto]

I'm having the exact same issue. I get the security password prompt a few times, and then it hangs on the "Installing nginx directory..." step. Here is the call stack:

If I stop the process and run it again, it hangs at the same place. The same thing happens if I reboot and run the command.

[squatto]

I added a bunch of info() calls throughout the install process to see what is happening, and this is where it is failing:

• \Valet\Site::resecureForNewConfiguration() loops through the secured sites
  • \Valet\Site::unsecure() is called and completes
  • \Valet\Site::secure() is called
  • \Valet\Site::unsecure() is called (again) and completes
  • \Valet\Site::createCa() is called
    • \Valet\Site::createCertificate() is called
    • Everything in the method completes except for \Valet\Site::trustCertificate(), which is where the process hangs forever

The command that is hanging is:

sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/Users/scott/.config/valet/Certificates/domain.test.crt"

I ran the same command manually and it still hangs (see the screenshot above), so it isn't necessarily being caused by Valet. I'm not sure if it has something to do with how it's being called by Valet, however.

[squatto]

To help track what is happening, here is the pertinent output that I added to the install process:

Valet\Nginx::installNginxDirectory() - START
    Installing nginx directory...
    Valet\Nginx::rewriteSecureNginxFiles() - START
        Valet\Site::resecureForNewConfiguration() - START
            Valet\Site::resecureForNewConfiguration() - START URL: domain.test
                Valet\Site::unsecure() - START URL: domain.test
                    Valet\CommandLine::runCommand() - START CMD: sudo security delete-certificate -c "domain.test" /Library/Keychains/System.keychain
                    Valet\CommandLine::runCommand() - END CMD: sudo security delete-certificate -c "domain.test" /Library/Keychains/System.keychain
                    Valet\CommandLine::runCommand() - START CMD: sudo security delete-certificate -c "*.domain.test" /Library/Keychains/System.keychain
                    Valet\CommandLine::runCommand() - END CMD: sudo security delete-certificate -c "*.domain.test" /Library/Keychains/System.keychain
                    Valet\CommandLine::runCommand() - START CMD: sudo security find-certificate -e "domain.test@laravel.valet" -a -Z | grep SHA-1 | sudo awk '{system("security delete-certificate -Z '$NF' /Library/Keychains/System.keychain")}'
                    Valet\CommandLine::runCommand() - END CMD: sudo security find-certificate -e "domain.test@laravel.valet" -a -Z | grep SHA-1 | sudo awk '{system("security delete-certificate -Z '$NF' /Library/Keychains/System.keychain")}'
                Valet\Site::unsecure() - END URL: domain.test
                Valet\Site::secure() - START URL: domain.test
                    Valet\Site::unsecure() - START URL: domain.test
                        Valet\CommandLine::runCommand() - START CMD: sudo security delete-certificate -c "domain.test" /Library/Keychains/System.keychain
                        Valet\CommandLine::runCommand() - END CMD: sudo security delete-certificate -c "domain.test" /Library/Keychains/System.keychain
                        Valet\CommandLine::runCommand() - START CMD: sudo security delete-certificate -c "*.domain.test" /Library/Keychains/System.keychain
                        Valet\CommandLine::runCommand() - END CMD: sudo security delete-certificate -c "*.domain.test" /Library/Keychains/System.keychain
                        Valet\CommandLine::runCommand() - START CMD: sudo security find-certificate -e "domain.test@laravel.valet" -a -Z | grep SHA-1 | sudo awk '{system("security delete-certificate -Z '$NF' /Library/Keychains/System.keychain")}'
                        Valet\CommandLine::runCommand() - END CMD: sudo security find-certificate -e "domain.test@laravel.valet" -a -Z | grep SHA-1 | sudo awk '{system("security delete-certificate -Z '$NF' /Library/Keychains/System.keychain")}'
                    Valet\Site::unsecure() - END URL: domain.test
                    Valet\Site::createCa() - START
                        Valet\Site::createCertificate() - START URL: domain.test
                            Valet\CommandLine::runCommand() - START CMD: sudo -u "scott" openssl genrsa -out "/Users/scott/.config/valet/Certificates/domain.test.key" 2048
                            Valet\CommandLine::runCommand() - END CMD: sudo -u "scott" openssl genrsa -out "/Users/scott/.config/valet/Certificates/domain.test.key" 2048
                            Valet\CommandLine::runCommand() - START CMD: sudo -u "scott" openssl req -new -key "/Users/scott/.config/valet/Certificates/domain.test.key" -out "/Users/scott/.config/valet/Certificates/domain.test.csr" -subj "/C=/ST=/O=/localityName=/commonName=domain.test/organizationalUnitName=/emailAddress=domain.test@laravel.valet/" -config "/Users/scott/.config/valet/Certificates/domain.test.conf"
                            Valet\CommandLine::runCommand() - END CMD: sudo -u "scott" openssl req -new -key "/Users/scott/.config/valet/Certificates/domain.test.key" -out "/Users/scott/.config/valet/Certificates/domain.test.csr" -subj "/C=/ST=/O=/localityName=/commonName=domain.test/organizationalUnitName=/emailAddress=domain.test@laravel.valet/" -config "/Users/scott/.config/valet/Certificates/domain.test.conf"
                            Valet\CommandLine::runCommand() - START CMD: sudo -u "scott" openssl x509 -req -sha256 -days 396 -CA "/Users/scott/.config/valet/CA/LaravelValetCASelfSigned.pem" -CAkey "/Users/scott/.config/valet/CA/LaravelValetCASelfSigned.key" -CAserial "/Users/scott/.config/valet/CA/LaravelValetCASelfSigned.srl" -in "/Users/scott/.config/valet/Certificates/domain.test.csr" -out "/Users/scott/.config/valet/Certificates/domain.test.crt" -extensions v3_req -extfile "/Users/scott/.config/valet/Certificates/domain.test.conf"
                            Valet\CommandLine::runCommand() - END CMD: sudo -u "scott" openssl x509 -req -sha256 -days 396 -CA "/Users/scott/.config/valet/CA/LaravelValetCASelfSigned.pem" -CAkey "/Users/scott/.config/valet/CA/LaravelValetCASelfSigned.key" -CAserial "/Users/scott/.config/valet/CA/LaravelValetCASelfSigned.srl" -in "/Users/scott/.config/valet/Certificates/domain.test.csr" -out "/Users/scott/.config/valet/Certificates/domain.test.crt" -extensions v3_req -extfile "/Users/scott/.config/valet/Certificates/domain.test.conf"
                            Valet\CommandLine::runCommand() - START CMD: sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain "/Users/scott/.config/valet/Certificates/domain.test.crt"

[squatto]

To get back to where I can actually use my local environment, I had to:

1. Unsecure all sites: valet unsecure --all
2. Delete every Nginx conf file in ~/.config/valet/Nginx
3. Delete every certificate conf file in ~/.config/valet/Certificates
4. Restart Valet services: valet restart

Your local sites will not be secured, so you'll need to remember to use http:// instead of https://. I can't secure any new sites because they always hang at the \Valet\Site::trustCertificate() step. I can at least work now though! 😂

[nicoverbruggen]

There's definitely something wonky going on here, and it might be a macOS issue, given that the problem seems to lie with the auth prompt for /usr/bin/security. You're definitely supposed to get an auth prompt for each certificate that is supposed to be trusted.

What version of macOS are you guys on by the way? (Might be a recent issue, hence why you maybe didn't encounter this before...)

[driesvints]

Monterey 12.3

[NasirNobin]

I couldn't reproduce this on my MBP 2020 M1 & 2021 M1 Pro models both running 12.3.

@driesvints what's the model/year of your MacBook?

[nicoverbruggen]

I just tried running valet install on my system and it also worked here, also on Monterey 12.3. (M1 Mac mini here.)

I did get multiple Touch ID prompts, one for every domain. I also spotted a .DS_Store certificate being generated after looking in Keychain Access, but I'm assuming that's unrelated to this issue.

[driesvints]

MacBook Pro M1 Max from 2021.

[squatto]

I'm running Monterey 12.3 on a MacBook Pro (16-inch, 2019).

After a reboot (I'm assuming because it clears auth) I get Touch ID prompts for the first few certs, and then it hangs. If I kill the install process and run it again, it hangs on the first one.

[NasirNobin]

Can anyone try this and confirm if this solves anything?

security authorizationdb read com.apple.trust-settings.admin > ~/.config/valet/apple-trust-settings > /dev/null 2>& 1
sudo security authorizationdb write com.apple.trust-settings.admin allow > /dev/null 2>& 1

valet install

sudo security authorizationdb write com.apple.trust-settings.admin < ~/.config/valet/apple-trust-settings > /dev/null 2>& 1

For me, it does get rid of the prompt. Then again enables the prompt. Snippet taken from https://github.com/laravel/valet/discussions/1135

[NasirNobin]

also, anyone having this issue please share the output of this command, it might help us track down the underlying issue.

security authorizationdb read com.apple.trust-settings.admin

@driesvints @squatto

[AidanLaycock]

@NasirNobin - Your steps above worked for me. I had it where it was stuck asking for a password constantly before running them.

If it will help, when I run your command I get the following (Please note this is after getting V3 installed):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>class</key>
        <string>rule</string>
        <key>comment</key>
        <string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string>
        <key>created</key>
        <real>607242072.973809</real>
        <key>k-of-n</key>
        <integer>1</integer>
        <key>modified</key>
        <real>670364736.28937805</real>
        <key>rule</key>
        <array>
                <string>entitled</string>
                <string>authenticate-admin</string>
        </array>
        <key>version</key>
        <integer>1</integer>
</dict>
</plist>
YES (0)

[squatto]

@NasirNobin here is my output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string>
    <key>created</key>
    <real>609969267.73147702</real>
    <key>k-of-n</key>
    <integer>1</integer>
    <key>modified</key>
    <real>657799143.00014901</real>
    <key>rule</key>
    <array>
        <string>entitled</string>
        <string>authenticate-admin</string>
    </array>
    <key>version</key>
    <integer>1</integer>
</dict>
</plist>
YES (0)

[squatto]

@NasirNobin running those commands doesn't fix the issue for me. It still gets stuck on the security command. I tried it with both valet install and valet secure <site> with the same result.

[ErikBernskiold]

Had the same thing. For what it's worth adding my experience:

Tried the commands in https://github.com/laravel/valet/issues/1224#issuecomment-1083565247. Still got stuck on valet install. Did a restart. Install worked.

[driesvints]

Can anyone try this and confirm if this solves anything?

Unfortunately, it still hangs on the "Installing nginx directory..." step.

also, anyone having this issue please share the output of this command, it might help us track down the underlying issue.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>class</key>
        <string>rule</string>
        <key>comment</key>
        <string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string>
        <key>created</key>
        <real>658955694.10467303</real>
        <key>k-of-n</key>
        <integer>1</integer>
        <key>modified</key>
        <real>658955694.10467303</real>
        <key>rule</key>
        <array>
                <string>entitled</string>
                <string>authenticate-admin</string>
        </array>
        <key>version</key>
        <integer>1</integer>
</dict>
</plist>
YES (0)

[nicoverbruggen]

Did a restart. Install worked.

Can anyone who has this issue try rebooting their Mac and try again?

[ErikBernskiold]

Just to be clear, what I did was first run the set of commands up until valet install. Then did a restart. Ran install. And finished off with the final command for good measure.

My thinking was something with auth tied to the user that would clear/flush on restart (probably logout too?).

Or that was just a big coincidence... :)

[driesvints]

It finally worked for me after a restart. It's odd because I tried that before and it didn't work before. Anyway, thanks all to help debug this one! :)

[ErikBernskiold]

@driesvints Just curious, did you authenticate using fingerprint when it got stuck? Just did this upgrade on another machine and opted for typing the password, and except for all the prompts in #1226, that worked. While mine with the fingerprint got stuck.

[driesvints]

I indeed used fingerprint.

[JackWH]

@ErikBernskiold Like Dries, I had the same issue — and eventually figured out the only way past it was by not using TouchID, as I described in #1226. Keychain Access would also become completely unresponsive.

[mfullbrook]

I had the same symptoms and I was using Touch ID. For me, the resolution was to open up System Preferences and open the "Apple ID" panel. There was a warning about Apple ID needing to sign-in. Once I cleared this warning Valet started working again.