NET::ERR_CERT_AUTHORITY_INVALID

[rabol]

Description

I have just installed the latest version of Valet

I then did a Valet install and now I get this error on all .test sites

NET::ERR_CERT_AUTHORITY_INVALID

Steps To Reproduce

install v 4.7.0 do a valet install

It will then renew all certificates

Diagnosis

sw_vers

ProductName:       macOS
ProductVersion:     14.5
BuildVersion:       23F79

valet --version

Laravel Valet 4.7.0

cat ~/.config/valet/config.json

{
    "tld": "test",
    "loopback": "127.0.0.1",
    "paths": [
        "/Users/rabol/code/web"
    ],
    "share-tool": "expose"
}

cat ~/.composer/composer.json

{
    "require": {
        "laravel/valet": "^4.0",
        "laravel/installer": "^5.0" 
    }
}

composer global diagnose

Changed current directory to /Users/rabol/.composer
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK git version 2.39.3
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: You are not running the latest stable version, run `composer self-update` to update (2.5.8 => 2.7.7)
Composer version: 2.5.8
PHP version: 8.3.8
PHP binary path: /opt/homebrew/Cellar/php/8.3.8/bin/php
OpenSSL version: OpenSSL 3.3.1 4 Jun 2024
cURL version: 8.8.0 libz 1.2.12 ssl (SecureTransport) OpenSSL/3.3.1
zip: extension present, unzip present, 7-Zip not available

composer global outdated

Changed current directory to /Users/rabol/.composer

Direct dependencies required in composer.json:
Everything up to date

Transitive dependencies not required in composer.json:
Everything up to date

ls -al /etc/sudoers.d/

total 16
drwxr-xr-x   4 root  wheel   128 May 15 07:41 .
drwxr-xr-x  80 root  wheel  2560 Jun 20 11:03 ..
-rw-r--r--   1 root  wheel    83 May 15 07:41 brew
-rw-r--r--   1 root  wheel    86 May 15 07:41 valet

brew config

HOMEBREW_VERSION: 4.3.6
ORIGIN: https://github.com/Homebrew/brew
HEAD: e8430b25a1d1321f32e5093d62b57b5cb7cfb3c3
Last commit: 4 days ago
Core tap JSON: 20 Jun 09:10 UTC
Core cask tap JSON: 20 Jun 09:10 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: nano
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 3.3.3 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.3/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 15.0.0 build 1500
Git: 2.39.3 => /Applications/Xcode.app/Contents/Developer/usr/bin/git
Curl: 8.6.0 => /usr/bin/curl
macOS: 14.5-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.4
Rosetta 2: false

brew services list

Name       Status User  File
dnsmasq    error  512      root  ~/Library/LaunchAgents/homebrew.mxcl.dnsmasq.plist
mailpit    started         rabol ~/Library/LaunchAgents/homebrew.mxcl.mailpit.plist
nginx      error  256      root  ~/Library/LaunchAgents/homebrew.mxcl.nginx.plist
php        started         root  ~/Library/LaunchAgents/homebrew.mxcl.php.plist
redis      started         rabol ~/Library/LaunchAgents/homebrew.mxcl.redis.plist
supervisor started         rabol ~/Library/LaunchAgents/homebrew.mxcl.supervisor.plist

brew list --formula --versions | grep -E "(php|nginx|dnsmasq|mariadb|mysql|mailhog|openssl)(@\d\..*)?\s"

dnsmasq 2.90
nginx 1.27.0
openssl@1.1 1.1.1w
php 8.3.8

brew outdated

c-ares
cmake
httpie
mailpit

brew tap

homebrew/services
ngrok/ngrok
shivammathur/extensions
shivammathur/php

php -v

PHP 8.3.8 (cli) (built: Jun  4 2024 14:53:17) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.8, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.8, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans

which -a php

/opt/homebrew/bin/php

php --ini

Configuration File (php.ini) Path: /opt/homebrew/etc/php/8.3
Loaded Configuration File:         /opt/homebrew/etc/php/8.3/php.ini
Scan for additional .ini files in: /opt/homebrew/etc/php/8.3/conf.d
Additional .ini files parsed:      /opt/homebrew/etc/php/8.3/conf.d/error_log.ini,
/opt/homebrew/etc/php/8.3/conf.d/ext-imagick.ini,
/opt/homebrew/etc/php/8.3/conf.d/ext-opcache.ini,
/opt/homebrew/etc/php/8.3/conf.d/php-memory-limits.ini,
/opt/homebrew/etc/php/8.3/conf.d/xdebug.ini

nginx -v

nginx version: nginx/1.27.0

curl --version

curl 8.6.0 (x86_64-apple-darwin23.0) libcurl/8.6.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.61.0
Release-Date: 2024-01-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL threadsafe UnixSockets

php --ri curl

curl

cURL support => enabled
cURL Information => 8.8.0
Age => 11
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => No
SPNEGO => Yes
SSL => Yes
SSPI => No
TLS-SRP => Yes
HTTP2 => Yes
GSSAPI => Yes
KERBEROS5 => Yes
UNIX_SOCKETS => Yes
PSL => No
HTTPS_PROXY => Yes
MULTI_SSL => Yes
BROTLI => Yes
ALTSVC => Yes
HTTP3 => No
UNICODE => No
ZSTD => Yes
HSTS => Yes
GSASL => No
Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtmpe, rtmps, rtmpt, rtmpte, rtmpts, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host => aarch64-apple-darwin23.4.0
SSL Version => (SecureTransport) OpenSSL/3.3.1
ZLib Version => 1.2.12
libSSH Version => libssh2/1.11.0

Directive => Local Value => Master Value
curl.cainfo => no value => no value

/opt/homebrew/bin/ngrok version

sudo: /opt/homebrew/bin/ngrok: command not found

ls -al ~/.ngrok2

ls: /Users/rabol/.ngrok2: No such file or directory

brew info nginx

==> nginx: stable 1.27.0 (bottled), HEAD
HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server
https://nginx.org/
Installed
/opt/homebrew/Cellar/nginx/1.27.0 (27 files, 2.5MB) *
  Poured from bottle using the formulae.brew.sh API on 2024-06-01 at 07:43:10
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/n/nginx.rb
License: BSD-2-Clause
==> Dependencies
Required: openssl@3, pcre2
==> Options
--HEAD
    Install HEAD version
==> Caveats
Docroot is: /opt/homebrew/var/www

The default port has been set in /opt/homebrew/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /opt/homebrew/etc/nginx/servers/.

To restart nginx after an upgrade:
  brew services restart nginx
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/nginx/bin/nginx -g daemon\ off\;
==> Analytics
install: 17,094 (30 days), 45,275 (90 days), 167,484 (365 days)
install-on-request: 17,011 (30 days), 45,095 (90 days), 167,006 (365 days)
build-error: 4 (30 days)

brew info php

==> php: stable 8.3.8 (bottled), HEAD
General-purpose scripting language
https://www.php.net/
Installed
/opt/homebrew/Cellar/php/8.3.8 (524 files, 88.8MB) *
  Poured from bottle using the formulae.brew.sh API on 2024-06-16 at 11:39:52
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/p/php.rb
License: PHP-3.01
==> Dependencies
Build: httpd, pkg-config
Required: apr, apr-util, argon2, aspell, autoconf, curl, freetds, gd, gettext, gmp, icu4c, krb5, libpq, libsodium, libzip, oniguruma, openldap, openssl@3, pcre2, sqlite, tidy-html5, unixodbc
==> Options
--HEAD
    Install HEAD version
==> Caveats
To enable PHP in Apache add the following to httpd.conf and restart Apache:
    LoadModule php_module /opt/homebrew/opt/php/lib/httpd/modules/libphp.so

    
        SetHandler application/x-httpd-php
    

Finally, check DirectoryIndex includes index.php
    DirectoryIndex index.php index.html

The php.ini and php-fpm.ini file can be found in:
    /opt/homebrew/etc/php/8.3/

To restart php after an upgrade:
  brew services restart php
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/php/sbin/php-fpm --nodaemonize
==> Analytics
install: 51,671 (30 days), 157,282 (90 days), 684,816 (365 days)
install-on-request: 47,690 (30 days), 146,377 (90 days), 639,316 (365 days)
build-error: 38 (30 days)

brew info openssl

==> openssl@3: stable 3.3.1 (bottled)
Cryptography and SSL/TLS Toolkit
https://openssl.org/
Installed
/opt/homebrew/Cellar/openssl@3/3.3.1 (6,982 files, 32.5MB) *
  Poured from bottle using the formulae.brew.sh API on 2024-06-16 at 11:39:22
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/o/openssl@3.rb
License: Apache-2.0
==> Dependencies
Required: ca-certificates
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /opt/homebrew/etc/openssl@3/certs

and run
  /opt/homebrew/opt/openssl@3/bin/c_rehash
==> Analytics
install: 500,829 (30 days), 1,239,466 (90 days), 4,870,189 (365 days)
install-on-request: 66,032 (30 days), 161,099 (90 days), 623,296 (365 days)
build-error: 3,014 (30 days)

openssl version -a

OpenSSL 3.3.1 4 Jun 2024 (Library: OpenSSL 3.3.1 4 Jun 2024)
built on: Tue Jun  4 12:53:04 2024 UTC
platform: darwin64-arm64-cc
options:  bn(64,64)
compiler: clang -fPIC -arch arm64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
ENGINESDIR: "/opt/homebrew/Cellar/openssl@3/3.3.1/lib/engines-3"
MODULESDIR: "/opt/homebrew/Cellar/openssl@3/3.3.1/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x987d

openssl ciphers

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

sudo nginx -t

nginx: the configuration file /opt/homebrew/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /opt/homebrew/etc/nginx/nginx.conf test is successful

which -a php-fpm

/opt/homebrew/sbin/php-fpm

/opt/homebrew/opt/php/sbin/php-fpm -v

PHP 8.3.8 (fpm-fcgi) (built: Jun  4 2024 14:53:17)
Copyright (c) The PHP Group
Zend Engine v4.3.8, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.8, Copyright (c), by Zend Technologies
    with Xdebug v3.3.1, Copyright (c) 2002-2023, by Derick Rethans

sudo /opt/homebrew/opt/php/sbin/php-fpm -y /opt/homebrew/etc/php/8.3/php-fpm.conf --test

[20-Jun-2024 11:10:58] NOTICE: configuration file /opt/homebrew/etc/php/8.3/php-fpm.conf test is successful

ls -al ~/Library/LaunchAgents | grep homebrew

-rw-r--r--    1 rabol  staff   797 Jun 16 09:57 homebrew.mxcl.dnsmasq.plist
-rw-r--r--    1 rabol  staff   770 Jun 16 09:57 homebrew.mxcl.mailpit.plist
-rw-r--r--    1 rabol  staff   685 Jun 16 09:57 homebrew.mxcl.nginx.plist
-rw-r--r--    1 rabol  staff   781 Jun 16 09:57 homebrew.mxcl.php.plist
-rw-r--r--    1 rabol  staff   880 Jun 16 09:57 homebrew.mxcl.redis.plist
-rw-r--r--    1 rabol  staff   724 Jun 19 13:55 homebrew.mxcl.supervisor.plist

ls -al /Library/LaunchAgents | grep homebrew

ls -al /Library/LaunchDaemons | grep homebrew

-rw-r--r--   1 root  admin   797 Jun 20 11:00 homebrew.mxcl.dnsmasq.plist
-rw-r--r--   1 root  admin   685 Jun 20 11:00 homebrew.mxcl.nginx.plist
-rw-r--r--   1 root  admin   781 Jun 20 11:00 homebrew.mxcl.php.plist

ls -al /Library/LaunchDaemons | grep "com.laravel.valet."

ls -aln /etc/resolv.conf

lrwxr-xr-x  1 0  0  22 May  7 09:01 /etc/resolv.conf -> ../var/run/resolv.conf

cat /etc/resolv.conf

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search home
nameserver 192.168.1.1

ifconfig lo0

lo0: flags=8049 mtu 16384
    options=1203
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    nd6 options=201

sh -c 'echo "------\n/opt/homebrew/etc/nginx/valet/valet.conf\n---\n"; cat /opt/homebrew/etc/nginx/valet/valet.conf | grep -n "# valet loopback"; echo "\n------\n"'

------
/opt/homebrew/etc/nginx/valet/valet.conf
---

3:    #listen VALET_LOOPBACK:80; # valet loopback

------

sh -c 'for file in ~/.config/valet/dnsmasq.d/*; do echo "------\n~/.config/valet/dnsmasq.d/$(basename $file)\n---\n"; cat $file; echo "\n------\n"; done'

------
~/.config/valet/dnsmasq.d/tld-test.conf
---

address=/.test/127.0.0.1
listen-address=127.0.0.1

------

sh -c 'for file in ~/.config/valet/nginx/*; do echo "------\n~/.config/valet/nginx/$(basename $file)\n---\n"; cat $file | grep -n "# valet loopback"; echo "\n------\n"; done'

------
~/.config/valet/nginx/compudesign.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/gottherecipe.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/invoice.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/isemailspam.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/lw.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/myteslastat.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/packdev.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/roach.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/setasign.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/sign.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/test.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/wifdt.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen VALET_LOOPBACK:443 ssl; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

[driesvints]

Not super sure but @adrum could this be related to your PR? https://github.com/laravel/valet/pull/1463

[adrum]

Not super sure but @adrum could this be related to your PR? #1463

I'll try to reproduce this.

@rabol What browser are you seeing this error in? Can you confirm if the Laravel CA is trusted in Keychain? It should happen whenever you call valet secure.

[rabol]

It happens in Safari and Chrome As far as I can see the CA is trusted, but I still get the error :(

[adrum]

@rabol Can you run the following commands and let me know the output?

1. security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem

2. security verify-cert -c ~/.config/valet/Certificates/app.test.crt

3. openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/app.test.crt

4. cat ~/.config/valet/Nginx/app.test

5. curl --insecure -vvI https://app.test 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Be sure to replace app.test.crt in 2 & 3, and app.test in 4 & 5 with the domain you are experiencing the issue with. Feel free to redact any info in step 4.

[balu-lt]

Hey! I’m running into issue as well.

Error: NET::ERR_CERT_DATE_INVALID

Running commands:

1. Cert Verify Result: CSSMERR_TP_CERT_EXPIRED
2. Cert Verify Result: CSSMERR_TP_CERT_EXPIRED

3. O=Laravel Valet CA Self Signed Organization, CN=Laravel Valet CA Self Signed CN, OU=Developers, emailAddress=rootcertificate@laravel.valet
   error 10 at 1 depth lookup: certificate has expired
   error /Users/balu/.config/valet/Certificates/app.test.crt: verification failed

4. 
   server {
   listen 127.0.0.1:80;
   #listen 127.0.0.1:80; # valet loopback
   server_name app.test www.app.test *.app.test;
   return 301 https://$host$request_uri;
   }

server { listen 127.0.0.1:443 ssl;

listen VALET_LOOPBACK:443 ssl; # valet loopback

server_name app.test www.app.test *.app.test;
root /;
charset utf-8;
client_max_body_size 512M;
http2  on;

location /41c270e4-5535-4daa-b23e-c269744c2f45/ {
    internal;
    alias /;
    try_files $uri $uri/;
}

ssl_certificate "/Users/balu/.config/valet/Certificates/app.test.crt";
ssl_certificate_key "/Users/balu/.config/valet/Certificates/app.test.key";

location / {
    rewrite ^ "/Users/balu/.composer/vendor/laravel/valet/server.php" last;
}

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }

access_log off;
error_log "/Users/balu/.config/valet/Log/nginx-error.log";

error_page 404 "/Users/balu/.composer/vendor/laravel/valet/server.php";

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass "unix:/Users/balu/.config/valet/valet.sock";
    fastcgi_index "/Users/balu/.composer/vendor/laravel/valet/server.php";
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME "/Users/balu/.composer/vendor/laravel/valet/server.php";
    fastcgi_param PATH_INFO $fastcgi_path_info;
}

location ~ /\.ht {
    deny all;
}

}

server { listen 127.0.0.1:60;

listen 127.0.0.1:60; # valet loopback

server_name app.test www.app.test *.app.test;
root /;
charset utf-8;
client_max_body_size 128M;

add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive';

location /41c270e4-5535-4daa-b23e-c269744c2f45/ {
    internal;
    alias /;
    try_files $uri $uri/;
}

location / {
    rewrite ^ "/Users/balu/.composer/vendor/laravel/valet/server.php" last;
}

location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt  { access_log off; log_not_found off; }

access_log off;
error_log "/Users/balu/.config/valet/Log/nginx-error.log";

error_page 404 "/Users/balu/.composer/vendor/laravel/valet/server.php";

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass "unix:/Users/balu/.config/valet/valet.sock";
    fastcgi_index "/Users/balu/.composer/vendor/laravel/valet/server.php";
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME "/Users/balu/.composer/vendor/laravel/valet/server.php";
    fastcgi_param PATH_INFO $fastcgi_path_info;
}

location ~ /\.ht {
    deny all;
}

}

5.

• SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
• ALPN: server accepted h2
• Server certificate:
• subject: CN=app.test; emailAddress=app.test@laravel.valet
• start date: Jun 24 13:45:30 2024 GMT
• expire date: Jun 27 13:45:30 2025 GMT
• issuer: O=Laravel Valet CA Self Signed Organization; CN=Laravel Valet CA Self Signed CN; OU=Developers; emailAddress=rootcertificate@laravel.valet
• SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
• using HTTP/2
• [HTTP/2] [1] OPENED stream for https://app.test/
• [HTTP/2] [1] [:method: HEAD]
• [HTTP/2] [1] [:scheme: https]
• [HTTP/2] [1] [:authority: app.test]
• [HTTP/2] [1] [:path: /]
• [HTTP/2] [1] [user-agent: curl/8.4.0]
• [HTTP/2] [1] [accept: /]
• Connection #0 to host app.test left intact

[driesvints]

Fix will be included in tomorrow's release. Thanks everyone!

[rabol]

Sorry, the new version did not solve the issue for me Note: I have used the

valet trust

Command so I do not get prompted for passwords. I tried to turn it off, then I get prompted for passwrd, but the result is the same.

here is the output of the 5 command that @adrum asked for

➜  ~ security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem
...certificate verification successful.
➜  ~ security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem
...certificate verification successful.
➜  ~ security verify-cert -c ~/.config/valet/Certificates/sign.test.crt
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
➜  ~ openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/app.test.crt
Could not open file or uri for loading certificate file from /Users/rabol/.config/valet/Certificates/app.test.crt: No such file or directory
➜  ~ openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/sign.test.crt
/Users/rabol/.config/valet/Certificates/sign.test.crt: OK
➜  ~ cat ~/.config/valet/Nginx/sign.test
server {
    listen 127.0.0.1:80;
    #listen 127.0.0.1:80; # valet loopback
    server_name sign.test www.sign.test *.sign.test;
    return 301 https://$host$request_uri;
}

server {
    listen 127.0.0.1:443 ssl;
    #listen VALET_LOOPBACK:443 ssl; # valet loopback
    server_name sign.test www.sign.test *.sign.test;
    root /;
    charset utf-8;
    client_max_body_size 512M;
    http2  on;

    location /41c270e4-5535-4daa-b23e-c269744c2f45/ {
        internal;
        alias /;
        try_files $uri $uri/;
    }

    ssl_certificate "/Users/rabol/.config/valet/Certificates/sign.test.crt";
    ssl_certificate_key "/Users/rabol/.config/valet/Certificates/sign.test.key";

    location / {
        rewrite ^ "/Users/rabol/.composer/vendor/laravel/valet/server.php" last;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log "/Users/rabol/.config/valet/Log/nginx-error.log";

    error_page 404 "/Users/rabol/.composer/vendor/laravel/valet/server.php";

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass "unix:/Users/rabol/.config/valet/valet.sock";
        fastcgi_index "/Users/rabol/.composer/vendor/laravel/valet/server.php";
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME "/Users/rabol/.composer/vendor/laravel/valet/server.php";
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    listen 127.0.0.1:60;
    #listen 127.0.0.1:60; # valet loopback
    server_name sign.test www.sign.test *.sign.test;
    root /;
    charset utf-8;
    client_max_body_size 128M;

    add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive';

    location /41c270e4-5535-4daa-b23e-c269744c2f45/ {
        internal;
        alias /;
        try_files $uri $uri/;
    }

    location / {
        rewrite ^ "/Users/rabol/.composer/vendor/laravel/valet/server.php" last;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log "/Users/rabol/.config/valet/Log/nginx-error.log";

    error_page 404 "/Users/rabol/.composer/vendor/laravel/valet/server.php";

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass "unix:/Users/rabol/.config/valet/valet.sock";
        fastcgi_index "/Users/rabol/.composer/vendor/laravel/valet/server.php";
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME "/Users/rabol/.composer/vendor/laravel/valet/server.php";
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}

➜  ~ 
➜  ~ 
➜  ~ curl --insecure -vvI https://sign.test 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=sign.test; emailAddress=sign.test@laravel.valet
*  start date: Jun 26 06:35:50 2024 GMT
*  expire date: Jun 29 06:35:50 2025 GMT
*  issuer: O=Laravel Valet CA Self Signed Organization; CN=Laravel Valet CA Self Signed CN; OU=Developers; emailAddress=rootcertificate@laravel.valet
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://sign.test/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: sign.test]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
* Connection #0 to host sign.test left intact

[driesvints]

@adrum ^

[adrum]

Hey! I’m running into issue as well.

Error: NET::ERR_CERT_DATE_INVALID

Running commands:

1. Cert Verify Result: CSSMERR_TP_CERT_EXPIRED
2. Cert Verify Result: CSSMERR_TP_CERT_EXPIRED

O=Laravel Valet CA Self Signed Organization, CN=Laravel Valet CA Self Signed CN, OU=Developers, emailAddress=rootcertificate@laravel.valet
error 10 at 1 depth lookup: certificate has expired
error /Users/balu/.config/valet/Certificates/app.test.crt: verification failed

server {
    listen 127.0.0.1:80;
    #listen 127.0.0.1:80; # valet loopback
    server_name app.test www.app.test *.app.test;
    return 301 https://$host$request_uri;
}

server {
    listen 127.0.0.1:443 ssl;
    #listen VALET_LOOPBACK:443 ssl; # valet loopback
    server_name app.test www.app.test *.app.test;
    root /;
    charset utf-8;
    client_max_body_size 512M;
    http2  on;

    location /41c270e4-5535-4daa-b23e-c269744c2f45/ {
        internal;
        alias /;
        try_files $uri $uri/;
    }

    ssl_certificate "/Users/balu/.config/valet/Certificates/app.test.crt";
    ssl_certificate_key "/Users/balu/.config/valet/Certificates/app.test.key";

    location / {
        rewrite ^ "/Users/balu/.composer/vendor/laravel/valet/server.php" last;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log "/Users/balu/.config/valet/Log/nginx-error.log";

    error_page 404 "/Users/balu/.composer/vendor/laravel/valet/server.php";

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass "unix:/Users/balu/.config/valet/valet.sock";
        fastcgi_index "/Users/balu/.composer/vendor/laravel/valet/server.php";
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME "/Users/balu/.composer/vendor/laravel/valet/server.php";
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    listen 127.0.0.1:60;
    #listen 127.0.0.1:60; # valet loopback
    server_name app.test www.app.test *.app.test;
    root /;
    charset utf-8;
    client_max_body_size 128M;

    add_header X-Robots-Tag 'noindex, nofollow, nosnippet, noarchive';

    location /41c270e4-5535-4daa-b23e-c269744c2f45/ {
        internal;
        alias /;
        try_files $uri $uri/;
    }

    location / {
        rewrite ^ "/Users/balu/.composer/vendor/laravel/valet/server.php" last;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log "/Users/balu/.config/valet/Log/nginx-error.log";

    error_page 404 "/Users/balu/.composer/vendor/laravel/valet/server.php";

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass "unix:/Users/balu/.config/valet/valet.sock";
        fastcgi_index "/Users/balu/.composer/vendor/laravel/valet/server.php";
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME "/Users/balu/.composer/vendor/laravel/valet/server.php";
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }
}

* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=app.test; emailAddress=app.test@laravel.valet
*  start date: Jun 24 13:45:30 2024 GMT
*  expire date: Jun 27 13:45:30 2025 GMT
*  issuer: O=Laravel Valet CA Self Signed Organization; CN=Laravel Valet CA Self Signed CN; OU=Developers; emailAddress=rootcertificate@laravel.valet
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://app.test/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: app.test]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
* Connection #0 to host app.test left intact

Hey @balu-lt -- Your issue is a separate issue, which means your cert expired. You should be able run valet renew to get back into a working state. Additionally, you can run valet secured to see a list of all secured sites and their expiration dates. If prompted for typing in your password for the Keychain Access prompt, be sure to approve it so it can trust the CA. This is only required once after upgrading to Valet 4.7.0 or later. Before 4.7.0, you would have needed to type in your password for every new cert.

Note: I also found out the hard way Valet certs expire and wanted to add visibility to this via https://github.com/laravel/valet/pull/1461, which introduces the valet secured command.

[adrum]

Hey @rabol After upgrading to Valet 4.7.1, did you try running valet renew, valet secure, or valet install? This is required, as it will add the CA to your macOS Keychain Access store if needed.

The valet trust command does not impact removing the password requirement when interacting with the keychain. That's only there for sudo related tasks like restarting services on privileged ports like NGINX and dnsmasq. You should see the GUI prompt as shown in my previous message.

Just for good measure, can you run the following commands?

1. valet -V
2. valet unsecure
3. valet secure
4. security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem
5. openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/app.test.crt
6. curl --insecure -vvI https://app.test 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Additionally, you should see this in the Keychain Access app.

---

Please post the output after running these commands.

You should see something like the following:

austin@austins-Virtual-Machine ~ % valet -V                             
Password:
Laravel Valet 4.7.1
austin@austins-Virtual-Machine app % valet unsecure
Restarting nginx...
The [app.test] site will now serve traffic over HTTP.
austin@austins-Virtual-Machine app % valet secure
Restarting nginx...
The [app.test] site has been secured with a fresh TLS certificate.
austin@austins-Virtual-Machine app % security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem
...certificate verification successful.
austin@austins-Virtual-Machine app % security verify-cert -c ~/.config/valet/Certificates/app.test.crt
...certificate verification successful.
austin@austins-Virtual-Machine app % openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/app.test.crt
/Users/austin/.config/valet/Certificates/app.test.crt: OK
austin@austins-Virtual-Machine app % curl --insecure -vvI https://app.test 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=app.test; emailAddress=app.test@laravel.valet
*  start date: Jun 27 23:17:09 2024 GMT
*  expire date: Jun 30 23:17:09 2025 GMT
*  issuer: O=Laravel Valet CA Self Signed Organization; CN=Laravel Valet CA Self Signed CN; OU=Developers; emailAddress=rootcertificate@laravel.valet
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://app.test/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: app.test]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
* Connection #0 to host app.test left intact

If it still isn't working, I suggest rebooting your machine to ensure a rouge NGINX process isn't around with old certs being served.

[rabol]

@adrum I think I have done all combinations of secure/unsecure, renew :)

and I would like to point out - one more time - that I am not prompted for password, after running the valet trust command.

Right now i have done:

valet unsecure --all
valet uninstall

reboot machine

then:

valet install
go to my app folder
valet secure

same error

reboot machine same error

if I open the site in firefox I get another error

Error code: SEC_ERROR_BAD_SIGNATURE

output of commands:

app valet -V
Laravel Valet 4.7.1

app valet unsecure

Restarting nginx...
The [app.test] site will now serve traffic over HTTP.

alet secure
Restarting nginx...
The [app.test] site has been secured with a fresh TLS certificate.

security verify-cert -c ~/.config/valet/CA/LaravelValetCASelfSigned.pem
...certificate verification successful.

app openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/app.test.crt
/Users/rabol/.config/valet/Certificates/app.test.crt: OK

app openssl verify -CAfile ~/.config/valet/CA/LaravelValetCASelfSigned.pem ~/.config/valet/Certificates/app.test.crt
/Users/rabol/.config/valet/Certificates/app.test.crt: OK
➜  app curl --insecure -vvI https://app.test 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=app.test; emailAddress=app.test@laravel.valet
*  start date: Jun 28 03:57:35 2024 GMT
*  expire date: Jul  1 03:57:35 2025 GMT
*  issuer: O=Laravel Valet CA Self Signed Organization; CN=Laravel Valet CA Self Signed CN; OU=Developers; emailAddress=rootcertificate@laravel.valet
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://app.test/
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: app.test]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
* Connection #0 to host app.test left intact

What I have noticed that in your screenshot of the keychain, the certificate is in the 'login' section, mine is in the system section

I have not tried to do valet uninstall and the remove the certificate files and remove the certificate from keychain

[adrum]

Hey @rabol, Thank you for sending that back. My certificate is actually in the System, too. It's indicated in the last column in the table. It appears searching the Login keychain will also pull in matching System items.

Can you try this next?

1. Quit your browsers.
2. sudo security delete-certificate -c "Laravel Valet CA Self Signed CN" /Library/Keychains/System.keychain -- This will remove the cert from your System Keychain.
3. sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.config/valet/CA/LaravelValetCASelfSigned.pem -- This will add it back
4. valet unsecure
5. valet secure
6. Test the site

You should be prompted in the GUI on step 3.

[rabol]

Eureka!!

Now it works - thanks a lot.

[driesvints]

Glad this was solved, thanks all 👍