Local SSL Cert overrides real TLD Certs #1144

iandbanks · 2021-09-29T15:21:33Z

iandbanks
Sep 29, 2021

Clear description of your problem

When changing to another TLD such as .io and securing it the certificate overrides any real website's TLD (e.g. codepen.io pulls my valet certificate).

Expected behavior

The certificate generated should only affect the local website(s) I setup rather than EVERY site with that TLD.

Current behavior

Any website visited at a non-local TLD (.com, .net, .dev, .io, .app, .etc) uses the Laravel Valet certificate instead of the actual website's certificate.

Steps to Reproduce

valet link // link some site
valet secure // secure some site
valet tld io // change the tld to .io
Visit any .io site eg: https://codepen.io/

Output of these steps

 A [apps.site] symbolic link has been created in [/Users/ianbanks/.config/valet/Sites/apps.site].

 Restarting nginx...
 The [apps.site.local] site has been secured with a fresh TLS certificate.

 Updating Dnsmasq configuration...
 Restarting dnsmasq...
 Valet is configured to serve for TLD [.io]
 Restarting php...
 Restarting nginx...
 Your Valet TLD has been updated to [io].

Possible solution

At this point I've just reverted back to using the .local TLD

Diagnosis

sw_vers

ProductName:	macOS
ProductVersion:	11.5.2
BuildVersion:	20G95

valet --version

Laravel Valet 2.16.0

cat ~/.config/valet/config.json

{
    "tld": "io",
    "paths": [
        "/Users/ianbanks/.config/valet/Sites"
    ],
    "loopback": "127.0.0.1"
}

cat ~/.composer/composer.json

{
    "require": {
        "laravel/valet": "^2.11",
        "laravel/installer": "^4.2"
    }
}

composer global diagnose

Changed current directory to /Users/ianbanks/.composer
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.1.8
PHP version: 7.4.11
PHP binary path: /usr/local/Cellar/php/7.4.11/bin/php
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
cURL version: 7.75.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1j
zip: extension present, unzip present, 7-Zip not available

composer global outdated

Changed current directory to /Users/ianbanks/.composer
Legend:
! patch or minor release available - update recommended
~ major release available - update possible
psr/container 1.1.1 ~ 2.0.1 Common Container Interface (PHP FIG PSR-11)

ls -al /etc/sudoers.d/

total 16
drwxr-xr-x   4 root  wheel   128 Aug 19 09:32 .
drwxr-xr-x  87 root  wheel  2784 Sep 13 13:24 ..
-rw-r--r--   1 root  wheel    80 Apr  7 17:34 brew
-rw-r--r--   1 root  wheel    83 Apr  7 17:34 valet

brew config

HOMEBREW_VERSION: 3.2.14
ORIGIN: https://github.com/Homebrew/brew
HEAD: 4e6919b73444e9f9e02ad81d8afc4bbd97533567
Last commit: 2 hours ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 85aa2182a6e9c6b3612a554b868d170df9dc9296
Core tap last commit: 2 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 16
Homebrew Ruby: 2.6.3 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 16-core 64-bit kabylake
Clang: 12.0.5 build 1205
Git: 2.30.1 => /Library/Developer/CommandLineTools/usr/bin/git
Curl: 7.64.1 => /usr/bin/curl
macOS: 11.5.2-x86_64
CLT: 12.5.1.0.1.1623191612
Xcode: 13.0

brew services list

19968
Name      Status  User     Plist
dnsmasq   stopped          
httpd     stopped          
mailhog   started ianbanks /Users/ianbanks/Library/LaunchAgents/homebrew.mxcl.mailhog.plist
mysql     started ianbanks /Users/ianbanks/Library/LaunchAgents/homebrew.mxcl.mysql.plist
[email protected] stopped          
nginx     stopped          
php       error   ianbanks /usr/local/opt/php/homebrew.mxcl.php.plist
[email protected]   stopped          
[email protected]   stopped          
[email protected]   stopped

dnsmasq 2.82
mailhog 1.0.1
mysql 8.0.21_1
[email protected] 5.7.31
nginx 1.19.3
[email protected] 1.1.1h 1.1.1j
php 7.4.11
[email protected] 7.2.34_1 7.2.33
[email protected] 7.3.23
[email protected] 7.4.15

brew outdated

autoconf
c-ares
composer
curl
dnsmasq
freetds
freetype
gd
gdbm
glib
gmp
httpd
icu4c
jansson
krb5
libffi
libidn
libidn2
libpq
libssh2
libtiff
libtool
libzip
lz4
mysql
[email protected]
nghttp2
nginx
node
oniguruma
openldap
[email protected]
pcre
pcre2
perl
php
[email protected]
[email protected]
[email protected]
phpmyadmin
protobuf
[email protected]
[email protected]
sqlite
svn
tidy-html5
unixodbc
utf8proc
webp
wget
yarn
zstd

brew tap

homebrew/cask
homebrew/core
homebrew/services
nicoverbruggen/cask

php -v

PHP 7.4.11 (cli) (built: Oct  1 2020 23:30:54) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.15, Copyright (c), by Zend Technologies
    with Xdebug v2.9.8, Copyright (c) 2002-2020, by Derick Rethans

which -a php

/usr/local/bin/php
/usr/bin/php
/usr/local/bin/php

php --ini

Configuration File (php.ini) Path: /usr/local/etc/php/7.4
Loaded Configuration File:         /usr/local/etc/php/7.4/php.ini
Scan for additional .ini files in: /usr/local/etc/php/7.4/conf.d
Additional .ini files parsed:      /usr/local/etc/php/7.4/conf.d/ext-opcache.ini,
/usr/local/etc/php/7.4/conf.d/ext-xdebug.ini,
/usr/local/etc/php/7.4/conf.d/php-memory-limits.ini

nginx -v

nginx version: nginx/1.19.3

curl --version

curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets

php --ri curl

curl
cURL support => enabled

cURL Information => 7.75.0

Age => 8

Features

AsynchDNS => Yes

CharConv => No

Debug => No

GSS-Negotiate => No

IDN => Yes

IPv6 => Yes

krb4 => No

Largefile => Yes

libz => Yes

NTLM => Yes

NTLMWB => Yes

SPNEGO => Yes

SSL => Yes

SSPI => No

TLS-SRP => Yes

HTTP2 => Yes

GSSAPI => Yes

KERBEROS5 => Yes

UNIX_SOCKETS => Yes

PSL => No

HTTPS_PROXY => Yes

MULTI_SSL => Yes

BROTLI => Yes

Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp

Host => x86_64-apple-darwin20.2.0

SSL Version => (SecureTransport) OpenSSL/1.1.1j

ZLib Version => 1.2.11

libSSH Version => libssh2/1.9.0
Directive => Local Value => Master Value

curl.cainfo => no value => no value

~/.composer/vendor/laravel/valet/bin/ngrok version

ngrok version 2.3.40

ls -al ~/.ngrok2

ls: /Users/ianbanks/.ngrok2: No such file or directory

brew info nginx

nginx: stable 1.21.3 (bottled), HEAD HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server https://nginx.org/ /usr/local/Cellar/nginx/1.19.3 (25 files, 2.2MB) * Poured from bottle on 2020-10-05 at 12:00:08 From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/nginx.rb License: BSD-2-Clause ==> Dependencies Required: [email protected], pcre ==> Options --HEAD Install HEAD version ==> Caveats Docroot is: /usr/local/var/www

The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /usr/local/etc/nginx/servers/.

To start nginx:
brew services start nginx
Or, if you don't want/need a background service you can just run:
/usr/local/opt/nginx/bin/nginx -g 'daemon off;'

brew info php

php: stable 8.0.11 (bottled), HEAD General-purpose scripting language https://www.php.net/ /usr/local/Cellar/php/7.4.11 (497 files, 72.3MB) * Poured from bottle on 2020-10-12 at 13:11:02 From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/php.rb License: PHP-3.01 ==> Dependencies Build: httpd, pkg-config Required: apr, apr-util, argon2, aspell, autoconf, curl, freetds, gd, gettext, glib, gmp, icu4c, krb5, libffi, libpq, libsodium, libzip, oniguruma, openldap, [email protected], pcre2, sqlite, tidy-html5, unixodbc ==> Options --HEAD Install HEAD version ==> Caveats To enable PHP in Apache add the following to httpd.conf and restart Apache: LoadModule php_module /usr/local/opt/php/lib/httpd/modules/libphp.so

<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>

Finally, check DirectoryIndex includes index.php
DirectoryIndex index.php index.html

The php.ini and php-fpm.ini file can be found in:
/usr/local/etc/php/8.0/

To restart php after an upgrade:
brew services restart php
Or, if you don't want/need a background service you can just run:
/usr/local/opt/php/sbin/php-fpm --nodaemonize

brew info openssl

openssl@3: stable 3.0.0 (bottled) [keg-only] Cryptography and SSL/TLS Toolkit https://openssl.org/ Not installed From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/[email protected] License: Apache-2.0 ==> Caveats A CA file has been bootstrapped using certificates from the system keychain. To add additional certificates, place .pem files in /usr/local/etc/openssl@3/certs

and run
/usr/local/opt/openssl@3/bin/c_rehash

openssl@3 is keg-only, which means it was not symlinked into /usr/local,
because macOS provides LibreSSL.

openssl version -a

LibreSSL 2.8.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:GOST2012256-GOST89-GOST89:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA

sudo nginx -t

nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

which -a php-fpm

/usr/sbin/php-fpm

/usr/local/opt/php/sbin/php-fpm -v

PHP 7.4.11 (fpm-fcgi) (built: Oct  1 2020 23:31:04)
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.15, Copyright (c), by Zend Technologies
    with Xdebug v2.9.8, Copyright (c) 2002-2020, by Derick Rethans

sudo /usr/local/opt/php/sbin/php-fpm -y /usr/local/etc/php/7.4/php-fpm.conf --test

[29-Sep-2021 10:11:37] NOTICE: configuration file /usr/local/etc/php/7.4/php-fpm.conf test is successful

ls -al ~/Library/LaunchAgents | grep homebrew

-rw-r--r--   1 ianbanks  staff   581 Jun 14 15:15 homebrew.mxcl.mailhog.plist
-rw-r--r--   1 ianbanks  staff   543 Oct 12  2020 homebrew.mxcl.mysql.plist
-rw-r--r--   1 ianbanks  staff   628 Feb  4  2021 homebrew.mxcl.php.plist

ls -al /Library/LaunchAgents | grep homebrew

ls -al /Library/LaunchDaemons | grep homebrew

-rw-r--r--   1 root  admin   657 Sep 29 10:00 homebrew.mxcl.dnsmasq.plist
-rw-r--r--   1 root  admin   571 Sep 29 10:01 homebrew.mxcl.nginx.plist
-rw-r--r--   1 root  admin   628 Sep 29 10:00 homebrew.mxcl.php.plist

ls -al /Library/LaunchDaemons | grep "com.laravel.valet."

ls -aln /etc/resolv.conf

lrwxr-xr-x  1 0  0  22 Jan  1  2020 /etc/resolv.conf -> ../var/run/resolv.conf

cat /etc/resolv.conf

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 192.168.1.1

ifconfig lo0

lo0: flags=8049 mtu 16384
	options=1203
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	nd6 options=201

sh -c 'echo "------\n/usr/local/etc/nginx/valet/valet.conf\n---\n"; cat /usr/local/etc/nginx/valet/valet.conf | grep -n "# valet loopback"; echo "\n------\n"'

------ /usr/local/etc/nginx/valet/valet.conf ---

------

sh -c 'for file in ~/.config/valet/dnsmasq.d/*; do echo "------\n~/.config/valet/dnsmasq.d/$(basename $file)\n---\n"; cat $file; echo "\n------\n"; done'

------
~/.config/valet/dnsmasq.d/tld-io.conf
---
address=/.io/127.0.0.1

listen-address=127.0.0.1
------

sh -c 'for file in ~/.config/valet/nginx/*; do echo "------\n~/.config/valet/nginx/$(basename $file)\n---\n"; cat $file | grep -n "# valet loopback"; echo "\n------\n"; done'

------ ~/.config/valet/nginx/apps.fiveq.io ---