
Valet Secure - lifetime too long since Chrome 58 - Max CA lifetime is 368 days #1153

@icyrizard

  • Valet Version: 2.16.2
  • PHP Version: php7.4

Description:

Valet secure creates certificates that are too long for Chrome v58; see the max allowed lifetime of these certificates here: https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/certificate_lifetimes.md

If the certificate is longer than 368 days you will get the following error for each request:

net::ERR_CERT_VALIDITY_TOO_LONG

Lifetime is hardcoded and set to 730 days in valet secure -> Site::secure. This should be configurable.

'openssl req -new -newkey rsa:2048 -days 730 -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s"',

!! Note that this is NOT a duplicate of #1103

Steps To Reproduce:

  1. Run valet
  2. Run valet park in your toplevel folder
  3. Run valet secure
  4. Run valet parked and confirm the following,

Make sure the SSL certificate column has an X as seen below:

+-------------------+-----+-------------------------------+---------------------------------------+
| Site              | SSL | URL                           | Path                                  |
+-------------------+-----+-------------------------------+---------------------------------------+
| config-service    |  X  | https://config-service.test   | /Users/richard/Work/config-service    |
+-------------------+-----+-------------------------------+---------------------------------------+

Diagnosis

<details>
<summary>sw_vers</summary>
<pre>ProductName:	Mac OS X
ProductVersion:	10.15.7
BuildVersion:	19H1419</pre>
</details>
<details>
<summary>valet --version</summary>
<pre>Laravel Valet 2.16.2</pre>
</details>
<details>
<summary>cat ~/.config/valet/config.json</summary>
<pre>{
    "tld": "test",
    "loopback": "127.0.0.1",
    "paths": [
        "/Users/richard/Work"
    ]
}</pre>
</details>
<details>
<summary>cat ~/.composer/composer.json</summary>
<pre>{
    "require": {
        "laravel/valet": "^2.16",
        "squizlabs/php_codesniffer": "*",
        "phpmd/phpmd": "*",
        "friendsofphp/php-cs-fixer": "2.19",
        "laravel/installer": "^4.0"
    },
    "config": {
	    "platform-check": false
    }
}</pre>
</details>
<details>
<summary>composer global diagnose</summary>
<pre>Changed current directory to /Users/richard/.composer
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
require.squizlabs/php_codesniffer : unbound version constraints (*) should be avoided
require.phpmd/phpmd : unbound version constraints (*) should be avoided
require.friendsofphp/php-cs-fixer : exact version constraints (2.19) should be avoided if the package follows semantic versioning
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: You are not running the latest stable version, run `composer self-update` to update (2.0.14 => 2.1.14)
Composer version: 2.0.14
PHP version: 7.4.26
PHP binary path: /usr/local/Cellar/php@7.4/7.4.26_1/bin/php
OpenSSL version: OpenSSL 1.1.1l  24 Aug 2021
cURL version: 7.80.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1l
zip: extension present, unzip present</pre>
</details>
<details>
<summary>composer global outdated</summary>
<pre>Changed current directory to /Users/richard/.composer
composer/xdebug-handler      2.0.2   ! 2.0.3   Restarts a process without Xdebug.
friendsofphp/php-cs-fixer    v2.19.0 ~ v3.4.0  A tool to automatically fix PHP code style
illuminate/container         v8.74.0 ! v8.75.0 The Illuminate Container package.
illuminate/contracts         v8.74.0 ! v8.75.0 The Illuminate Contracts package.
mnapoli/silly                1.7.2   ! 1.7.3   Silly CLI micro-framework based on Symfony Console
nategood/httpful             0.2.20  ~ 0.3.2   A Readable, Chainable, REST friendly, PHP HTTP Client
php-cs-fixer/diff            v1.3.1  ~ v2.0.2  sebastian/diff v2 backport support for PHP5.6
php-di/invoker               2.3.2   ! 2.3.3   Generic and extensible callable invoker
psr/container                1.1.2   ~ 2.0.2   Common Container Interface (PHP FIG PSR-11)
squizlabs/php_codesniffer    3.6.1   ! 3.6.2   PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations of a defined set of coding standards.
symfony/console              v5.4.0  ! v5.4.1  Eases the creation of beautiful and testable command line interfaces
symfony/dependency-injection v5.4.0  ! v5.4.1  Allows you to standardize and centralize the way objects are constructed in your application
symfony/var-dumper           v5.4.0  ! v5.4.1  Provides mechanisms for walking through any arbitrary PHP variable
tightenco/collect            v8.68.0 ! v8.75.0 Collect - Illuminate Collections as a separate package.</pre>
</details>
<details>
<summary>ls -al /etc/sudoers.d/</summary>
<pre>total 0
drwxr-xr-x   2 root  wheel    64 Jun  8  2020 .
drwxr-xr-x  86 root  wheel  2752 Dec 12 15:23 ..</pre>
</details>
<details>
<summary>brew config</summary>
<pre>HOMEBREW_VERSION: 3.3.7-47-g3f0b412
ORIGIN: https://github.com/Homebrew/brew
HEAD: 3f0b412951996a675b8a48037e9a978f0ccd8363
Last commit: 16 hours ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 9cec8a98224cf1cdfd1f21567306e83a86e096fb
Core tap last commit: 28 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_CORE_GIT_REMOTE: https://github.com/Homebrew/homebrew-core
HOMEBREW_EDITOR: vim
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 2.6.8 => /usr/local/Homebrew/Library/Homebrew/vendor/portable-ruby/2.6.8/bin/ruby
CPU: octa-core 64-bit kabylake
Clang: 12.0.0 build 1200
Git: 2.34.1 => /usr/local/bin/git
Curl: 7.64.1 => /usr/bin/curl
macOS: 10.15.7-x86_64
CLT: 12.0.0.32.29
Xcode: 12.4</pre>
</details>
<details>
<summary>brew services list</summary>
<pre>Name      Status  User    File
dnsmasq   none root    
httpd     none         
mailhog   started richard ~/Library/LaunchAgents/homebrew.mxcl.mailhog.plist
mysql@5.7 started richard ~/Library/LaunchAgents/homebrew.mxcl.mysql@5.7.plist
nginx     none root    
php@7.4   none root</pre>
</details>
<details>
<summary>brew list --formula --versions | grep -E "(php|nginx|dnsmasq|mariadb|mysql|mailhog|openssl)(@\d\..*)?\s"</summary>
<pre>dnsmasq 2.86 2.85
mailhog 1.0.1
mysql@5.7 5.7.36
nginx 1.21.3 1.21.0
openssl@1.1 1.1.1l_1
php@7.4 7.4.26_1</pre>
</details>
<details>
<summary>brew outdated</summary>
<pre>groonga
lua
minio/stable/mc
minio/stable/minio
ncurses
nginx
pyenv
python@3.10
ruby
ruby-build
shellcheck</pre>
</details>
<details>
<summary>brew tap</summary>
<pre>homebrew/cask
homebrew/core
homebrew/services
minio/stable
shivammathur/php
ubuntu/microk8s</pre>
</details>
<details>
<summary>php -v</summary>
<pre>PHP 7.4.26 (cli) (built: Nov 28 2021 17:07:05) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Xdebug v3.1.2, Copyright (c) 2002-2021, by Derick Rethans
    with Zend OPcache v7.4.26, Copyright (c), by Zend Technologies</pre>
</details>
<details>
<summary>which -a php</summary>
<pre>/usr/local/opt/php@7.4/bin/php
/usr/local/bin/php
/usr/local/bin/php
/usr/local/bin/php
/usr/bin/php</pre>
</details>
<details>
<summary>php --ini</summary>
<pre>Configuration File (php.ini) Path: /usr/local/etc/php/7.4
Loaded Configuration File:         /usr/local/etc/php/7.4/php.ini
Scan for additional .ini files in: /usr/local/etc/php/7.4/conf.d
Additional .ini files parsed:      /usr/local/etc/php/7.4/conf.d/error_log.ini,
/usr/local/etc/php/7.4/conf.d/ext-opcache.ini,
/usr/local/etc/php/7.4/conf.d/php-memory-limits.ini</pre>
</details>
<details>
<summary>nginx -v</summary>
<pre>nginx version: nginx/1.21.3</pre>
</details>
<details>
<summary>curl --version</summary>
<pre>curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets</pre>
</details>
<details>
<summary>php --ri curl</summary>
<pre>curl

cURL support => enabled
cURL Information => 7.80.0
Age => 9
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => Yes
SSL => Yes
SSPI => No
TLS-SRP => Yes
HTTP2 => Yes
GSSAPI => Yes
KERBEROS5 => Yes
UNIX_SOCKETS => Yes
PSL => No
HTTPS_PROXY => Yes
MULTI_SSL => Yes
BROTLI => Yes
Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host => x86_64-apple-darwin19.6.0
SSL Version => (SecureTransport) OpenSSL/1.1.1l
ZLib Version => 1.2.11
libSSH Version => libssh2/1.10.0

Directive => Local Value => Master Value
curl.cainfo => no value => no value</pre>
</details>
<details>
<summary>~/.composer/vendor/laravel/valet/bin/ngrok version</summary>
<pre>ngrok version 2.3.40</pre>
</details>
<details>
<summary>ls -al ~/.ngrok2</summary>
<pre>ls: /Users/richard/.ngrok2: No such file or directory</pre>
</details>
<details>
<summary>brew info nginx</summary>
<pre>nginx: stable 1.21.4 (bottled), HEAD
HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server
https://nginx.org/
/usr/local/Cellar/nginx/1.21.0 (22 files, 2.2MB)
  Built from source
/usr/local/Cellar/nginx/1.21.3 (26 files, 2.2MB) *
  Poured from bottle on 2021-11-01 at 11:10:28
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/nginx.rb
License: BSD-2-Clause
==> Dependencies
Required: openssl@1.1, pcre
==> Options
--HEAD
	Install HEAD version
==> Caveats
Docroot is: /usr/local/var/www

The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /usr/local/etc/nginx/servers/.

To restart nginx after an upgrade:
  brew services restart nginx
Or, if you don't want/need a background service you can just run:
  /usr/local/opt/nginx/bin/nginx -g daemon off;
==> Analytics
install: 37,778 (30 days), 124,547 (90 days), 506,334 (365 days)
install-on-request: 37,727 (30 days), 124,278 (90 days), 505,213 (365 days)
build-error: 53 (30 days)</pre>
</details>
<details>
<summary>brew info php</summary>
<pre>php: stable 8.1.0 (bottled), HEAD
General-purpose scripting language
https://www.php.net/
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/php.rb
License: PHP-3.01
==> Dependencies
Build: httpd, pkg-config
Required: apr, apr-util, argon2, aspell, autoconf, curl, freetds, gd, gettext, gmp, icu4c, krb5, libpq, libsodium, libzip, oniguruma, openldap, openssl@1.1, pcre2, sqlite, tidy-html5, unixodbc
==> Options
--HEAD
	Install HEAD version
==> Caveats
To enable PHP in Apache add the following to httpd.conf and restart Apache:
    LoadModule php_module /usr/local/opt/php/lib/httpd/modules/libphp.so

    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>

Finally, check DirectoryIndex includes index.php
    DirectoryIndex index.php index.html

The php.ini and php-fpm.ini file can be found in:
    /usr/local/etc/php/8.1/

To restart php after an upgrade:
  brew services restart php
Or, if you don't want/need a background service you can just run:
  /usr/local/opt/php/sbin/php-fpm --nodaemonize
==> Analytics
install: 116,800 (30 days), 256,935 (90 days), 706,777 (365 days)
install-on-request: 93,131 (30 days), 219,819 (90 days), 661,568 (365 days)
build-error: 98 (30 days)</pre>
</details>
<details>
<summary>brew info openssl</summary>
<pre>openssl@3: stable 3.0.0 (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/openssl@3.rb
License: Apache-2.0
==> Dependencies
Required: ca-certificates
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl@3/certs

and run
  /usr/local/opt/openssl@3/bin/c_rehash

openssl@3 is keg-only, which means it was not symlinked into /usr/local,
because macOS provides LibreSSL.

==> Analytics
install: 79,961 (30 days), 235,131 (90 days), 235,145 (365 days)
install-on-request: 66,769 (30 days), 193,100 (90 days), 193,114 (365 days)
build-error: 4,629 (30 days)</pre>
</details>
<details>
<summary>openssl version -a</summary>
<pre>LibreSSL 2.8.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"</pre>
</details>
<details>
<summary>openssl ciphers</summary>
<pre>ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:GOST2012256-GOST89-GOST89:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA</pre>
</details>
<details>
<summary>sudo nginx -t</summary>
<pre>nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful</pre>
</details>
<details>
<summary>which -a php-fpm</summary>
<pre>/usr/local/sbin/php-fpm
/usr/local/sbin/php-fpm
/usr/sbin/php-fpm</pre>
</details>
<details>
<summary>/usr/local/opt/php/sbin/php-fpm -v</summary>
<pre>sudo: /usr/local/opt/php/sbin/php-fpm: command not found</pre>
</details>
<details>
<summary>sudo /usr/local/opt/php/sbin/php-fpm -y /usr/local/etc/php/7.4/php-fpm.conf --test</summary>
<pre>sudo: /usr/local/opt/php/sbin/php-fpm: command not found</pre>
</details>
<details>
<summary>ls -al ~/Library/LaunchAgents | grep homebrew</summary>
<pre>-rw-r--r--   1 richard  staff   581 Jun  2  2021 homebrew.mxcl.mailhog.plist
-rw-r--r--   1 richard  staff   536 Dec  4 18:36 homebrew.mxcl.mysql@5.7.plist
-rw-r--r--   1 richard  staff   585 Dec  7 11:56 homebrew.mxcl.php@7.2.plist</pre>
</details>
<details>
<summary>ls -al /Library/LaunchAgents | grep homebrew</summary>
<pre></pre>
</details>
<details>
<summary>ls -al /Library/LaunchDaemons | grep homebrew</summary>
<pre>-rw-r--r--   1 root  admin   593 Dec 13 12:54 homebrew.mxcl.dnsmasq.plist
-rw-r--r--   1 root  admin   484 Dec 13 12:55 homebrew.mxcl.nginx.plist
-rw-r--r--   1 root  admin   585 Dec  3 10:45 homebrew.mxcl.php@7.2.plist
-rw-r--r--   1 root  admin   585 Dec 13 12:54 homebrew.mxcl.php@7.4.plist</pre>
</details>
<details>
<summary>ls -al /Library/LaunchDaemons | grep "com.laravel.valet."</summary>
<pre></pre>
</details>
<details>
<summary>ls -aln /etc/resolv.conf</summary>
<pre>lrwxr-xr-x  1 0  0  22 Jun  1  2021 /etc/resolv.conf -> ../var/run/resolv.conf</pre>
</details>
<details>
<summary>cat /etc/resolv.conf</summary>
<pre>#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 212.54.44.54
nameserver 212.54.40.25</pre>
</details>
<details>
<summary>ifconfig lo0</summary>
<pre>lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	nd6 options=201<PERFORMNUD,DAD></pre>
</details>
<details>
<summary>sh -c 'echo "------\n/usr/local/etc/nginx/valet/valet.conf\n---\n"; cat /usr/local/etc/nginx/valet/valet.conf | grep -n "# valet loopback"; echo "\n------\n"'</summary>
<pre>------
/usr/local/etc/nginx/valet/valet.conf
---

3:    #listen VALET_LOOPBACK:80; # valet loopback

------</pre>
</details>
<details>
<summary>sh -c 'for file in ~/.config/valet/dnsmasq.d/*; do echo "------\n~/.config/valet/dnsmasq.d/$(basename $file)\n---\n"; cat $file; echo "\n------\n"; done'</summary>
<pre>------
~/.config/valet/dnsmasq.d/tld-test.conf
---

address=/.test/127.0.0.1
listen-address=127.0.0.1

------</pre>
</details>
<details>
<summary>sh -c 'for file in ~/.config/valet/nginx/*; do echo "------\n~/.config/valet/nginx/$(basename $file)\n---\n"; cat $file | grep -n "# valet loopback"; echo "\n------\n"; done'</summary>
<pre>------
~/.config/valet/nginx/config-service.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------</pre>
</details>
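A check for the lifetime problem described above, added here as an example and not part of the issue or of Valet: it parses the output of `openssl x509 -noout -dates` for a site certificate and flags any lifetime over the 368-day limit the issue cites. The sample outputs are constructed, and the certificate path is a placeholder.

```python
import re
import subprocess
from datetime import datetime, timezone

# Maximum leaf-certificate validity accepted by Chrome, as stated in this issue.
CHROME_MAX_DAYS = 368

# Constructed sample: what `openssl x509 -noout -dates -in <cert>` prints for a
# certificate created with `-days 730` (the value hardcoded in Site::secure).
SAMPLE_730_DAYS = """notBefore=Dec 13 12:54:00 2021 GMT
notAfter=Dec 13 12:54:00 2023 GMT
"""

# Constructed sample with a single-digit day (openssl pads it with a space)
# and a 365-day lifetime, which is within the limit.
SAMPLE_365_DAYS = """notBefore=Dec  3 10:45:00 2021 GMT
notAfter=Dec  3 10:45:00 2022 GMT
"""

# openssl prints dates as e.g. "Dec 13 12:54:00 2021 GMT"; strptime treats the
# whitespace in the format as "one or more", so the padded single-digit day parses too.
_OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_dates(openssl_output):
    """Return (notBefore, notAfter) as aware UTC datetimes from -dates output."""
    fields = {}
    for line in openssl_output.splitlines():
        m = re.match(r"^(notBefore|notAfter)=(.+)$", line.strip())
        if m:
            stamp = datetime.strptime(m.group(2).strip(), _OPENSSL_DATE)
            fields[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(openssl_output):
    """Whole days between notBefore and notAfter."""
    before, after = parse_dates(openssl_output)
    return (after - before).days


def exceeds_chrome_limit(openssl_output, max_days=CHROME_MAX_DAYS):
    """True when the certificate would trigger net::ERR_CERT_VALIDITY_TOO_LONG."""
    return lifetime_days(openssl_output) > max_days


def check_cert_file(path, max_days=CHROME_MAX_DAYS):
    """Run openssl on a real PEM file; `path` is a placeholder for the site certificate."""
    out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return exceeds_chrome_limit(out, max_days)
```

Point `check_cert_file` at the certificate `valet secure` wrote for a site to confirm whether its 730-day lifetime is what Chrome is rejecting.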
