valet install asking for certificate permission for each existing site

[datashaman]

• Valet Version: 3.0.1
• PHP Version: 8.1.4

Description:

Running valet install after upgrade to version 3 results in a seemingly endless loop of asking for permission to alter the certificate store.

Steps To Reproduce:

> composer global require laravel/valet
> valet install
valet install
Stopping nginx...
Installing nginx configuration...
Installing nginx directory...

Now it asks for permission to alter certificate trust. Over and over and over again.

Once I manage to Cancel then the process continues as follows (I must press Cancel for each one too):

Updating PHP configuration for php@8.1...
Restarting php...
Updating Dnsmasq configuration...
Restarting dnsmasq...
Valet is configured to serve for TLD [.test]
Restarting nginx...

Valet installed successfully!

I have 24 secure sites in valet. Can this permission not be asked for once? I don't know if it's endless, it might be only 24 times I have to do this. EDIT: It's 26 times. Yay.

I've just had to cancel the thing 26 times (2 extra for 2 non-secure sites). So it's doing it for each site.

Diagnosis

Details Diagnosis

$ sw_vers
ProductName:	macOS
ProductVersion:	12.3
BuildVersion:	21E230
--------------------
$ valet --version
Laravel Valet 3.0.1
--------------------
$ cat ~/.config/valet/config.json
{
    "tld": "test",
    "paths": [
        "/Users/marlinf/.config/valet/Sites",
        "/Users/marlinf/Projects"
    ],
    "loopback": "127.0.0.1"
}
--------------------
$ cat ~/.composer/composer.json
{
    "require": {
        "laravel/valet": "^3.0"
    },
    "repositories": [
    ],
    "config": {
        "allow-plugins": {
            "ergebnis/composer-normalize": false
        }
    }
}
--------------------
$ composer global diagnose
Changed current directory to /Users/marlinf/.composer
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: You are not running the latest stable version, run `composer self-update` to update (2.2.6 => 2.3.2)
Composer version: 2.2.6
PHP version: 8.1.4
PHP binary path: /usr/local/Cellar/php/8.1.4.reinstall/bin/php
OpenSSL version: OpenSSL 1.1.1m  14 Dec 2021
cURL version: 7.82.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1n
zip: extension present, unzip present, 7-Zip not available
--------------------
$ composer global outdated
Changed current directory to /Users/marlinf/.composer
Info from https://repo.packagist.org: �[37;44m#StandWith�[30;43mUkraine�[0m
Legend:
! patch or minor release available - update recommended
~ major release available - update possible
guzzlehttp/guzzle                7.4.1   ! 7.4.2   Guzzle is a PHP HTTP client library
guzzlehttp/psr7                  2.1.0   ! 2.2.1   PSR-7 message implementation that also provides common utility methods
illuminate/container             v9.1.0  ! v9.6.0  The Illuminate Container package.
illuminate/contracts             v9.1.0  ! v9.6.0  The Illuminate Contracts package.
mnapoli/silly                    1.7.3   ! 1.8.0   Silly CLI micro-framework based on Symfony Console
symfony/console                  v5.4.3  ~ v6.0.5  Eases the creation of beautiful and testable command line interfaces
symfony/polyfill-ctype           v1.24.0 ! v1.25.0 Symfony polyfill for ctype functions
symfony/polyfill-intl-grapheme   v1.24.0 ! v1.25.0 Symfony polyfill for intl's grapheme_* functions
symfony/polyfill-intl-normalizer v1.24.0 ! v1.25.0 Symfony polyfill for intl's Normalizer class and related functions
symfony/polyfill-mbstring        v1.24.0 ! v1.25.0 Symfony polyfill for the Mbstring extension
symfony/polyfill-php73           v1.24.0 ! v1.25.0 Symfony polyfill backporting some PHP 7.3+ features to lower PHP versions
symfony/polyfill-php80           v1.24.0 ! v1.25.0 Symfony polyfill backporting some PHP 8.0+ features to lower PHP versions
symfony/process                  v6.0.3  ! v6.0.5  Executes commands in sub-processes
symfony/var-dumper               v6.0.3  ! v6.0.6  Provides mechanisms for walking through any arbitrary PHP variable
tightenco/collect                v8.83.1 ~ v9.4.1  Collect - Illuminate Collections as a separate package.
--------------------
$ ls -al /etc/sudoers.d/
total 16
drwxr-xr-x   4 root  wheel   128 Mar 23 20:22 .
drwxr-xr-x  81 root  wheel  2592 Mar 23 20:23 ..
-rw-r--r--   1 root  wheel    80 Aug 17  2021 brew
-rw-r--r--   1 root  wheel    83 Aug 17  2021 valet
--------------------
$ brew config
HOMEBREW_VERSION: 3.4.4-44-gb2b029e
ORIGIN: https://github.com/Homebrew/brew
HEAD: b2b029e311ca64b77635e5ea2478fd2b5a32e656
Last commit: 2 hours ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 9f4d70f60ef3409347ab61ee237fb82d93bb9137
Core tap last commit: 38 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_CORE_GIT_REMOTE: https://github.com/Homebrew/homebrew-core
HOMEBREW_EDITOR: vim
HOMEBREW_MAKE_JOBS: 16
Homebrew Ruby: 2.6.8 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 16-core 64-bit kabylake
Clang: 13.1.6 build 1316
Git: 2.35.1 => /usr/local/bin/git
Curl: 7.79.1 => /usr/bin/curl
macOS: 12.3-x86_64
CLT: 13.3.0.0.1.1645755326
Xcode: 13.3
--------------------
$ brew services list
Name           Status User    File
dnsmasq        error  512      root    ~/Library/LaunchAgents/homebrew.mxcl.dnsmasq.plist
docker-machine error  256      marlinf ~/Library/LaunchAgents/homebrew.mxcl.docker-machine.plist
mysql          none                    
nginx          error  256      root    ~/Library/LaunchAgents/homebrew.mxcl.nginx.plist
opensearch     started         marlinf ~/Library/LaunchAgents/homebrew.mxcl.opensearch.plist
php            none            root    
php@7.4        none                    
php@8.0        none                    
redis          none                    
unbound        none
--------------------
$ brew list --formula --versions | grep -E "(php|nginx|dnsmasq|mariadb|mysql|mailhog|openssl)(@\d\..*)?\s"
dnsmasq 2.86
mysql 8.0.28_1
nginx 1.21.5 1.21.6_1 1.21.3 1.21.4
openssl@1.1 1.1.1n
php 8.1.2.reinstall 8.1.4.reinstall 8.1.3_1 8.1.0 8.1.1 8.1.4
php@7.4 7.4.28_1.reinstall 7.4.27 7.4.25
php@8.0 8.0.15 8.0.13 8.0.16_1 8.0.17.reinstall
--------------------
$ brew outdated
aws/tap/aws-sam-cli
awscli
awscli@1
ca-certificates
cmake
direnv
docker
frei0r
gh
glib
gnu-tar
harfbuzz
imagemagick
libarchive
libgcrypt
libomp
lua
openjdk
phive
pipenv
python@3.9
ruby-build
sqlite
--------------------
$ brew tap
augmentable-dev/askgit
aws/tap
discoteq/discoteq
ethpm/ethpm-cli
hashicorp/tap
helix-editor/helix
homebrew/cask
homebrew/core
homebrew/services
shivammathur/php
--------------------
$ php -v
PHP 8.1.4 (cli) (built: Mar 18 2022 09:45:20) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.4, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.4, Copyright (c), by Zend Technologies
--------------------
$ which -a php
/usr/local/bin/php
--------------------
$ php --ini
Configuration File (php.ini) Path: /usr/local/etc/php/8.1
Loaded Configuration File:         /usr/local/etc/php/8.1/php.ini
Scan for additional .ini files in: /usr/local/etc/php/8.1/conf.d
Additional .ini files parsed:      /usr/local/etc/php/8.1/conf.d/error_log.ini,
/usr/local/etc/php/8.1/conf.d/ext-opcache.ini,
/usr/local/etc/php/8.1/conf.d/php-memory-limits.ini
--------------------
$ nginx -v
nginx version: nginx/1.21.6
--------------------
$ curl --version
curl 7.71.1 (x86_64-apple-darwin13.4.0) libcurl/7.71.1 OpenSSL/1.1.1k zlib/1.2.11 libssh2/1.9.0
Release-Date: 2020-07-01
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
--------------------
$ php --ri curl
curl

cURL support => enabled
cURL Information => 7.82.0
Age => 9
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => Yes
SSL => Yes
SSPI => No
TLS-SRP => Yes
HTTP2 => Yes
GSSAPI => Yes
KERBEROS5 => Yes
UNIX_SOCKETS => Yes
PSL => No
HTTPS_PROXY => Yes
MULTI_SSL => Yes
BROTLI => Yes
Protocols => dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host => x86_64-apple-darwin21.3.0
SSL Version => (SecureTransport) OpenSSL/1.1.1n
ZLib Version => 1.2.11
libSSH Version => libssh2/1.10.0

Directive => Local Value => Master Value
curl.cainfo => no value => no value
--------------------
$ ~/.composer/vendor/laravel/valet/bin/ngrok version
ngrok version 2.3.40
--------------------
$ ~/.composer/vendor/laravel/valet/bin/ngrok-arm version
sudo: unable to execute /Users/marlinf/.composer/vendor/laravel/valet/bin/ngrok-arm: Bad CPU type in executable
--------------------
$ ls -al ~/.ngrok2
ls: /Users/marlinf/.ngrok2: No such file or directory
--------------------
$ brew info nginx
nginx: stable 1.21.6 (bottled), HEAD
HTTP(S) server and reverse proxy, and IMAP/POP3 proxy server
https://nginx.org/
/usr/local/Cellar/nginx/1.21.3 (23 files, 2.2MB)
  Built from source
/usr/local/Cellar/nginx/1.21.4 (23 files, 2.2MB)
  Built from source
/usr/local/Cellar/nginx/1.21.5 (23 files, 2.2MB)
  Built from source
/usr/local/Cellar/nginx/1.21.6_1 (26 files, 2.2MB) *
  Poured from bottle on 2022-03-14 at 17:16:10
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/nginx.rb
License: BSD-2-Clause
==> Dependencies
Required: openssl@1.1, pcre2
==> Options
--HEAD
	Install HEAD version
==> Caveats
Docroot is: /usr/local/var/www

The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /usr/local/etc/nginx/servers/.

To restart nginx after an upgrade:
  brew services restart nginx
Or, if you don't want/need a background service you can just run:
  /usr/local/opt/nginx/bin/nginx -g daemon off;
==> Analytics
install: 45,734 (30 days), 125,469 (90 days), 491,233 (365 days)
install-on-request: 45,645 (30 days), 125,251 (90 days), 490,208 (365 days)
build-error: 15 (30 days)
--------------------
$ brew info php
php: stable 8.1.4 (bottled), HEAD
General-purpose scripting language
https://www.php.net/
/usr/local/Cellar/php/8.1.0 (504 files, 79.8MB)
  Built from source
/usr/local/Cellar/php/8.1.1 (509 files, 79.9MB)
  Built from source
/usr/local/Cellar/php/8.1.2.reinstall (193 files, 32.5MB)
  Built from source
/usr/local/Cellar/php/8.1.3_1 (510 files, 80.0MB)
  Built from source
/usr/local/Cellar/php/8.1.4 (513 files, 80MB)
  Poured from bottle on 2022-03-24 at 12:12:21
/usr/local/Cellar/php/8.1.4.reinstall (513 files, 80MB) *
  Poured from bottle on 2022-03-24 at 08:40:33
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/php.rb
License: PHP-3.01
==> Dependencies
Build: httpd, pkg-config
Required: apr, apr-util, argon2, aspell, autoconf, curl, freetds, gd, gettext, gmp, icu4c, krb5, libpq, libsodium, libzip, oniguruma, openldap, openssl@1.1, pcre2, sqlite, tidy-html5, unixodbc
==> Options
--HEAD
	Install HEAD version
==> Caveats
To enable PHP in Apache add the following to httpd.conf and restart Apache:
    LoadModule php_module /usr/local/opt/php/lib/httpd/modules/libphp.so

    <filesmatch \.php$="">
        SetHandler application/x-httpd-php
    </filesmatch>

Finally, check DirectoryIndex includes index.php
    DirectoryIndex index.php index.html

The php.ini and php-fpm.ini file can be found in:
    /usr/local/etc/php/8.1/

To restart php after an upgrade:
  brew services restart php
Or, if you don't want/need a background service you can just run:
  /usr/local/opt/php/sbin/php-fpm --nodaemonize
==&gt; Analytics
install: 147,179 (30 days), 371,940 (90 days), 962,915 (365 days)
install-on-request: 123,987 (30 days), 307,328 (90 days), 843,983 (365 days)
build-error: 64 (30 days)
--------------------
$ brew info openssl
openssl@3: stable 3.0.2 (bottled) [keg-only]
Cryptography and SSL/TLS Toolkit
https://openssl.org/
/usr/local/Cellar/openssl@3/3.0.2 (6,429 files, 28.2MB)
  Poured from bottle on 2022-03-24 at 08:37:30
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/openssl@3.rb
License: Apache-2.0
==&gt; Dependencies
Required: ca-certificates
==&gt; Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl@3/certs

and run
  /usr/local/opt/openssl@3/bin/c_rehash

openssl@3 is keg-only, which means it was not symlinked into /usr/local,
because macOS provides LibreSSL.

If you need to have openssl@3 first in your PATH, run:
  echo 'export PATH="/usr/local/opt/openssl@3/bin:$PATH"' &gt;&gt; ~/.zshrc

For compilers to find openssl@3 you may need to set:
  export LDFLAGS="-L/usr/local/opt/openssl@3/lib"
  export CPPFLAGS="-I/usr/local/opt/openssl@3/include"

For pkg-config to find openssl@3 you may need to set:
  export PKG_CONFIG_PATH="/usr/local/opt/openssl@3/lib/pkgconfig"

==&gt; Analytics
install: 151,302 (30 days), 357,080 (90 days), 659,716 (365 days)
install-on-request: 119,345 (30 days), 276,898 (90 days), 517,035 (365 days)
build-error: 5,498 (30 days)
--------------------
$ openssl version -a
OpenSSL 1.1.1k  25 Mar 2021
built on: Thu Mar 25 14:53:07 2021 UTC
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: x86_64-apple-darwin13.4.0-clang -D_FORTIFY_SOURCE=2 -mmacosx-version-min=10.9 -isystem /Users/marlinf/opt/anaconda3/include -march=core2 -mtune=haswell -mssse3 -ftree-vectorize -fPIC -fPIE -fstack-protector-strong -O2 -pipe -isystem /Users/marlinf/opt/anaconda3/include -fdebug-prefix-map=/opt/concourse/worker/volumes/live/d6cc10a3-c4ff-4472-4e1b-a339b333e76e/volume/openssl_1616683945709/work=/usr/local/src/conda/openssl-1.1.1k -fdebug-prefix-map=/Users/marlinf/opt/anaconda3=/usr/local/src/conda-prefix -fPIC -arch x86_64 -march=core2 -mtune=haswell -mssse3 -ftree-vectorize -fPIC -fPIE -fstack-protector-strong -O2 -pipe -isystem /Users/marlinf/opt/anaconda3/include -fdebug-prefix-map=/opt/concourse/worker/volumes/live/d6cc10a3-c4ff-4472-4e1b-a339b333e76e/volume/openssl_1616683945709/work=/usr/local/src/conda/openssl-1.1.1k -fdebug-prefix-map=/Users/marlinf/opt/anaconda3=/usr/local/src/conda-prefix -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG -D_FORTIFY_SOURCE=2 -mmacosx-version-min=10.9 -isystem /Users/marlinf/opt/anaconda3/include
OPENSSLDIR: "/Users/marlinf/opt/anaconda3/ssl"
ENGINESDIR: "/Users/marlinf/opt/anaconda3/lib/engines-1.1"
Seeding source: os-specific
--------------------
$ openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
--------------------
$ sudo nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
--------------------
$ which -a php-fpm
/usr/local/sbin/php-fpm
--------------------
$ /usr/local/opt/php/sbin/php-fpm -v
PHP 8.1.4 (fpm-fcgi) (built: Mar 18 2022 09:45:29)
Copyright (c) The PHP Group
Zend Engine v4.1.4, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.4, Copyright (c), by Zend Technologies
--------------------
$ sudo /usr/local/opt/php/sbin/php-fpm -y /usr/local/etc/php/8.1/php-fpm.conf --test
[31-Mar-2022 12:49:04] NOTICE: configuration file /usr/local/etc/php/8.1/php-fpm.conf test is successful
--------------------
$ ls -al ~/Library/LaunchAgents | grep homebrew
-rw-r--r--    1 marlinf  staff   593 Mar 17 10:46 homebrew.mxcl.dnsmasq.plist
-rw-r--r--    1 marlinf  staff   658 Jan 25 10:29 homebrew.mxcl.docker-machine.plist
-rw-r--r--    1 marlinf  staff   484 Dec  1 10:49 homebrew.mxcl.nginx.plist
-rw-r--r--    1 marlinf  staff   612 Feb  3 17:03 homebrew.mxcl.opensearch.plist
--------------------
$ ls -al /Library/LaunchAgents | grep homebrew

--------------------
$ ls -al /Library/LaunchDaemons | grep homebrew
-rw-r--r--   1 root  admin   593 Mar 31 12:46 homebrew.mxcl.dnsmasq.plist
-rw-r--r--   1 root  admin   484 Mar 31 12:46 homebrew.mxcl.nginx.plist
-rw-r--r--   1 root  admin   577 Mar 31 12:45 homebrew.mxcl.php.plist
--------------------
$ ls -al /Library/LaunchDaemons | grep "com.laravel.valet."

--------------------
$ ls -aln /etc/resolv.conf
lrwxr-xr-x  1 0  0  22 Feb 26 09:05 /etc/resolv.conf -&gt; ../var/run/resolv.conf
--------------------
$ cat /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 8.8.8.8
--------------------
$ ifconfig lo0
lo0: flags=8049<up,loopback,running,multicast> mtu 16384
	options=1203<rxcsum,txcsum,txstatus,sw_timestamp>
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	nd6 options=201<performnud,dad>
--------------------
$ sh -c 'echo "------\n/usr/local/etc/nginx/valet/valet.conf\n---\n"; cat /usr/local/etc/nginx/valet/valet.conf | grep -n "# valet loopback"; echo "\n------\n"'
------
/usr/local/etc/nginx/valet/valet.conf
---

3:    #listen VALET_LOOPBACK:80; # valet loopback

------
--------------------
$ sh -c 'for file in ~/.config/valet/dnsmasq.d/*; do echo "------\n~/.config/valet/dnsmasq.d/$(basename $file)\n---\n"; cat $file; echo "\n------\n"; done'
------
~/.config/valet/dnsmasq.d/tld-test.conf
---

address=/.test/127.0.0.1
listen-address=127.0.0.1

------
--------------------
$ sh -c 'for file in ~/.config/valet/nginx/*; do echo "------\n~/.config/valet/nginx/$(basename $file)\n---\n"; cat $file | grep -n "# valet loopback"; echo "\n------\n"; done'
------
~/.config/valet/nginx/admin.mbnd.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/api-hz-ed.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/api-hz-hz.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/api-hz-pi.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/api-hz-qe.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/api-hz-zo.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/api.mbnd.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/blah.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/brk.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/desktop.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/fw-marketplace.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/fw-publishing-service.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/fw-sync-service.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/grappa.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/hz-ed.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/hz-hz.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/hz-pi.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/hz-qe.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/hz-zo.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/imo.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/ke-cars.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/ke-jobs.test.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/ke.kazi.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/ke.kazi.test.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/mbnd.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/rollout.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/sdc-console.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/tms-api.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

------
~/.config/valet/nginx/tms-console.test
---

3:    #listen 127.0.0.1:80; # valet loopback
10:    #listen 127.0.0.1:443 ssl http2; # valet loopback
54:    #listen 127.0.0.1:60; # valet loopback

------

</performnud,dad></rxcsum,txcsum,txstatus,sw_timestamp></up,loopback,running,multicast>

[datashaman]

Posting a diagnosis seems to leak a lot of my work information, is there a less public way for this information to be sent? It includes my local machine's userid (which leaks my real name) and the names and locations of all of my projects on the filesystem.

[driesvints]

@datashaman best to filter that out manually. There isn't a secure way to share this right now.

Seems to be related to #1224 probably?

[nicoverbruggen]

You can try the workaround in this comment which disables the pop-ups whenever /usr/bin/security is invoked for certificate trust, which Valet invokes whenever a new domain certificate is set up.

I was looking into this very issue myself yesterday as well, but it seems that you have to trust on a per-certificate basis (you can't use /usr/bin/security to trust multiple certs or a cert bundle in one go, which unfortunately means you'll get a bunch of pop-ups requesting admin permissions for every domain.

The workaround:

security authorizationdb read com.apple.trust-settings.admin > ~/.config/valet/apple-trust-settings > /dev/null 2>& 1
sudo security authorizationdb write com.apple.trust-settings.admin allow > /dev/null 2>& 1

Might be worth adding something akin to valet trust that runs this workaround?

[NasirNobin]

These password prompts are pretty annoying when you have lots of secured sites. One of my colleagues has 15+ secured sites and he's using an older MacBook that doesn't have a Touch ID. Running valet install is a nightmare in that situation.

I'm wondering if it would be a good idea to submit a PR with a flag like --skip-prompt, that would adjust com.apple.trust-settings.admin to disable password prompts before running valet install then once the installation is done, it would revert the settings to the original state. Any thoughts?

[nicoverbruggen]

I'm wondering if it would be a good idea to submit a PR with a flag like --skip-prompt, that would adjust com.apple.trust-settings.admin to disable password prompts before running valet install then once the installation is done, it would revert the settings to the original state. Any thoughts?

I think that sounds like an improvement over the potentially many prompts you'd have to wrestle through today. You could probably even do it without needing the flag? (I imagine most folks will not look up the possible flags for valet install, and as default behaviour I think it's okay as long as the original preference is restored afterwards... What does everyone else think?)

[datashaman]

@nicoverbruggen, I experienced a flawless handsfree installation after running those commands, thanks.

[driesvints]

@nicoverbruggen @NasirNobin I think it's worth exploring to update the install command like that, however, I'm a bit cautious as to what would happen if the command fails in the middle of execution and the settings aren't reverted?

[NasirNobin]

My initial idea on handling exceptions was to wrap the whole process in a try/catch. So we can still revert in case of errors.

But there could always be other cases, like if the user or any other application forcefully kills the process in the middle.

I guess we can print some info and link to the doc about this in the output, so the user is aware of what's happening and can revert back manually if something like this happens.

Also, we can add another logic, like Valet would only disable password prompts, if the user's machine has 2+ SSL sites. So users with 2 or fewer SSL sites won't be affected at all.

[driesvints]

Yeah the exception handling would be useful but indeed, there can always be manual termination or other things that can happen.

I'm not sure about checking the amount of sites. I'd just make the behavior the default one regardless of amount of sites. But maybe @mattstauffer has a different opinion?

[nicoverbruggen]

manual termination or other things that can happen

But this also applies to Homebrew and such. You can break your installation easily if you keep manually terminating the terminal/proces while Homebrew is working, I wouldn't worry about that too much.

I'd just make the behavior the default one regardless of amount of sites.

I agree with this.

I'd also like to add:

Whenever I build something like this, I generally write a file to disk (or persist some information somewhere) that indicates that a sensitive or important operation did not complete successfully.

That way, if something failed, you can check for the file's existence the next time you use the program (whether app or CLI) and perhaps restore the original configuration before resuming whatever the user has asked to do.

This already happens here:

security authorizationdb read com.apple.trust-settings.admin > ~/.config/valet/apple-trust-settings

The particular .plist file (authorizationdb configuration) prior to modification is written to a file. You could theoretically restore it after securing the domains, and if that failed somehow the apple-trust-settings file will be present the next time you run Valet, and you could restore it then if needed. Might be worth making it work like this?

[mattstauffer]

I think @nicoverbruggen's suggestion here is likely our best option. @driesvints and I have been digging into this because he's the first person I've been able to reproduce this issue with, and so far the only idea we have is to go with Nico's suggestion:

• Before running valet install, disable the prompts
• Write to a temp file
• Once valet install completes, re-enable the prompts
• If it's not a performance hit, check for that temp file in all/some other commands, and if it still exists, re-enable the prompts

Any thoughts/concerns?

[JackWH]

I've just spent the past 2 hours struggling with the same issue described by @driesvints in #1224 — I see that issue was closed, but it seems related to this one.

I tried to upgrade Valet this evening and couldn't get past the "Installing nginx directory..." prompt either. I followed all the usual suggestions (brew doctor, brew clean, composer global update, system reboot, etc.). In the end I completely uninstalled Valet and all associated services, restarted, and tried again from scratch...

Still no luck! So I thought I'd have another go, and whilst reviewing the instructions from valet uninstall I went to Keychain Access to remove any Valet-specific certificates...

Weirdly, trying to delete the Valet certificate caused Keychain Access to stop responding. macOS started hanging too, until eventually allowing me to force-quit Keychain Access. By the time I was even trying this, all other Valet services had been uninstalled. I verified with sudo top there weren't any dangling processes left over (no sign of brew, valet, php, composer, or macOS security), tried deleting the certificate in Keychain Access again, same problem came back.

Sounds like a macOS bug to me...?

With that in mind, I was finally able to install Valet by NOT using Touch ID when prompted — just typing my password manually instead. 🤨

Like others in #1224, I'm on a 2021 M1 MacBook Pro running Monterey 12.3.1.

[driesvints]

@JackWH there's no macOS bug. Just tighter restrictions around keychain access in Monterey.

[JackWH]

@driesvints Sorry if I wasn't clear, this was about an observation related to #1224 (which has been closed), but I thought it might relate to this issue too. The OS chooses whether to show a password dialog or a TouchID prompt automatically, and only when using TouchID do future auth prompts stop appearing (and Keychain Access hangs). So the issue in #1224 must be a bug in macOS, surely?

[driesvints]

Hi all. Since there's no clear and good solution to this without fiddling with macOS security settings, we're going to close this one as a no-fix. For now, this is going to be the behavior until a better solution presents itself.

I'll pin this tweet so people can find it when trying to find answers to this. Thanks all.

[matthewjohns0n]

According to an Apple dev, it looks like it would be possible to write a utility that could accomplish this without having to change that security setting:

Fortunately, macOS has APIs for adding keychain items (<Security/SecItem.h>) and configuring trust settings (<Security/SecTrustSettings.h>).

• https://developer.apple.com/forums/thread/671582

Unfortunately, at this point, I have no idea how to build that tool, but I thought it was worth documenting here in case someone else has the skills/desire to work on that. (Found this thread because I usually have 15+ secure sites locally, and this makes running valet install very annoying to me 😜)

[nicoverbruggen]

Fortunately, macOS has APIs for adding keychain items (<Security/SecItem.h>) and configuring trust settings (<Security/SecTrustSettings.h>).

If I find the time I would't mind trying to build a small CLI app that you can give a list of certificates to trust... Been a while since I last wrote Obj-C though. I won't guarantee I can produce anything workable but I want to look into this for sure.

[nicoverbruggen]

So... I made a proof-of-concept test CLI app that attempts to add the (self-generated) Laravel Root CA certificate to the login keychain (not the system keychain — as is the current behaviour — which is not necessary, I think).

The method responsible for actually marking the cert as trusted (SecTrustSettingsSetTrustSettings in my proof-of-concept code) pops up the auth dialog.

It's likely that trusting multiple certs in one go is simply not possible, as looping over an array of items would simply result in the same outcome as before. Even Keychain.app sadly pops up multiple alerts when you want to add/remove in bulk. So this may not be fixable...

However!

Adding the root CA authority worked, and doing this was actually sufficient for Safari and Microsoft Edge to start serving my sites!

This being the case, there may not be any need for a separate app if we can do a single auth prompt like this (trusting only the CA cert, since that implicitly makes the other certs trusted as well).

So, only trusting the CA certificate works with Safari and Edge. What about Firefox? You need to manually import the certificate authority there, it doesn't use the system wide CA list. That has been the case for a while now.

Sadly, Chrome also does not seem to want to play nice with this. After doing some searching, the reason for this may be a missing subjectAltName requirement for the root CA? Not sure if this is actually the case since the message from Chrome is simply NET::ERR_CERT_AUTHORITY_INVALID.

Testing `subjectAltName` theory (not sure if this is the actual cause)

After installing openssl via brew (which supports the -ext param) I ran the following to verify if the v3 extensions are present:

$ /opt/homebrew/opt/openssl@3/bin/openssl x509 -noout -ext subjectAltName -in /Users/nicoverbruggen/.config/valet/CA/LaravelValetCASelfSigned.pem
No extensions in certificate

and the extension appears to be missing on my system.

Perhaps if the root CA is generated with subjectAltName (*.test), perhaps Chrome will serve sites correctly as well, without requiring more than one pop-up.

The root cert is generated here and seems to be lacking this subjectAltName. Notably, Valet does ship with an openssl config file that does correctly set the subjectAltName.

TL;DR: I think that trusting a correctly-generated single root CA cert is actually sufficient to have most browsers work with Valet out of the box (with Firefox as the only exception since it doesn't make use of keychain's certificates to check if a domain is trusted). To be clear, you obviously still need to generate individual certificates but they I believe they don't all need to be individually trusted with a password prompt. This means that the only time a user will see that auth pop-up is when the CA cert needs to be trusted (once every 24 months?). I am uncertain what one has to do to make the certificate authority valid for Chrome, however. Anyone else have experience with this?