Laravel Valet's Self-signed Certs does not play with Firefox #296

Closed
djasnowski opened this issue Jan 15, 2017 · 40 comments

@djasnowski

A fresh install of Laravel Valet and then a valet secure <my site>.

OK, on Chrome, I can get it HTTPS -- nice.

However on Firefox (and FirefoxDev), I get the insecure self-signed error. Is this because Mozilla has stricter control or just an error on Valet's part? Or maybe Chrome has a looser control on self-signed certs. Anyone ever experienced anything like this? (Of course in prod, I would not be using a self-signed cert but that's beside the case.)

Thanks!

@loganhenson

Valet adds the certificate as "trusted" in the OSX keychain. However -- Firefox uses its own certificate manager, so doesn't see it.

@philiparthurmoore

Facing the same issue in Firefox Quantum.

@AnalogMemory

@philiparthurmoore You can add an exception for the site if you click the advanced button

@philiparthurmoore

I've done that. Not ideal for the frequent creation and destruction of links but certainly a viable option. 👍

@hellerbenjamin

Now the accept button is gone on my latest version of Firefox.

@drizki

drizki commented Feb 8, 2018

@hellerbenjamin Same for me, the "Add Exception" button is no longer there.

@Baadier-Sydow

I added an exception, but once I restarted it seems to ignore the exception, and the button on the frontend to Add Exception is no longer there.

@AnalogMemory

AnalogMemory commented Feb 9, 2018

Which version of Firefox is this happening for y'all? I'm at (58.0.2 (64-bit)) and on pages it shows me the security warning; after clicking the "Advanced" button, the "Add Exception" link is available.

Also you can manually add sites in preferences.
Privacy & Security Preferences → View Certificates... → Servers → Add Exception

But yeah they don't make it easy 💩

@Baadier-Sydow

I'm using Firefox 59 and Firefox Developer 59.

On both the first time it allows you to add an exception but it stops working. Thereafter the Add Exception button no longer shows.

Then if you view the certificates I can confirm that the domains are included. If I remove the domain I can then re-add it. After re-adding it still does not work.

@Kompas

Kompas commented Feb 16, 2018

FF 59 does not offer a solution. I am forced to use another browser now!
A self-signed certificate is not accepted anymore! Adding a website as exception does not solve the problem.

Who knows a solution? Is it possible to use another CA?

@andreicristianpetcu

Have you tried importing the CA? https://vimeo.com/245172191

@AnalogMemory

AnalogMemory commented Feb 17, 2018

Downloaded the latest Firefox Developer Edition and was able to open Valet sites using the certs it creates. Still able to add each individual site as a security exception

Are y'all still using the .dev domain? That domain no longer works unless you're Google. It stopped working in Chrome back in December and Firefox just added it to the preloaded HSTS lists. So that could be your issue. Try using .test or .localhost (or anything not in the HSTS lists) as your dev domain.
https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/

@hellerbenjamin

I was still using the dev domain. Thanks for the response.

@aginanjar

I'm facing the same problem on Firefox. But the dev domain works well on Safari. I changed the dev domain to the local domain, and now I can continue my work. Thanks @AnalogMemory for the link!

@denmasyarikin

Because not all domains are allowed to be used, I think Valet should validate the domain before it is used.

@amnkhan

amnkhan commented Jul 18, 2018

Any solution yet? I am facing the same problem in my Firefox browser. Add Exception is not available now. Looking for a permanent solution.

@philiparthurmoore

@amnkhan I haven't found a permanent solution to this issue yet. Adding exceptions is the only thing that seems to work on my end.

@arunsathiya

I am pretty much stuck with the same issue. Using .app domain does not seem to work for me on Firefox Quantum - there is no option to accept the self-signed certificate, as an exception either.

@drbyte
Contributor

drbyte commented Dec 15, 2018

FIREFOX SOLUTION:

Instead of manually adding exceptions separately for each site served by valet, IMPORT valet's CA to Firefox's certificate Authorities:

[Screenshots: firefox certificate part 1, firefox certificates part 2, firefox certificate part 3]

@dimsav

dimsav commented Dec 17, 2018

@drbyte thank you!

> FIREFOX SOLUTION:
>
> Instead of manually adding exceptions separately for each site served by valet, IMPORT valet's CA to Firefox's certificate Authorities:

If you can't find the ~/config/valet folder, make sure you upgrade to the latest version.

@drbyte
Contributor

drbyte commented Jan 16, 2019

@mattstauffer IMO this can be closed.

@r-martins

It seems the latest version creates a new .pem for every link you create. So it means I would need to add a new trusted certificate for every domain .dev I create.

@drbyte
Contributor

drbyte commented Jan 28, 2020

> It seems the latest version creates new .pem for every link you create.

I'm not sure where you're getting that from.

Using valet 2.8.1 my valet ~/.config/valet/CA/LaravelValetCASelfSigned.pem file does not change when I run valet secure or valet link.

@r-martins

r-martins commented Jan 28, 2020

If I use domain test it works fine on firefox, and I don't even need to import certificate.
However, if I use domain dev it complains and doesn't allow me to continue. The import doesn't work because it uses a domain-name.pem certificate.

[Screenshots: Did_Not_Connect__Potential_Security_Issue, Opening_pagseguro-exemplo-m2-dev_pem_and_about_certificate]

With domain test...

[Screenshot: Warning__Potential_Security_Risk_Ahead]

It seems to be an issue specific to .dev domains, which can also be a public TLD, and that's why Firefox doesn't allow it anymore. More here..

@drbyte
Contributor

drbyte commented Jan 28, 2020

Valet only generates a .pem file for the core CA (certificate authority) that it uses to generate site-specific certificates.
That CA file, which is what you should be importing, is found at:
/Users/your_username/.config/valet/CA/LaravelValetCASelfSigned.pem

It does not generate .pem files for individual sites. So I don't know where you're getting your pagseguro-exemplo-m2-dev.pem file from.

@r-martins

That's the one I've imported... Never mind.. It's ok to use .test or some other non-official-tld name. ;)

@selfagency

selfagency commented Mar 6, 2020

When I try importing the CA file, I get the error:

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

Meanwhile, I can't view any sites using https in Firefox and all my local domains get redirected to an error message from Dnsmasq saying Invalid host. It's also been causing issues for me with Node.js doing network requests.

Like, what is even happening here? These problems don't exist in Webkit or Blink browsers.

[Screenshots: Screenshot 2020-03-06 02 44 29, Screenshot 2020-03-06 02 47 07]

@drbyte
Contributor

drbyte commented Mar 6, 2020

> When I try importing the CA file, I get the error:
>
> This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.
>
> Meanwhile, I can't view any sites using https in Firefox and all my local domains get redirected to an error message from Dnsmasq saying Invalid host. It's also been causing issues for me with Node.js doing network requests.
>
> Like, what is even happening here? These problems don't exist in Webkit or Blink browsers.
>
> [Screenshots: Screenshot 2020-03-06 02 44 29, Screenshot 2020-03-06 02 47 07]

Interesting observations:

  • for some unexplained reason your Firefox Dev Edition is using a Valet certificate when visiting google.com ... that suggests maybe you've got a hosts file entry that's redirecting google.com to localhost or some domain that's configured to be served by Valet.
  • localhost:1337/Pages -> "Invalid host: pages". This looks like a redirect rule in whatever app is running on localhost port 1337 ... and Valet doesn't run on port 1337 by default, nor does Valet or Dnsmasq issue an error message worded "Invalid host: xyz" in any of its parsing of sites it would serve.

So as far as I can tell you've got other things going on that are interfering with Valet's normal operation. I'd start by diagnosing what's making google.com be served by localhost instead of normal dns operation.
As for your localhost:1337 thing, that's not something Valet normally responds to, nor is the "invalid host: pages" a Dnsmasq error.

@jasperf

jasperf commented Jun 7, 2020

> FIREFOX SOLUTION:
>
> Instead of manually adding exceptions separately for each site served by valet, IMPORT valet's CA to Firefox's certificate Authorities:
>
> [Screenshots: firefox certificate part 1, firefox certificates part 2, firefox certificate part 3]

Thanks a lot @drbyte . Just followed your instructions on the latest Firefox Developer browser on macOS Catalina and it worked really well.

@AnalogMemory

This works on Firefox 77 as well

@selfagency

@drbyte It's been a minute since I followed up on this but the errors I was getting were related to the use of Blockstack, which was hijacking ports. Once removed, the issue was resolved.

@lasseeee

lasseeee commented Oct 20, 2020

I had to rm ~/.config/valet/CA/* and then valet install before importing the newly created LaravelValetCASelfSigned.pem into Firefox as per the instructions posted earlier.

@benlk

benlk commented Nov 13, 2020

Making a note here that, after 2 years of using Valet on this computer, the certificate I was using has finally expired.

```
$ openssl x509 -in /Users/user/.config/valet/CA/LaravelValetCASelfSigned.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <snip>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Laravel Valet CA Self Signed Organization, CN = Laravel Valet CA Self Signed CN, OU = Developers, emailAddress = rootcertificate@laravel.valet
        Validity
            Not Before: Nov 11 23:53:55 2018 GMT
            Not After : Nov 10 23:53:55 2020 GMT
        Subject: O = Laravel Valet CA Self Signed Organization, CN = Laravel Valet CA Self Signed CN, OU = Developers, emailAddress = rootcertificate@laravel.valet
```

After following @lasseeee's solution, my cert is updated:

```
        Validity
            Not Before: Nov 13 00:46:53 2020 GMT
            Not After : Nov 13 00:46:53 2022 GMT
```
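
The CA expiry described in the comment above can be detected before Firefox starts rejecting sites. The following is an added example, not part of the thread and not Valet's own code: it runs `openssl x509 -checkend` against the CA file named in this thread and `openssl verify` against the site certificates. The `*.crt` naming inside `~/.config/valet/Certificates`, the 30-day warning window, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Valet's own code. The CA path is the one quoted in this
# thread; the *.crt naming of site certificates is an assumption.
VALET_CA="${VALET_CA:-$HOME/.config/valet/CA/LaravelValetCASelfSigned.pem}"
VALET_CERTS="${VALET_CERTS:-$HOME/.config/valet/Certificates}"

# ca_status PEM [WARN_DAYS]
# Returns 0 = valid beyond the warning window, 1 = expires within WARN_DAYS,
#         2 = already expired, 3 = missing or not a parseable certificate.
ca_status() {
    pem=$1
    warn_days=${2:-30}
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 3
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) \
        >/dev/null 2>&1 || return 1
    return 0
}

# unverified_sites CA_PEM CERT_DIR
# Prints every site certificate that does not verify against CA_PEM (expired,
# or issued by a CA that has since been deleted and regenerated).
unverified_sites() {
    for crt in "$2"/*.crt; do
        [ -e "$crt" ] || continue
        openssl verify -CAfile "$1" "$crt" >/dev/null 2>&1 || echo "$crt"
    done
}

report() {
    ca_status "$VALET_CA" 30
    case $? in
        0) openssl x509 -in "$VALET_CA" -noout -enddate ;;
        1) echo "CA expires within 30 days: regenerate it and re-import into Firefox" ;;
        2) echo "CA has expired: regenerate it and re-import into Firefox" ;;
        3) echo "No readable CA certificate at $VALET_CA" ;;
    esac
    unverified_sites "$VALET_CA" "$VALET_CERTS"
}

report
```

Any path printed after the status line is a site certificate that the current CA does not vouch for, which is the state left behind when the CA is regenerated but old site certificates remain.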

@jasperf

jasperf commented May 14, 2021

> I had to rm ~/.config/valet/CA/* and then valet install before importing the newly created LaravelValetCASelfSigned.pem into Firefox as per the instructions posted earlier.

After I imported the Valet CA certificate nothing changed.. found this thread and I realized my certificate had expired as well so removed it as you suggested and installed Laravel Valet again. Thanks for the tip.

@benjibee

benjibee commented Feb 9, 2022

It looks like @drbyte's solution is still needed.

I'm using Valet 2.18.9 and Firefox 97 and valet secure works for Google Chrome but not Firefox. Manually adding the CA fixes this. Perhaps this should be added to the documentation or this repo's readme as it's not immediately clear unless you scan the issues as I did.

@soyaaroncervantes

In my case, after I tried all the recommendations, I had to change my domain from *.app to .localhost, and it started working.

@lasseeee

lasseeee commented May 23, 2022

Yah, .app is considered a generic top level domain owned by Google since 2015, better use .localhost or .test or any of the other local development domains.

https://en.wikipedia.org/wiki/.app_(gTLD)

@UXandre

UXandre commented May 24, 2022

After removing the outdated CA via the solution given by @lasseeee, I still faced the same issue. Spent hours and couldn't figure it out. So I went to bed. But you know what, this morning I booted the laptop and everything somehow started working again. Guess that may be an issue of cache or something?

But rebooting did the magic for me.

@kodmanyagha

You don't need to change the TLD. You must completely clear (not remove, only clear) valet, and clear everything about valet in Keychain (I'm using macOS). For clearing Keychain you can search "valet" in the search box and delete these.

How to clear valet? Let me write all commands.

```
rm ~/.config/valet/CA/*
rm ~/.config/valet/Certificates/*
rm ~/.config/valet/Nginx/*
rm ~/.config/valet/Sites/*
```

You need only remove content of these folders. After that you can use valet link and valet secure commands. Valet will create new SSL files in CA and Certificates folder and import these to system certificates. And everything is fine now.

@brendanfalkowski

Was just living with broken local certificates since Valet 3.0 update. The solution from @kodmanyagha finally got it working for me. Empty out Keychain Access, update Valet, install Valet, empty Valet config dirs, and re-link sites.
