Laravel Valet's Self-signed Certs does not play with Firefox

[djasnowski]

A fresh install of Laravel Valet and then a valet secure <my site>.

OK, on Chrome, I can get it HTTPS -- nice.

However on Firefox (and FirefoxDev), I get the insecure self-signed error. Is this because Mozilla has stricter control or just an error on Valet's part? Or maybe Chrome has a looser control on self-signed certs. Anyone ever experienced anything like this? (Of course in prod, I would not be using a self-signed cert but that's beside the case.)

Thanks!

[loganhenson]

Valet adds the certificate as "trusted" in the OSX keychain. However -- Firefox uses its own certificate manager, so doesn't see it.

[philiparthurmoore]

Facing the same issue in Firefox Quantum.

[AnalogMemory]

@philiparthurmoore You can add a exception for the site if you click the advanced button

[philiparthurmoore]

I've done that. Not ideal for the frequent creation and destruction of links but certainly a viable option. 👍

[hellerbenjamin]

Now the accept button is gone on my latest version of Firefox.

[drizki]

@hellerbenjamin Same for me, the "Add Exception" button is no longer there.

[Baadier-Sydow]

I added an exception but once I restarted it seems to ignore the exception and I the button on the frontend to Add Exception is no longer there.

[AnalogMemory]

Which version of Firefox is this happening for ya'll? I'm at (58.0.2 (64-bit)) and on pages it shows me the security warning, after clicking the "Advanced" button, the "Add Exception" link is available.

Also you can manually add sites in preferences.
Privacy & Security Preferences → View Certificates... → Servers → Add Exception

But yeah they don't make it easy 💩

[Baadier-Sydow]

I'm using Firefox 59 and Firefox Developer 59.

On both the first time it allows you to add an exception but it stops working. Thereafter the Add Exception button no longer shows.

Then if you view the certificates I can confirm that the domains are included. If I remove the domain I can then re-add it. After re-adding it stil does not work.

[Kompas]

FF 59 does not offer a solution. I am forced to use another browser now!
A self-signed certificate is not accepted anymore! Adding a website as exception does not solve the problem.

Who knows a solution? Is it possible to use another CA?

[andreicristianpetcu]

have you tried importing the CA? https://vimeo.com/245172191

[AnalogMemory]

Downloaded the latest Firefox Developer Edition and was able to open Valet sites using the certs it creates. Still able to add each individual site as a security exception

Are ya'll still using the .dev domain? That domain no longer works unless you're Google. It stopped working in Chrome back in December and Firefox just added it to the preloaded HSTS lists. So that could be your issue. Try using .test or .localhost (or anything not in the HSTS lists) as your dev domain
https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/

[hellerbenjamin]

I was still using the dev domain. Thanks for the response.

[aginanjar]

I'm facing the same problem on firefox. But dev domain works well on safari. I change dev domain to local domain, and now I can continue my work. Thanks @AnalogMemory for the link!

[denmasyarikin]

because not all domain are allowed to use, I think valet should be validate domain before used.

[amnkhan]

Any solution yet, I am facing the same problem in my Firefox Browser. Add Exception is not available now. Looking for a permanent solution.

[philiparthurmoore]

@amnkhan I haven't found a permanent solution to this issue yet. Adding exceptions is the only thing that seems to work on my end.

[arunsathiya]

I am pretty much stuck with the same issue. Using .app domain does not seem to work for me on Firefox Quantum - there is no option to accept the self-signed certificate, as an exception either.

[drbyte]

FIREFOX SOLUTION:

Instead of manually adding exceptions separtely for each site served by valet, IMPORT valet's CA to Firefox's certificate Authorities:

[dimsav]

@drbyte thank you!

FIREFOX SOLUTION:

Instead of manually adding exceptions separtely for each site served by valet, IMPORT valet's CA to Firefox's certificate Authorities:

If you can't find the ~/config/valet folder, make sure you upgrade to the latest version.

[drbyte]

@mattstauffer IMO this can be closed.

[r-martins]

It seems the latest version creates new .pem for every link you create. So it meand I would need to add a new trusted certificate for every domain .dev I create.

[drbyte]

It seems the latest version creates new .pem for every link you create.

I'm not sure where you're getting that from.

Using valet 2.8.1 my valet ~/.config/valet/CA/LaravelValetCASelfSigned.pem file does not change when I run valet secure or valet link.

[r-martins]

If I use domain test it works fine on firefox, and I don't even need to import certificate.
However, if I use domain dev it complains and doesn't allow me to continue. The import doesn't work because it uses a domain-name.pem certificate.

With domain test...

It seems to be an issue specific to .dev domains, which can also be a public TLD, and that's why Firefox doesn't allow it anymore. More here..

[drbyte]

Valet only generates a .pem file for the core CA (certificate authority) that it uses to generate site-specific certificates.
That CA file, which is what you should be importing, is found at:
/Users/your_username/.config/valet/CA/LaravelValetCASelfSigned.pem

It does not generate .pem files for individual sites. So I don't know where you're getting your pagseguro-exemplo-m2-dev.pem file from.

[r-martins]

That's the one I've imported... Never mind.. It's ok to use .test or some other non-official-tld name. ;)

[selfagency]

When I try importing the CA file, I get the error:

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

Meanwhile, I can't view any sites using https in Firefox and all my local domains get redirected to an error message from Dnsmasq saying Invalid host. It's also been causing issues for me with Node.js doing network requests.

Like, what is even happening here? These problems don't exist in Webkit or Blink browsers.

[drbyte]

When I try importing the CA file, I get the error:

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

Meanwhile, I can't view any sites using https in Firefox and all my local domains get redirected to an error message from Dnsmasq saying Invalid host. It's also been causing issues for me with Node.js doing network requests.

Like, what is even happening here? These problems don't exist in Webkit or Blink browsers.

Interesting observations:

• for some unexplained reason your Firefox Dev Edition is using a Valet certificate when visiting google.com ... that suggests maybe you've got a hosts file entry that's redirecting google.com to localhost or some domain that's configured to be served by Valet.
• localhost:1337/Pages -> "Invalid host: pages". This looks like a redirect rule in whatever app is running on localhost port 1337 ... and Valet doesn't run on port 1337 by default, nor does Valet or Dnsmasq issue an error message worded "Invalid host: xyz" in any of its parsing of sites it would serve.

So as far as I can tell you've got other things going on that are interfering with Valet's normal operation. I'd start by diagnosing what's making google.com be served by localhost instead of normal dns operation.
As for your localhost:1337 thing, that's not something Valet normally responds to, nor is the "invalid host: pages" a Dnsmasq error.

[jasperf]

FIREFOX SOLUTION:

Instead of manually adding exceptions separtely for each site served by valet, IMPORT valet's CA to Firefox's certificate Authorities:

Thanks a lot @drbyte . Just followed your instructions on the latest Firefox Developer browser on macOS Catalina and it worked really well.

[AnalogMemory]

This works on Firefox 77 as well

[selfagency]

@drbyte It's been a minute since I followed up on this but the errors I was getting were related to the use of Blockstack, which was hijacking ports. Once removed, the issue was resolved.

[lasseeee]

I had to rm ~/.config/valet/CA/* and then valet install before importing the newly created LaravelValetCASelfSigned.pem into FireFox as per the instructions posted earlier.

[benlk]

Making a note here that, after 2 years of using Valet on this computer, the certificate I was using has finally expired.

$ openssl x509 -in /Users/user/.config/valet/CA/LaravelValetCASelfSigned.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <snip>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Laravel Valet CA Self Signed Organization, CN = Laravel Valet CA Self Signed CN, OU = Developers, emailAddress = rootcertificate@laravel.valet
        Validity
            Not Before: Nov 11 23:53:55 2018 GMT
            Not After : Nov 10 23:53:55 2020 GMT
        Subject: O = Laravel Valet CA Self Signed Organization, CN = Laravel Valet CA Self Signed CN, OU = Developers, emailAddress = rootcertificate@laravel.valet

After following @lasseeee's solution, my cert is updated:

        Validity
            Not Before: Nov 13 00:46:53 2020 GMT
            Not After : Nov 13 00:46:53 2022 GMT

[jasperf]

I had to rm ~/.config/valet/CA/* and then valet install before importing the newly created LaravelValetCASelfSigned.pem into FireFox as per the instructions posted earlier.

After I imported the Valet CA certificate nothing changed.. found this thread and I realized my certificate had expired as well so removed it as you suggested and installed Laravel Valet again. Thanks for the tip.

[benjibee]

It looks like @drbyte's solution is still needed.

I'm using Valet 2.18.9 and Firefox 97 and valet secure works for Google Chrome but not Firefox. Manually adding the CA fixes this. Perhaps this should be added to the documentation or this repo's readme as it's not immediately clear unless you scan the issues as I did.

[soyaaroncervantes]

In my case, after I tried all the recommendation, I had to change my domain from *.app to .localhost, and it started working.

[lasseeee]

Yah, .app is considered a generic top level domain owned by Google since 2015, better use .localhost og .test or any of the other local development domains.

https://en.wikipedia.org/wiki/.app_(gTLD)

[UXandre]

After removing outdated CA via the solution given by @lasseeee, I still faced the same issue. Spent hours and couldn't figure out. So I went to bed. But you know what, this morning I booted the laptop everything somehow started working again. Guess that may be the issue of cache or something?

But rebooting did the magic for me.

[kodmanyagha]

You don't need to change TLD. You must completely clear (not remove, only clear) valet, clear everything about valet in KeyChain (I'm using Macos). For clearing keychain you can search "valet" in search box and delete these.

How to clear valet? Let me write all commands.

rm ~/.config/valet/CA/*
rm ~/.config/valet/Certificates/*
rm ~/.config/valet/Nginx/*
rm ~/.config/valet/Sites/*

You need only remove content of these folders. After that you can use valet link and valet secure commands. Valet will create new SSL files in CA and Certificates folder and import these to system certificates. And everything is fine now.

[brendanfalkowski]

Was just living with broken local certificates since Valet 3.0 update. The solution from @kodmanyagha finally got it working for me. Empty out Keychain Access, update Valet, install Valet, empty Valet config dirs, and re-link sites.