-
Notifications
You must be signed in to change notification settings - Fork 701
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trust CA Certificate only #1463
Conversation
Woot! I like the simplicity of this! |
What are the chances that someone might need to explicitly trust a certificate managed by Valet? Should we offer an optional parameter to trigger that? (ie: backward compatibility) Or am I overthinking? 😂 |
I actually thought about adding this logic to the valet trust command, but ultimately decided calling it whenever secure is called seemed like the most natural flow. For anyone with existing installs, their certs will be already trusted. The next time they call the secure or renew command, their CA will now be trusted if it's not. The new generated cert won't be explicitly trusted in the keychain, but it would be trusted via the CA. |
I re-read your comment, and I don't think it would be necessary since the CA is trusted. We could pass a --trust option to the secure command, but I don't think it would be necessary. |
Nah, that command has a different intention anyway. |
Agreed. |
Yeah, that's why I decided it didn't make any sense. Let me know how your testing goes! I eventually removed all my certs from the keychain to validate, but feel free to try both existing and fresh installs. It seemed to work just fine for me, including subdomains. |
Yup. Looks good to me. /cc @mattstauffer |
I've been using this update for several days. Works fine. Firefox did (as expected, as it always has) initially flag a warning because Valet's CA is self-signed, but accepting that certificate was a one-time prompt. No issues since. |
@drbyte I don't use Firefox, but I was curious enough to try to understand why it doesn't use the System Keychain. Upon my first attempt at reproducing the FF issue, it worked for me the first time without accepting anything. Do you know what setting your https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox |
@drbyte Anything else needed from me for this one? |
No. Thanks for that. |
I'm satisfied that this is ready for merge and release. /cc @mattstauffer |
Apologies for the delays y'all. We've been talking about this change for a while; it's great to see it working! |
As a follow-up to #1461, this PR changes the certificate trust logic only to need to trust the
LaravelValetCASelfSigned.pem
certificate. Since all site certificates are generated from this CA, trusting the CA makes trusting the site certificate redundant.I noticed my
LaravelValetCASelfSigned.pem
was not trusted on my system, so I added a check for that anytimesecure
is called to ensure the root CA is trusted.This will make sure the sudo call to add an entry to the system keychain is called at most once when calling the renew command. Once the CA is trusted, there will be no need to authenticate when calling
secure
orrenew
commands.I left the
unsecure
command alone since it won't hurt to clean up old certificates if needed.