From 45e4ce17db11cf2dc015c7b4dc3c9b9c1b903e38 Mon Sep 17 00:00:00 2001
From: Cameron Steel
Date: Mon, 15 Sep 2025 22:22:04 +1000
Subject: [PATCH 1/2] fix(TLS): create OpenSSL strict-mode compliant certs

---
 cli/Valet/Site.php | 4 ++--
 cli/stubs/openssl.conf | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/cli/Valet/Site.php b/cli/Valet/Site.php
index ff1fd1a..a38005e 100644
--- a/cli/Valet/Site.php
+++ b/cli/Valet/Site.php
@@ -570,7 +570,7 @@ public function createCa(int $caExpireInDays): void
 ));
 
 $this->cli->runAsUser(sprintf(
- 'openssl req -new -newkey rsa:2048 -days %s -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s"',
+ 'openssl req -new -newkey rsa:2048 -days %s -nodes -x509 -subj "/C=/ST=/O=%s/localityName=/commonName=%s/organizationalUnitName=Developers/emailAddress=%s/" -keyout "%s" -out "%s" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,digitalSignature,keyCertSign" -addext "subjectKeyIdentifier=hash"',
 $caExpireInDays, $oName, $cName, 'rootcertificate@laravel.valet', $caKeyPath, $caPemPath
 ));
 $this->trustCa($caPemPath);
@@ -649,7 +649,7 @@ public function createPrivateKey(string $keyPath): void
 public function createSigningRequest(string $url, string $keyPath, string $csrPath, string $confPath): void
 {
 $this->cli->runAsUser(sprintf(
- 'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/" -config "%s"',
+ 'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/"',
 $keyPath, $csrPath, $url, $url, '@laravel.valet', $confPath
 ));
 }
diff --git a/cli/stubs/openssl.conf b/cli/stubs/openssl.conf
index d81f8d7..0ec736c 100644
--- a/cli/stubs/openssl.conf
+++ b/cli/stubs/openssl.conf
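Review bot: The three `-addext` options appended to the createCa command are only accepted by OpenSSL 1.1.1 and newer; on a host whose `openssl` is an older OpenSSL or a LibreSSL build that predates `-addext`, `req` exits on the unknown option and no CA is written, and nothing visible in this hunk inspects the result of `runAsUser`. A version-independent way to get the same CA profile is a config section (the site certificates already use `v3_req` this way) selected with `-config`/`-extensions`, or at least a check of the command's exit status so the failure is reported rather than discovered at `trustCa`. Also note that CAs created before this change carry neither `keyCertSign` nor a subject key identifier, so the stricter profile only applies to a freshly generated CA; it is worth documenting that existing installs must regenerate their CA. createCa begins outside the hunk.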
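Review bot: Removing `-config "%s"` from the createSigningRequest command means the CSR is built against the host's default openssl.cnf and no longer carries the `v3_req` extensions, subjectAltName included, so the SAN on the issued certificate now depends entirely on the signing step supplying the same conf through `-extfile`/`-extensions`; that step is outside this hunk, so please confirm it does, otherwise the leaf ends up with no SAN at all. If the motivation is that the new `authorityKeyIdentifier = keyid` entry in the conf cannot be evaluated while building a CSR (there is no issuer yet), a short comment above the command, `// The CSR carries only the subject; SAN and key identifiers are applied from the site conf when the CA signs it.`, would keep the next maintainer from reinstating `-config`. `$confPath` is still passed as a surplus sprintf argument on the following line; the second patch in this series takes care of that.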
@@ -16,9 +16,11 @@ commonName_max = 64
 
 [ v3_req ]
 # Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names
+authorityKeyIdentifier = keyid
+subjectKeyIdentifier = hash
 
 [alt_names]
 DNS.1 = VALET_DOMAIN

From 631fb7a1ca2b35c891f7d893eb11fa799175ef51 Mon Sep 17 00:00:00 2001
From: Cameron Steel
Date: Thu, 18 Sep 2025 12:33:34 +1000
Subject: [PATCH 2/2] remove unused $confPath

---
 cli/Valet/Site.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cli/Valet/Site.php b/cli/Valet/Site.php
index a38005e..86ba1d4 100644
--- a/cli/Valet/Site.php
+++ b/cli/Valet/Site.php
@@ -614,7 +614,7 @@ public function createCertificate(string $url, int $caExpireInDays): void
 
 $this->buildCertificateConf($confPath, $url);
 $this->createPrivateKey($keyPath);
- $this->createSigningRequest($url, $keyPath, $csrPath, $confPath);
+ $this->createSigningRequest($url, $keyPath, $csrPath);
 
 $caSrlParam = '-CAserial "'.$caSrlPath.'"';
 if (! $this->files->exists($caSrlPath)) {
@@ -646,11 +646,11 @@ public function createPrivateKey(string $keyPath): void
 /**
 * Create the signing request for the TLS certificate.
 */
- public function createSigningRequest(string $url, string $keyPath, string $csrPath, string $confPath): void
+ public function createSigningRequest(string $url, string $keyPath, string $csrPath): void
 {
 $this->cli->runAsUser(sprintf(
 'openssl req -new -key "%s" -out "%s" -subj "/C=/ST=/O=/localityName=/commonName=%s/organizationalUnitName=/emailAddress=%s%s/"',
- $keyPath, $csrPath, $url, $url, '@laravel.valet', $confPath
+ $keyPath, $csrPath, $url, $url, '@laravel.valet'
 ));
 }
 
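Review bot: The `[ v3_req ]` profile still has no `extendedKeyUsage`, and Apple's trust evaluation for TLS server certificates (macOS 10.15+/iOS 13+) requires an EKU containing id-kp-serverAuth, so a leaf issued from this section can still be rejected by Safari on macOS even though `basicConstraints` and `keyUsage` are now critical; add `extendedKeyUsage = serverAuth` next to `keyUsage`. `authorityKeyIdentifier = keyid` without `:always` is, per the OpenSSL documentation, silently omitted when the issuing CA has no subject key identifier, which is exactly the state of CAs created before this series, so strict-mode chain building on an existing install may still fail with no error at signing time; `keyid:always` would turn that into a loud failure when the certificate is signed. Given the first commit drops `-config` from the `req` call, the header `# Extensions to add to a certificate request` now appears to describe extensions applied at signing rather than in the CSR, and could say so.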
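Review bot: The docblock `Create the signing request for the TLS certificate.` no longer describes the contract now that the conf is not passed: the CSR carries only the subject DN and every X.509v3 extension has to come from the site conf at signing time. Suggest `Create the signing request (subject only) for the TLS certificate; SAN and other extensions are applied from the site conf when the CA signs it.` so nobody reintroduces `-config` here. Dropping the fourth parameter is backward-compatible for positional callers, since PHP ignores surplus arguments to user-defined functions, but a caller using the named argument `confPath:` would now throw an Error, which is worth a grep outside this file. This is the same method whose `-config` removal appears in the first patch of the series; the point about where extensions come from applies to both.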