[GH-ISSUE #199] Support openssl pem file for mac os homebrew #125

Open
opened 2026-02-25 22:32:40 +03:00 by kerem · 7 comments

Originally created by @DanielSiepmann on GitHub (Sep 18, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/199

We discovered that mkcert did not work as expected with PHP on Mac OS when installed via Homebrew. The reason seems to be that PHP via Homebrew is compiled against Homebrew's curl version, which in turn is using Homebrew's openssl, which provides its own root storage at `/usr/local/etc/openssl/cert.pem`.

This file is not updated by `mkcert -install`. Therefore requests via PHP curl will not work with mkcert certificates.

Our proposal would be to detect this file and either print a warning that it is not updated and needs to be adjusted by the user, or update this file. In any case a warning might be useful, as I expect the file to be managed by Homebrew and the package. Therefore updates might remove the added mkcert root certificate. Maybe there is a concept like hooks inside of Homebrew, allowing mkcert to re-add its root certificate on every update.

Used versions:

```
PHP Version 7.0.33
brew info openssl
openssl: stable 1.0.2s (bottled) [keg-only]
brew info curl
curl: stable 7.66.0 (bottled), HEAD [keg-only]
brew info mkcert
mkcert: stable 1.4.0 (bottled)
```

Workaround right now:

```
cat "$(mkcert -CAROOT)/rootCA.pem" >> /usr/local/etc/openssl/cert.pem
```

@FiloSottile commented on GitHub (Nov 9, 2019):

Yes, we should add it to `/usr/local/etc/openssl@1.1/certs` and run `/usr/local/opt/openssl@1.1/bin/c_rehash` (with and without `@1.1`). Leaving for v1.4.2.


@asyalove commented on GitHub (Feb 20, 2020):

> Yes, we should add it to `/usr/local/etc/openssl@1.1/certs` and run `/usr/local/opt/openssl@1.1/bin/c_rehash` (with and without `@1.1`). Leaving for v1.4.2.


@Shotster commented on GitHub (Jun 23, 2020):

I encountered similar when using `curl` from the macos terminal app; and so, as described in [item 4 on this page](https://curl.haxx.se/docs/sslcerts.html) under **Certificate Verification**, I simply added the `CURL_CA_BUNDLE` environment variable and pointed it to...

`"/Users/username/Library/Application Support/mkcert/rootCA.pem"`

...and that seems to work.


@chetan commented on GitHub (Nov 12, 2020):

To summarize, this should work -

```sh
mkdir -p /usr/local/etc/openssl@1.1/certs
cat "$(mkcert -CAROOT)/rootCA.pem" >> /usr/local/etc/openssl@1.1/certs/mkcert_ca.pem
/usr/local/opt/openssl@1.1/bin/c_rehash
```

I tested with php 7.4 + openssl@1.1 from homebrew.


@bhrutledge commented on GitHub (Dec 6, 2020):

Really glad I found this! I was getting this error from `wget ... https://127.0.0.1:8000`:

```
ERROR: cannot verify 127.0.0.1's certificate, issued by ‘CN=mkcert ...’:
  Unable to locally verify the issuer's authority.
To connect to 127.0.0.1 insecurely, use `--no-check-certificate'.
```

The commands in @chetan's comment seem like the best solution, but adding this option to `wget` also worked:

```
--ca-certificate="$(mkcert -CAROOT)/rootCA.pem"
```


@simPod commented on GitHub (Mar 31, 2022):

Anyone made this working with homebrew installing openssl into `/opt/homebrew`?

I ran

```sh
cat "$(mkcert -CAROOT)/rootCA.pem" >> /opt/homebrew/etc/openssl@1.1/certs/mkcert_ca.pem
/opt/homebrew/Cellar/openssl@1.1/1.1.1n/bin/c_rehash
```

my php uses that openssl

```
Openssl default config => /opt/homebrew/etc/openssl@1.1/openssl.cnf
openssl.cafile => /opt/homebrew/etc/openssl@1.1/cert.pem => /opt/homebrew/etc/openssl@1.1/cert.pem
openssl.capath => /opt/homebrew/etc/openssl@1.1/certs => /opt/homebrew/etc/openssl@1.1/certs
```

but still getting `SSL certificate problem: unable to get local issuer certificate for xxxx`


@aacassandra commented on GitHub (Feb 12, 2023):

When I'm running

```
cat "$(mkcert -CAROOT)/rootCA.pem"
```

I got the error message

```
cat: /rootCA.pem: No such file or directory
```

Can anyone help me? Thank you
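
An added example, not part of the thread and not mkcert's own code: the `>> cert.pem` workaround from the issue body made idempotent, so repeated runs do not stack duplicate roots, with a guard for the case where `mkcert -CAROOT` expands to nothing and the path becomes `/rootCA.pem`. The function names (`pem_body`, `bundle_has_ca`, `trust_ca`) and the PEM data in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent form of the ">> cert.pem" workaround.
# All function names are hypothetical helpers, not part of mkcert or Homebrew.

# pem_body FILE: base64 body of the first certificate in FILE, on one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { if (on) exit }
         on { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1"
}

# bundle_has_ca BUNDLE CA: succeed if CA's certificate is already in BUNDLE.
bundle_has_ca() {
    want=$(pem_body "$2")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { on = 1; cur = ""; next }
        /-----END CERTIFICATE-----/   { if (on && cur == want) found = 1; on = 0; next }
        on { gsub(/[ \t\r]/, ""); cur = cur $0 }
        END { exit (found ? 0 : 1) }' "$1"
}

# trust_ca BUNDLE CA: append CA to BUNDLE once. Rejects a missing or empty CA
# path, which is what an empty `mkcert -CAROOT` turns into ("/rootCA.pem").
trust_ca() {
    bundle=$1
    ca=$2
    [ -s "$ca" ] && [ -n "$(pem_body "$ca")" ] || { echo "no certificate at: $ca" >&2; return 2; }
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 3; }
    if bundle_has_ca "$bundle" "$ca"; then
        echo "already trusted"
        return 0
    fi
    # Keep PEM blocks on their own lines if the bundle lacks a final newline.
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    cat "$ca" >> "$bundle" && echo "added"
}

# Demo on constructed placeholder data (not real certificates).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' '-----END CERTIFICATE-----' > "$d/rootCA.pem"
    trust_ca "$d/cert.pem" "$d/rootCA.pem"   # first run appends
    trust_ca "$d/cert.pem" "$d/rootCA.pem"   # second run changes nothing
    grep -c 'BEGIN CERTIFICATE' "$d/cert.pem"
    rm -rf "$d"
}
demo
```

Against the paths in the issue this would be called as `trust_ca /usr/local/etc/openssl/cert.pem "$(mkcert -CAROOT)/rootCA.pem"`; as the issue body notes, a Homebrew update may replace the bundle, so the call has to be repeated afterwards.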
