valet secure returns issue about undefined command line value

What version of Valet are you using? (run valet -V)

Can you provide the output from each of these commands?

valet -V
sw_vers
which -a php
php -v
nginx -V
openssl version

$ valet -V
Laravel Valet 2.3.4

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.14.6
BuildVersion:   18G87

$ which -a php
/usr/local/opt/[email protected]/bin/php
/usr/local/opt/[email protected]/bin/php
/usr/local/bin/php
/usr/bin/php
/usr/local/opt/[email protected]/bin/php
/usr/local/opt/[email protected]/bin/php

$ php -v
PHP 7.2.22 (cli) (built: Aug 30 2019 11:00:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Xdebug v2.7.2, Copyright (c) 2002-2019, by Derick Rethans
    with Zend OPcache v7.2.22, Copyright (c) 1999-2018, by Zend Technologies

$ nginx -V
nginx version: nginx/1.15.8
built by clang 10.0.0 (clang-1000.11.45.5)
built with OpenSSL 1.0.2q  20 Nov 2018 (running with OpenSSL 1.0.2s  28 May 2019)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.8 --sbin-path=/usr/local/Cellar/nginx/1.15.8/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module

$ openssl version
LibreSSL 2.6.5

The $NF variable is a auto-generated variable in the awk command being run/looped over found certificates in
https://github.com/laravel/valet/blob/52a168eb96ad0dd9555be134696dda9785f3ddbf/cli/Valet/Site.php#L422-L425

What it's doing is looking for all certificates already matching the details of the certificate Valet would generate for the site you're securing, so that it can avoid duplication.

More specifically, it's getting a list of matching certificates, finding the detail line that shows the SHA-1 hash for it. That line would look like:
SHA-1 hash: 044EA9EFC7B997B66A482962D188168AF4E19E0C
It passes that line to awk, which uses $NF to grab the actual hash (here, $NF is the "number of fields on the line", which in practice refers to the hash portion of the line, since it's the last field on the line), which it then passes through to the delete command to remove it, based on the hash.

Normally an empty result from find-certificate | grep would just be ignored by awk. Much like a PHP foreach loop.

Why yours is doing something different is peculiar, and probably related to your environment.

More questions, which could reveal things influencing the expected outcome:
What Terminal application are you using?
Which command Shell are you running?
echo $SHELL
What's the outcome of the command (I'm expecting it to be blank):
sudo security find-certificate -e "[email protected]" -a -Z | grep SHA-1

This is happening with me, too, on Mac OS X 10.14 and now (after a system update) 10.15.

valet secure [domain] returns
Command line is missing a value for key "$NF": sudo security find-certificate -e "[email protected]" -a -Z | grep SHA-1 | sudo awk '{system("security delete-certificate -Z "$NF" /Library/Keychains/System.keychain")}'.

I suspect it's something to do with stricter Mac OS security settings, but that's only a hunch at this point.

I'm using the Mac Terminal (default Mac Terminal)
Bash Shell (haven't switched to zsh yet)
If I run the commands alone: sudo security find-certificate -e "[email protected]" -a -Z | grep SHA-1
There is no output.

@ramseyp Did you manage to resolve this for you?

Appears to be something in a more recent version, Im running Catalina 10.15.1 and Valet 2.3.3 and everything is working as it should.

I have the same issue, im running on Catalina 10.15.1 and using Valet 2.5.2.

While "me too" comments help indicate that others "have the problem too", posting answers to the previously asked questions will go much further towards helping diagnose/fix things.

1. Please post the output of:

valet -V
sw_vers
which -a php
php -v
nginx -V
openssl version
echo $SHELL

1. What Terminal application are you using?
2. What's the outcome of the command (I'm expecting it to be blank):
   sudo security find-certificate -e "[email protected]" -a -Z | grep SHA-1

1.

Laravel Valet 2.5.2
ProductName:    Mac OS X
ProductVersion: 10.15
BuildVersion:   19A583
/usr/local/bin/php
/usr/bin/php
PHP 7.3.5 (cli) (built: May  2 2019 12:40:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.5, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.5, Copyright (c) 1999-2018, by Zend Technologies
nginx version: nginx/1.15.8
built by clang 10.0.0 (clang-1000.11.45.5)
built with OpenSSL 1.0.2q  20 Nov 2018 (running with OpenSSL 1.0.2s  28 May 2019)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.8 --sbin-path=/usr/local/Cellar/nginx/1.15.8/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
LibreSSL 2.8.3
/bin/zsh

1. Default macOS Terminal
2. Empty.

I'm still running into the problem. More of my environment:

Laravel Valet 2.3.4
ProductName:    Mac OS X
ProductVersion: 10.15.1
BuildVersion:   19B88
PHP 7.3.11 (cli) (built: Oct 24 2019 11:29:00) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.11, Copyright (c) 1999-2018, by Zend Technologies
nginx version: nginx/1.15.0
built by clang 9.1.0 (clang-902.0.39.2)
built with OpenSSL 1.0.2o  27 Mar 2018 (running with OpenSSL 1.0.2r  26 Feb 2019)
LibreSSL 2.8.3
/bin/bash

Using the Mac Terminal, and running sudo security find-certificate -e "[email protected]" -a -Z | grep SHA-1 returns nothing

$ valet -V
Laravel Valet 2.5.2

$ sw_vers

ProductName:    Mac OS X
ProductVersion: 10.15.1
BuildVersion:   19B88

$ which -a php

/usr/local/bin/php
/usr/bin/php

$ php -v

PHP 7.3.8 (cli) (built: Aug  6 2019 23:15:07) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.8, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.8, Copyright (c) 1999-2018, by Zend Technologies

$ nginx -V

nginx version: nginx/1.17.3
built by clang 10.0.1 (clang-1001.0.46.4)
built with OpenSSL 1.0.2s  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.17.3 --sbin-path=/usr/local/Cellar/nginx/1.17.3/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-compat --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module

$ openssl version
LibreSSL 2.8.3

$ echo $SHELL
/bin/bash

Not sure if this matters but here's my awk version
$ awk --version
awk version 20070501

1. Default macOS Terminal
2. empty

As a workaround, I've commented out that statement in the Site.php code in vendor/laravel/valet. I can run the awk command manually without issue.

$ valet -V
Laravel Valet 2.5.2

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.1
BuildVersion: 19B88

$ which -a php
/usr/local/bin/php
/usr/bin/php

$ nginx -V
nginx version: nginx/1.17.3
built by clang 11.0.0 (clang-1100.0.33.8)
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.17.3_1 --sbin-path=/usr/local/Cellar/nginx/1.17.3_1/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/[email protected]/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/[email protected]/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-compat --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module

$ openssl version
LibreSSL 2.8.3

$echo $SHELL
/bin/zsh

1. What Terminal application are you using?
   iTerm2

2. What's the outcome of the command (I'm expecting it to be blank):
   Empty

What's the outcome of the command (I'm expecting it to be blank):

Makes sense for it to be empty tho as there is no certificate with that name?

Makes sense for it to be empty tho as there is no certificate with that name?

Isn't Valet generating the certificate?

Makes sense for it to be empty tho as there is no certificate with that name?

Isn't Valet generating the certificate?

If I run valet secure on a newly linked directory it still tries to delete the certificate first.

I'm guessing that the issue may be resolvable by understanding why $NF isn't being treated the same by awk as it was previously.

Unless perhaps you've got a different awk installed than what MacOS usually ships with?

I haven't heard of awk before today. So I'm pretty sure it's still the same awk.

I'm not sure the issue is awk, I'm still running Mojave so this change would have to be older than this issue suggests

But it's not awk that throws the error, it's Symfony/Process:
https://github.com/symfony/process/blob/master/Process.php#L1596

Yeah it's not clear what it's trying to do.

valet -vvv secure app

In Process.php line 1648:

  [Symfony\Component\Process\Exception\InvalidArgumentException]                                                                                                                                           
  Command line is missing a value for key "$NF": sudo security find-certificate -e "[email protected]" -a -Z | grep SHA-1 | sudo awk '{system("security delete-certificate -Z "$NF" /Library/Keychain  
  s/System.keychain")}'.                                                                                                                                                                                   


Exception trace:
  at /Users/XXX/.composer/vendor/symfony/process/Process.php:1648
 Symfony\Component\Process\Process->Symfony\Component\Process\{closure}() at n/a:n/a
 preg_replace_callback() at /Users/XXX/.composer/vendor/symfony/process/Process.php:1652
 Symfony\Component\Process\Process->replacePlaceholders() at /Users/XXX/.composer/vendor/symfony/process/Process.php:305
 Symfony\Component\Process\Process->start() at /Users/XXX/.composer/vendor/symfony/process/Process.php:234
 Symfony\Component\Process\Process->run() at /Users/XXX/.composer/vendor/laravel/valet/cli/Valet/CommandLine.php:90
 Valet\CommandLine->runCommand() at /Users/XXX/.composer/vendor/laravel/valet/cli/Valet/CommandLine.php:51
 Valet\CommandLine->run() at /Users/XXX/.composer/vendor/laravel/valet/cli/Valet/Site.php:483
 Valet\Site->unsecure() at /Users/XXX/.composer/vendor/laravel/valet/cli/Valet/Site.php:290
 Valet\Site->secure() at /Users/XXX/.composer/vendor/laravel/valet/cli/includes/facades.php:28
 Facade::__callStatic() at /Users/XXX/.composer/vendor/laravel/valet/cli/valet.php:157
 Silly\Application->{closure}() at n/a:n/a
 call_user_func_array() at /Users/XXX/.composer/vendor/php-di/invoker/src/Invoker.php:82
 Invoker\Invoker->call() at /Users/XXX/.composer/vendor/mnapoli/silly/src/Application.php:95
 Silly\Application->Silly\{closure}() at /Users/XXX/.composer/vendor/symfony/console/Command/Command.php:253
 Symfony\Component\Console\Command\Command->run() at /Users/XXX/.composer/vendor/symfony/console/Application.php:1011
 Symfony\Component\Console\Application->doRunCommand() at /Users/XXX/.composer/vendor/symfony/console/Application.php:272
 Symfony\Component\Console\Application->doRun() at /Users/XXX/.composer/vendor/symfony/console/Application.php:148
 Symfony\Component\Console\Application->run() at /Users/XXX/.composer/vendor/laravel/valet/cli/valet.php:384

secure [<domain>]

Maybe Process is trying to be "helpful" and parse out placeholders that weren't intended for replacement? "$NF" is intended to be passed literally, not with any PHP-based substitution.

Update: Yes, Process 4.4.0 changed things: https://github.com/symfony/process/compare/v4.3.8...v4.4.0#diff-9a01fc0e340da4c3f1e4a16029a63977R1644-R1653

Temporary workaround:
Downgrading Process to 4.3 seems to prevent it:
composer global require symfony/process:"4.3.*"

Alternatively, changing Sites.php to replace "$NF" with \'$NF\' appears to work too ... which I'll send a PR for.

@drbyte yes ! this works for me

Oh, interesting - Downgraded Process to 4.3 and valet secure seems to work now.

I've just encountered the same error and @drbyte's solution doesn't seem to work either, but this needs sorting. cc @taylorotwell @themsaid

Downgrading Process to 4.3 should definitely fix it, as the code that triggers the exception isn't in there.

yes downgraded, but none of my sites work now

This issue is about the error causing when running valet secure mydomain. If you downgraded, that's no longer the case. What's going wrong for you?

the error is no longer there, but what ever site i visit i.e app1.test app2.test doesn't work

This site can’t be reached
app1.test refused to connect.

Sorry for asking the obvious question: Did you try valet restart yet? 🙈

Yes I have done that also and re-linked etc
But still nothing.

Maybe try uninstall and reinstall it. If still no luck, maybe create another issue as it's not what this issue is about. 🙃

Please don't tag taylor and mohamed randomly on issues just because you're irritated.

Sorry @mattstauffer I just thought it should be addressed I am not irritated in any way shape or form.

https://github.com/laravel/valet/releases/tag/v2.5.3
This should be fixed in this release, thanks to @drbyte's unpaid and tireless work making this project better for all of us. If anyone has a similar issue after upgrading, please feel free to open a new issue. Thanks!

Thank @mattstauffer much appreciated sorry if it came across like i was irritated, please understand i wasn’t. I just felt the issue needed to be addressed. So please accept my apologies.

Kudos to @drbyte for this and sincere apologies if i came across as a complete tool, again this was not the case probably my stupid ass english!

Keep up the good work guys we all including me very very much appreciate it.