Vagrant's embedded OpenSSL is missing root certificates #3036

Closed
docwhat opened this Issue Feb 27, 2014 · 6 comments

docwhat commented Feb 27, 2014

The embedded OpenSSL in Vagrant is missing the root certificate bundles.

Here's an example of the problem:

∵ /usr/bin/ruby -e "require 'open-uri' ; open('https://www.vagrantup.com/') { |f| puts f.read.size }"
4837

∵ /Applications/Vagrant/embedded/bin/ruby -e "require 'open-uri' ; open('https://www.vagrantup.com/') { |f| puts f.read.size }"
/Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:851:in `start'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:313:in `open_http'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:708:in `buffer_open'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `catch'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:688:in `open'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:34:in `open'
        from -e:1:in `<main>'

It looks like libcrypto.dylib is looking for cert.pem in /vagrant-installer/staging/embedded/ssl/cert.pem:

∵ strings -a /Applications/Vagrant/embedded/lib/libcrypto.dylib | grep /cert.pem
/vagrant-installer/staging/embedded/ssl/cert.pem

As a counter example, the Homebrew version of OpenSSL:

∵ strings -a /usr/local/opt/openssl/lib/libcrypto.dylib | grep /cert.pem
/usr/local/etc/openssl/cert.pem

What Homebrew does to provide some certificates is get them from the Keychain (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/openssl.rb#L71):

security find-certificate -a -p /Library/Keychains/System.keychain > cert.pem
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> cert.pem

However, you'll have to adjust the way you build Vagrant's OpenSSL so that it expects the cert.pem someplace within the embedded directory.

Of course, you could also use the export SSL_CERT_FILE=/path/to/cert.pem method within the vagrant command but it won't fix people trying to use the embedded ruby directly.

Ciao!
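A diagnostic for the condition described in this post, written as an added example (not code from the issue, from Vagrant, or from Homebrew): it reports which cert.pem and cert directory this Ruby's OpenSSL consults, honouring the SSL_CERT_FILE and SSL_CERT_DIR overrides, and shows that verification against an empty trust store fails the same way net/http reports above. The self-signed root it generates is a constructed sample, not a real CA.

```ruby
require 'openssl'

# Where this Ruby's OpenSSL will look for trusted roots. SSL_CERT_FILE and
# SSL_CERT_DIR override the paths compiled into libcrypto (the same paths
# `strings libcrypto.dylib | grep cert.pem` reveals above).
def trust_store_paths(env = ENV)
  file = env['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env['SSL_CERT_DIR']  || OpenSSL::X509::DEFAULT_CERT_DIR
  { cert_file: file, cert_file_present: File.file?(file),
    cert_dir: dir,   cert_dir_present: File.directory?(dir) }
end

# Parse every certificate out of a PEM bundle such as cert.pem.
def pem_certs(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Verify a certificate against a store built only from the given PEM roots.
# An empty bundle, which is what an OpenSSL whose cert.pem path does not exist
# ends up with, yields false: the "certificate verify failed" seen above.
def verifies_against?(cert, roots_pem)
  store = OpenSSL::X509::Store.new
  pem_certs(roots_pem).each { |c| store.add_cert(c) }
  store.verify(cert)
end

# Constructed sample: a throwaway self-signed root standing in for a CA that
# may or may not be in the bundle. Not a real CA, not anything Vagrant ships.
def make_self_signed_root(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end
if __FILE__ == $PROGRAM_NAME
  p trust_store_paths
  root = make_self_signed_root('constructed-test-root')
  puts "in bundle:    #{verifies_against?(root, root.to_pem)}"  # true
  puts "empty bundle: #{verifies_against?(root, '')}"           # false
end
```

Run it with the embedded interpreter (/Applications/Vagrant/embedded/bin/ruby) to see the compiled-in path it reports and whether that file exists; set SSL_CERT_FILE and run again to confirm the override takes effect.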

Owner

mitchellh commented Feb 27, 2014

We just upgraded this for the latest Vagrant from here: http://curl.haxx.se/docs/caextract.html

Let me know if that's not good enough. Will be part of Vagrant 1.5.

@mitchellh mitchellh closed this Feb 27, 2014

docwhat commented Feb 27, 2014

Great!

ssayer commented Mar 4, 2014

Will Vagrant 1.5 not respect root certificates that are not part of the curl bundle in 1.5? I cannot install any non-local plugins in 1.4.3 as vagrant returns an error stating that it can't find the plugin. I did some digging, and it appears to be due to an SSL cert issue due to the embedded rubygems not trusting my certificate.

docwhat commented Mar 5, 2014

@ssayer

From what @mitchellh said, 1.5 will only honor root certs that are in the curl CA root certificates. This shouldn't be a problem except if you are talking via SSL to a server with a self-signed certificate.

Vagrant < 1.5 doesn't have any root certificates. However, rubygems does have root certificates already bundled for rubygems.org and the s3 servers so it probably works for fetching normal gems.

What's your certificate? Is it in curl's CA certificates?

Ciao!

ssayer commented Mar 5, 2014

@docwhat @mitchellh

My certificate is not in the CA bundle. The weird thing is that I can install gems using the embedded rubygems directly, but rubygems throws an SSL error when used through the vagrant plugin installer.

@tknerr tknerr referenced this issue in tknerr/bills-kitchen on Mar 10, 2014: "Bundle CA certificates #45" (Closed)

ssayer commented Mar 11, 2014

I see my solution was in the original post now.

Of course, you could also use the export SSL_CERT_FILE=/path/to/cert.pem method within the vagrant command but it won't fix people trying to use the embedded ruby directly.

I was setting the SSL_CERT_FILE env variable outside of the script, and so vagrant was clobbering my setting. I just changed this to point to my cert, and vagrant is happy again. Thanks @docwhat!
