Cannot download puppetlabs Vagrant Cloud boxes without cURL cert error #5001

Closed
AnthonyMastrean opened this Issue Dec 16, 2014 · 24 comments

AnthonyMastrean commented Dec 16, 2014

I can't vagrant up or vagrant box add this puppetlabs Vagrant Cloud box on Ubuntu 14.04 x64 and Vagrant 1.7.1 x64 or 1.7.0 x64 (downloaded and installed the .deb from the Vagrant website). I get this error message from cURL.

$ vagrant box add puppetlabs/centos-6.5-64-puppet --force
==> box: Loading metadata for box 'puppetlabs/centos-6.5-64-puppet'
    box: URL: https://atlas.hashicorp.com/puppetlabs/centos-6.5-64-puppet
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.

1) virtualbox
2) vmware_desktop
3) vmware_fusion

Enter your choice: 1
==> box: Adding box 'puppetlabs/centos-6.5-64-puppet' (v1.0.0) for provider: virtualbox
    box: Downloading: https://atlas.hashicorp.com/puppetlabs/boxes/centos-6.5-64-puppet/
versions/1.0.0/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I can download the box directly using the system cURL

$ curl -O -L https://vagrantcloud.com/puppetlabs/boxes/centos-6.5-64-puppet/versions/1.0.0/providers/virtualbox.box

and the Vagrant embedded cURL

$ /opt/vagrant/bin/../embedded/bin/curl -O -L https://vagrantcloud.com/puppetlabs/boxes/centos-6.5-64-puppet/versions/1.0.0/providers/virtualbox.box

I downgraded to Vagrant 1.6.5 x64 from the .deb on the website and tried again and it worked.


Here's the command debug log

@AnthonyMastrean AnthonyMastrean changed the title from Cannot download Vagrant Cloud boxes without cURL cert error to Cannot download puppetlabs Vagrant Cloud boxes without cURL cert error Dec 16, 2014

@sethvargo sethvargo added the bug label Dec 17, 2014

choffee commented Dec 17, 2014

This is because the certificate bundle in the package is broken.

If I copy /etc/ssl/certs/ca-certificates.crt to /opt/vagrant/embedded/cacert.pem

It all works again.

rykelley commented Dec 18, 2014

I'm having this same issue, but I discovered it using test-kitchen with ChefDK. At first I thought it was a kitchen issue, but Chef helped point me to Vagrant. So here is some output on an Ubuntu 12.04 box:

ykelley@EOS01:~/workspace/base chef-repos/platform-engineering-chef/cookbooks/test$ vagrant box add hashicorp/precise64
The box 'hashicorp/precise64' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
vagrant login. Also, please double-check the name. The expanded
URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/hashicorp/precise64"]
Error: SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Using vagrant up hashicorp/precise64 --insecure worked.

cat /etc/ssl/certs/ca-certificates.crt >> /opt/vagrant/embedded/cacert.pem from @choffee worked

lamont-granquist commented Dec 18, 2014

Relevant e-mail thread: http://curl.haxx.se/mail/archive-2014-10/0062.html

We wound up pinning to an old version.

Also reported to Amazon that the root key that signs their key is 1024-bit and it went right over the head of the employee that responded to me:

https://forums.aws.amazon.com/thread.jspa?threadID=164095

sethvargo commented Dec 18, 2014

@lamont-granquist thank you for chiming in. That's crappy of Amazon 😦. FWIW, Verisign has 2048-bit keys because that's what my blog is signed with. What version did you pin to?

lamont-granquist commented Dec 18, 2014

good:

-## Certificate data from Mozilla downloaded on: Wed Aug 20 03:12:04 2014

bad:

+## Certificate data from Mozilla downloaded on: Wed Sep  3 03:12:03 2014

You should probably go pop your head in both the curl mailing list and the Amazon thread and poke folks there. The curl folks were going to do something with their script to not filter out those certs.

lamont-granquist commented Dec 18, 2014

The longer workaround is also baking mk-ca-bundle.pl directly into build scripts and bypassing the curl url, but I was hoping it'd just get fixed upstream.
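To make the failure mode discussed above concrete, here is an added Ruby demo (constructed for this page, not code from the thread, from curl or from Vagrant). It builds a throwaway chain rooted in a 1024-bit CA, drops that root from a bundle the way the Sep 2014 mk-ca-bundle export did, and verifies a leaf against each bundle the way curl would; the CA names, the 2048-bit cutoff and the "atlas.example.test" hostname are assumptions of the demo.

```ruby
require "openssl"

# Constructed demo chain (not the real RapidSSL or Amazon chain from this thread):
# a 1024-bit root, like the roots the Sep 2014 Mozilla export dropped, one
# intermediate and one server leaf. All names are made up.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

ROOT_KEY  = OpenSSL::PKey::RSA.new(1024)
INTER_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
ROOT  = make_cert("Demo 1024-bit Root CA", ROOT_KEY)
INTER = make_cert("Demo Intermediate CA", INTER_KEY, issuer: ROOT, issuer_key: ROOT_KEY)
LEAF  = make_cert("atlas.example.test", LEAF_KEY, issuer: INTER, issuer_key: INTER_KEY, ca: false)

# Parse a cacert.pem-style bundle (concatenated PEM blocks) into certificate objects.
def bundle_certs(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |p| OpenSSL::X509::Certificate.new(p) }
end

# Mimic what the Sep 2014 mk-ca-bundle run did: drop roots whose RSA modulus is below min_bits.
def filter_weak_roots(pem, min_bits)
  bundle_certs(pem).select { |c| c.public_key.n.num_bits >= min_bits }.map(&:to_pem).join
end

# Verify a leaf against a bundle as curl does; returns [ok, OpenSSL's error string].
def verify_against_bundle(pem, leaf, intermediates)
  store = OpenSSL::X509::Store.new
  bundle_certs(pem).each { |c| store.add_cert(c) }
  ok = store.verify(leaf, intermediates)
  [ok, ok ? "ok" : store.error_string]
end

GOOD_BUNDLE = ROOT.to_pem                           # bundle that still carries the 1024-bit root
BAD_BUNDLE  = filter_weak_roots(GOOD_BUNDLE, 2048)  # root dropped, as in the broken package
p verify_against_bundle(GOOD_BUNDLE, LEAF, [INTER])  # => [true, "ok"]
p verify_against_bundle(BAD_BUNDLE, LEAF, [INTER])   # => [false, "unable to get local issuer certificate"]
```

The second result is the exact string curl surfaces in the reports above: the server's chain is fine, the local bundle simply no longer contains the anchor, which is why appending a system bundle fixes it while --insecure only hides it.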

@sethvargo sethvargo added the upstream label Dec 18, 2014

sethvargo commented Dec 18, 2014

Okay - I posted a note and the full certificate chain on that forum.

vpassapera commented Dec 21, 2014

👍 @choffee

brpaz commented Jan 3, 2015

Same problem here. Was having some problems downloading base boxes from VagrantCloud as well as executing Chef provisioning in some projects.
The @choffee workaround worked for me also.

klub commented Jan 5, 2015

Try using this line in your Vagrantfile:

config.vm.box_download_insecure = true

sethvargo commented Jan 6, 2015

We are releasing Vagrant 1.7.2 later today and it includes a new cacert bundle that fixes this issue.

@sethvargo sethvargo closed this Jan 6, 2015

tknerr commented Jan 7, 2015

Can verify that this is fixed in 1.7.2 now. Thanks all!

jdub commented Jan 21, 2015

Is there a corresponding bug for OS X, or is this a good issue in which to report a similar problem? I just updated to 1.7.2, and am seeing the same error.

jdub@slender:~/src/wang$ vagrant version
Installed Version: 1.7.2
Latest Version: 1.7.2

You're running an up-to-date version of Vagrant!

jdub@slender:~/src/wang$ vagrant box update
==> default: Checking for updates to 'ubuntu/precise64'
    default: Latest installed version: 12.04.4
    default: Version constraints:
    default: Provider: virtualbox
There was an error while downloading the metadata for this box.
The error message is shown below:

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

rommsen commented Jan 21, 2015

Same problem here on Ubuntu 14.04:

vagrant version
Installed Version: 1.7.2
Latest Version: 1.7.2

You're running an up-to-date version of Vagrant!

vagrant box update 
==> default: Checking for updates to 'ubuntu/trusty64'
    default: Latest installed version: 14.04
    default: Version constraints: 
    default: Provider: virtualbox
There was an error while downloading the metadata for this box.
The error message is shown below:

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

None of the workarounds above worked for me.

rommsen commented Jan 21, 2015

What worked for me was the following:

vagrant box add --insecure 'ubuntu/trusty64' https://atlas.hashicorp.com/ubuntu/boxes/trusty64/versions/14.04/providers/virtualbox.box

After this I cannot use vagrant box update anymore. But at least I can start the VM:

vagrant box update
==> default: Checking for updates to 'ubuntu/trusty64'
    default: Latest installed version: 0
    default: Version constraints: 
    default: Provider: virtualbox
The box 'ubuntu/trusty64' is not a versioned box. The box was added
directly instead of from a box catalog. Vagrant can only
check the versions of boxes that were added from a catalog
such as from the public Vagrant Server.

longthanhtran commented Jan 21, 2015

My Vagrant 1.7.2 on Windows 7 x64 has this issue just today: "SSL certificate problem: unable to get local issuer certificate". After checking, I found vagrantcloud.com using RapidSSL, whose complete SSL chain my local curl was unable to verify. Just need to grab the SSL cert (PEM format) from https://ssl-tools.net/certificates/nakw2x-rapidssl-sha256-ca-g3 and append this to the Vagrant folder (vagrant\embedded).

Tairy commented Jan 25, 2015

@longthanhtran could you tell me how to append the PEM file to the Vagrant folder? Only copy this file to the folder? Thanks!

longthanhtran commented Jan 25, 2015

I think the incomplete certificate chain issue is solved now so you may not need to modify the local issuer certificate file.

If you want to know which file is being used by curl, you can check by running (for example)

curl -v 'http://vagrantcloud.com'

to

  • check if curl can handle https request or
  • find the local ca bundle file

then you can copy the content of the cert file (downloaded per the previous link) and append it to the current one (either curl-ca-bundle.crt or cacert.pem in the same folder as curl).

cjw296 commented Feb 26, 2015

I've opened #5391 as a separate issue for the Mac OS X problem.

Ozsiix commented Mar 10, 2016

Just add this line into your Vagrantfile:
config.vm.box_download_insecure = true

anjaneyaprasad commented Dec 18, 2016

@Ozsiix you saved me...

miscapu commented Feb 5, 2017

Add the following code in your Vagrantfile:
config.vm.box_download_insecure = true
For more information:
Machine Settings Vagrant

Ozsiix commented Feb 6, 2017

@miscapu that's literally what I said a year ago :p

dragon788 commented Feb 9, 2017

Since it is a terrible practice to disable SSL verification long term, you can correct the certificate issue the right way by adding the certificate to the trust chain of the embedded Ruby and curl (painful but possible to automate) or, better yet, by using the alternate CA path that was added to a newer Vagrant version. config.vm.box_download_ca_cert appears to be the new setting.
