Vagrant's embedded OpenSSL is missing root certificates #3036

Closed
docwhat opened this Issue · 6 comments

3 participants

@docwhat

The embedded OpenSSL in Vagrant is missing the root certificate bundles.

Here's an example of the problem:

∵ /usr/bin/ruby -e "require 'open-uri' ; open('https://www.vagrantup.com/') { |f| puts f.read.size }"
4837

∵ /Applications/Vagrant/embedded/bin/ruby -e "require 'open-uri' ; open('https://www.vagrantup.com/') { |f| puts f.read.size }"
/Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:851:in `start'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:313:in `open_http'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:708:in `buffer_open'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `catch'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:688:in `open'
        from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:34:in `open'
        from -e:1:in `<main>'

It looks like libcrypto.dylib is looking for cert.pem in /vagrant-installer/staging/embedded/ssl/cert.pem:

∵ strings -a /Applications/Vagrant/embedded/lib/libcrypto.dylib | grep /cert.pem
/vagrant-installer/staging/embedded/ssl/cert.pem

As a counter example, the Homebrew version of OpenSSL:

∵ strings -a /usr/local/opt/openssl/lib/libcrypto.dylib | grep /cert.pem
/usr/local/etc/openssl/cert.pem

What Homebrew does to provide some certificates is get them from the Keychain (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/openssl.rb#L71):

security find-certificate -a -p /Library/Keychains/System.keychain > cert.pem
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> cert.pem

However, you'll have to adjust the way you build Vagrant's OpenSSL so that it expects the cert.pem someplace within the embedded directory.

Of course, you could also use the export SSL_CERT_FILE=/path/to/cert.pem method within the vagrant command but it won't fix people trying to use the embedded ruby directly.

Ciao!
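As an added illustration of the failure described in this issue (example code written for this page, not code from the issue, from Vagrant or from Homebrew): the first helper reports the CA bundle path this Ruby's OpenSSL was compiled with (or the SSL_CERT_FILE override) and whether it exists; the rest builds a throwaway CA and leaf certificate in memory and verifies the leaf first with no bundle at all, which is the "certificate verify failed" case, and then against a cert.pem containing the CA. All certificate data is constructed on the fly; the function names are this example's own.

```ruby
require 'openssl'
require 'tempfile'

# Where this Ruby's OpenSSL expects its default CA bundle, and whether it is
# actually present. A build that baked in a path like
# /vagrant-installer/staging/embedded/ssl/cert.pem reports exists: false here
# unless SSL_CERT_FILE points somewhere valid.
def default_ca_bundle_status
  path = ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
  { path: path, exists: File.file?(path), overridden: ENV.key?('SSL_CERT_FILE') }
end

# Build a throwaway root CA and a leaf certificate it signs (constructed data,
# valid for one hour, never written anywhere except the temp bundle below).
def build_test_chain
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=Example Test Root CA')
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest::SHA256.new)

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=www.example.test')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 3600
  lef = OpenSSL::X509::ExtensionFactory.new(ca, leaf)
  leaf.add_extension(lef.create_extension('basicConstraints', 'CA:FALSE', true))
  leaf.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [ca, leaf]
end

# Verify a leaf the way net/http does under VERIFY_PEER: against a store built
# from a CA bundle file. A nil or missing bundle_path means "no bundle at all",
# which is the state the issue describes for the embedded OpenSSL.
# Returns [verified?, openssl error code, openssl error string].
def verify_against_bundle(leaf, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path) if bundle_path && File.file?(bundle_path)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

# Run both cases: no bundle (fails: unable to get local issuer certificate)
# and a cert.pem that contains the CA (succeeds).
def demo
  ca, leaf = build_test_chain
  bundle = Tempfile.new(['cert', '.pem'])
  bundle.write(ca.to_pem)
  bundle.flush
  results = {
    without_bundle: verify_against_bundle(leaf, nil),
    with_bundle: verify_against_bundle(leaf, bundle.path)
  }
  bundle.close!
  results
end

if __FILE__ == $PROGRAM_NAME
  p default_ca_bundle_status
  p demo
end
```

Running this under the embedded Ruby shows `exists: false` for the compiled-in path unless SSL_CERT_FILE is exported, which is exactly why open-uri raises in the transcript above; the second half shows that the same certificate verifies once a bundle containing its issuer is supplied, with no change to the certificate itself.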

@mitchellh
Owner

We just upgraded this for the latest Vagrant from here: http://curl.haxx.se/docs/caextract.html

Let me know if that's not good enough. Will be part of Vagrant 1.5

@mitchellh mitchellh closed this
@docwhat

Great!

@ssayer

Will Vagrant 1.5 not respect root certificates that are not part of the curl bundle in 1.5? I cannot install any non-local plugins in 1.4.3 as vagrant returns an error stating that it can't find the plugin. I did some digging, and it appears to be due to an SSL cert issue due to the embedded rubygems not trusting my certificate.

@docwhat

@ssayer

From what @mitchellh said, 1.5 will only honor root certs that are in the curl CA root certificates. This shouldn't be a problem except if you are talking via SSL to a server with a self-signed certificate.

Vagrant < 1.5 doesn't have any root certificates. However, rubygems does have root certificates already bundled for rubygems.org and the s3 servers so it probably works for fetching normal gems.

What's your certificate? Is it in the curl's ca certificates?

Ciao!

@ssayer

@docwhat @mitchellh

My certificate is not in the CA bundle. The weird thing is that I can install gems using the embedded RubyGems directly, but RubyGems throws an SSL error when used through the vagrant plugin installer.

@tknerr tknerr referenced this issue in tknerr/bills-kitchen
Closed

Bundle CA certificates #45

@ssayer

I see my solution was in the original post now.

Of course, you could also use the export SSL_CERT_FILE=/path/to/cert.pem method within the vagrant command but it won't fix people trying to use the embedded ruby directly.

I was setting the SSL_CERT_FILE env variable outside of the script, and so vagrant was clobbering my setting. I just changed this to point to my cert, and vagrant is happy again. Thanks @docwhat!

@cbandy cbandy referenced this issue from a commit
Commit has since been removed from the repository and is no longer available.