Re: [vagrant-up] SSL Certificate Problem When Downloading Box Behind Websense


Alvaro Miranda Aguilera

Dec 14, 2017, 2:10:31 PM
to vagra...@googlegroups.com

You can add your proxy into the local certs being used.
Try setting the variable SSL_CERT_FILE to a file that includes your proxy certificate.

Alvaro.
 

On Thu, Dec 14, 2017 at 2:44 PM, Alex Drawbond <adra...@gmail.com> wrote:
Hello,

I am trying to run:
vagrant box update --box ubuntu/trusty64

from a macOS machine running behind Websense. I am taking the following error:

There was an error while downloading the metadata for this box.
The error message is shown below:
SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

We assume the issue is that Websense is terminating SSL, inspecting the traffic and then injecting its own certificate before passing the traffic along. Websense's certificate isn't recognized by curl and rejected. Using the --insecure option does resolve the problem. I would prefer to not use --insecure, and adding Websense's cert to the list of trusted certs isn't an option either. What I can do is have IPs whitelisted in Websense so that their SSL isn't interfered with. I am having a hard time tracking down all the IPs Vagrant is hitting behind the scenes, and was hoping there was some documentation somewhere detailing which IPs need to be whitelisted to work with Websense?

Thanks,
Alex




--
Alvaro
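
The SSL_CERT_FILE suggestion in the reply above, as an added example that is not part of the original thread: a shell helper that builds a private bundle (an existing CA bundle plus one proxy root certificate) and refuses input that should not be trusted blindly. The function names and all file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not from the thread.

# Print the number of PEM certificates in a file (0 when none are found).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_ca_bundle BASE_BUNDLE PROXY_CA_PEM OUT
# Writes OUT = BASE_BUNDLE followed by PROXY_CA_PEM. Return codes:
#   0 ok
#   2 an input is unreadable, or BASE_BUNDLE holds no certificates
#   3 PROXY_CA_PEM is not exactly one PEM certificate (DER export, chain, empty)
#   4 PROXY_CA_PEM also contains a private key
build_ca_bundle() {
    base=$1; proxy_ca=$2; out=$3
    [ -r "$base" ] && [ -r "$proxy_ca" ] || return 2
    [ "$(count_certs "$base")" -ge 1 ] || return 2
    # Trust exactly one reviewed root, never whatever a multi-cert export contains.
    [ "$(count_certs "$proxy_ca")" -eq 1 ] || return 3
    # A key in this file means the wrong artifact was handed over.
    if grep -q -- 'PRIVATE KEY-----' "$proxy_ca"; then return 4; fi
    tmp="$out.tmp.$$"
    # The extra newline keeps PEM markers on their own lines when the
    # base bundle does not end with one.
    { cat "$base"; printf '\n'; cat "$proxy_ca"; } > "$tmp" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$out"
}

# Usage (paths are assumptions; adjust to the local install):
#   # Compare subject and fingerprint with what the proxy administrators publish:
#   openssl x509 -in "$HOME/proxy-root.pem" -noout -subject -fingerprint -sha256
#   build_ca_bundle /path/to/existing/cacert.pem "$HOME/proxy-root.pem" \
#       "$HOME/.vagrant.d/ca-with-proxy.pem"
#   # Scope the extra trust to this one command instead of the whole system:
#   SSL_CERT_FILE="$HOME/.vagrant.d/ca-with-proxy.pem" \
#       vagrant box update --box ubuntu/trusty64
```

Setting the variable on the command line limits the added trust to that single process; the system trust store and other tools are unchanged.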
