How to work around curl SSL error downloading a box?


CB

May 20, 2013, 1:56:10 PM
to vagra...@googlegroups.com
I've grabbed the precise64 box, placed it on a local mirror and modified my Vagrantfile to point to that mirror. When I command `vagrant up`, I get SSL errors caused by my group's self-signed certificate:

    SSL certificate problem: unable to get local issuer certificate
    ...
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

While I work to resolve the certificate issue, is there an easy way to work around this complaint from curl?

CB

May 21, 2013, 5:58:19 PM
to vagra...@googlegroups.com
I got my certificates installed, and they work with wget, and with svn, and NOT with vagrant/curl.

I also tried:

    $ CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt vagrant up

Perhaps curl is being fussy because of this bug in neon: https://bugs.launchpad.net/ubuntu/+source/neon27/+bug/576750

Short of hacking neon/curl/vagrant, is there another solution? Perhaps use a config.vm.box_url which is a file:// URL?

CB

May 21, 2013, 6:17:00 PM
to vagra...@googlegroups.com

On Tuesday, May 21, 2013 5:58:19 PM UTC-4, CB wrote:

> Short of hacking neon/curl/vagrant, is there another solution? Perhaps use a config.vm.box_url which is a file:// URL?

Yes, it seems a file URL will work fine.

Oleg Yashchuk

Dec 12, 2014, 12:36:51 AM
to vagra...@googlegroups.com
Did you solve this problem? I have exactly the same.

Kev

Dec 22, 2014, 3:17:40 PM
to vagra...@googlegroups.com
Same here, but even my $ vagrant box add ubuntu/trusty64 gives an error.

```
The box 'ubuntu/trusty64' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/ubuntu/trusty64"]
Error: SSL certificate problem: unable to get local issuer certificate
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```


Kev

Dec 22, 2014, 3:55:18 PM
to vagra...@googlegroups.com
Alright, if you trust the site, you can bypass the security by implementing the --insecure option. However, the usage of the tool for options is incorrect.

Documentation Usage: vagrant [options] <command> [<args>]
Actual Usage: Usage: vagrant <command> [options] [<args>]

Sayth Renshaw

Dec 31, 2014, 1:59:57 AM
to vagra...@googlegroups.com
So was this solved? I still can't get it to work.

Sayth

Torben Knerr

Dec 31, 2014, 7:36:39 AM
to vagra...@googlegroups.com
The latest cacerts bundle from http://curl.haxx.se/docs/sslcerts.html
has some weak 1024 bit RSA certs removed in September 2014:
http://curl.haxx.se/mail/lib-2014-09/0041.html

This causes some https sites to fail, among others Amazon S3 on which
several base boxes are hosted:
https://forums.aws.amazon.com/thread.jspa?threadID=164095

As a workaround, you can use an older version of the cacerts bundle
from August, e.g. this one here:
https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt

Download the file, then this should work:
```
export SSL_CERT_FILE=/path/to/ca-bundle.crt
vagrant up
```

HTH, Torben




Sayth Renshaw

Dec 31, 2014, 3:33:01 PM
to vagra...@googlegroups.com

Thanks



Adewole Ogunyadeka

Jan 5, 2015, 12:42:15 PM
to vagra...@googlegroups.com
OK. I am having the same problem. I am actually trying to install Appscale on my Ubuntu. Unfortunately, when I get to the point of "vagrant up" I keep getting the error "SSL certificate problem: unable to get a local issuer certificate". I tried to use the "vagrant up -k" option or "vagrant up --insecure" but it tells me it is an invalid option. Can someone give me a step-by-step way to work around this, as I am a beginner with this whole vagrant/linux environment?



Torben Knerr

Jan 5, 2015, 1:06:45 PM
to vagra...@googlegroups.com
Does this work for you?

Adewole Ogunyadeka

Jan 5, 2015, 1:52:29 PM
to vagra...@googlegroups.com
How do I go about it? I haven't seen any tab/button that allows me to download the file. How do I download it, and when I download it, how do I use it? Pardon me, but I am very new to this environment.

Torben Knerr

Jan 5, 2015, 2:09:53 PM
to vagra...@googlegroups.com
Hi Adewole,

try running this from your console:

```
# ?raw=true makes GitHub serve the file itself rather than the HTML blob page
wget -O /tmp/ca-bundle.crt \
  'https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt?raw=true'
export SSL_CERT_FILE=/tmp/ca-bundle.crt
vagrant up
```

HTH, Torben

Adewole Ogunyadeka

Jan 6, 2015, 6:43:27 AM
to vagra...@googlegroups.com

I have run the given command but I still get the same error. I think it is better I put a screenshot so you can see. I also get a message saying default: box 'appscale/releases' could not be found. Although I have installed VirtualBox already.

Torben Knerr

Jan 6, 2015, 7:32:56 AM
to vagra...@googlegroups.com
Weird. I'm sure I had it working a few days ago but now I'm getting exactly the same error.

* setting SSL_CERT_FILE does not help
* neither does replacing /opt/vagrant/embedded/cacert.pem

Might be something wrong with my current setup here, as I'm sure it did work that way.

Anyway, here is the related GitHub issue:

You might want to comment there as well.

Cheers, 
Torben


Igor Itkin

Jan 6, 2015, 11:16:05 AM
to vagra...@googlegroups.com
Found on git:

```
sudo cp /etc/ssl/certs/ca-certificates.crt /opt/vagrant/embedded/cacert.pem
```

It works for me.

On Monday, May 20, 2013 at 20:56:10 UTC+3, CB wrote:

Torben Knerr

Jan 6, 2015, 8:56:56 PM
to vagra...@googlegroups.com
Hi everybody,

this should be fixed if you upgrade to Vagrant 1.7.2 released today

HTH,
Torben

Josh Copeland

Feb 12, 2015, 1:39:30 PM
to vagra...@googlegroups.com
This worked so good, thx

Chris Withers

Feb 26, 2015, 4:13:05 AM
to vagra...@googlegroups.com
Not for me I'm afraid...

I'm on Mac OS X Yosemite - 10.10.2 (14C109):

```
$ vagrant --version
Vagrant 1.7.2

$ /opt/vagrant/bin/../embedded/bin/curl -v https://atlas.hashicorp.com/
* About to connect() to atlas.hashicorp.com port 443 (#0)
*   Trying 107.23.224.212...
* Adding handle: conn: 0x82a200
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x82a200) send_pipe: 1, recv_pipe: 0
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

The os-supplied curl works fine:

```
$ curl -v https://atlas.hashicorp.com/
* Hostname was NOT found in DNS cache
*   Trying 107.23.224.212...
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.hashicorp.com
* Server certificate: RapidSSL SHA256 CA - G3
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: atlas.hashicorp.com
> Accept: */*
< HTTP/1.1 200 OK
```

Out of curiosity, why does Vagrant ship with its own curl?

cheers,

Chris
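
An added example, not part of any post in this thread: it reproduces the `unable to get local issuer certificate` error offline and shows it clearing once the issuing CA is in the bundle handed to the verifier, which is the difference between the two curl runs above and the alternative to `-k`. The CA, host name and paths are constructed throwaway values, and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo: all keys, certificates and names are throwaway values in a
# temp directory; the system trust store and Vagrant's bundle are not touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Internal CA, standing in for a group's self-signed CA (hypothetical name).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Certificate for the box mirror, issued by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mirror.example.internal" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 2 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/srv.crt" 2>/dev/null
  # Unrelated CA, standing in for a stock bundle that lacks the internal CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated Public CA" \
    -keyout "$WORK/pub.key" -out "$WORK/stock-bundle.crt" 2>/dev/null
  # Trusting the internal CA means appending its PEM to the bundle.
  cat "$WORK/stock-bundle.crt" "$WORK/ca.crt" > "$WORK/combined-bundle.crt"
}

# verify_with BUNDLE: print openssl's verdict on srv.crt against BUNDLE.
verify_with() {
  openssl verify -CAfile "$1" "$WORK/srv.crt" 2>&1
}

# bundle_trusts BUNDLE: succeed only if the chain validates.
bundle_trusts() {
  verify_with "$1" | grep -q ': OK$'
}

make_pki
for b in stock-bundle.crt combined-bundle.crt; do
  if bundle_trusts "$WORK/$b"; then
    echo "$b: chain verifies"
  else
    echo "$b: $(verify_with "$WORK/$b" | grep -o 'unable to get local issuer certificate')"
  fi
done
```

For a real download, the combined bundle is what gets handed to curl with `--cacert` (the option curl's error text names) or to Vagrant with `config.vm.box_download_ca_cert` in the Vagrantfile.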

Andreas Offenhäuser

Sep 18, 2015, 5:59:33 AM
to Vagrant
If anyone else runs into this problem. In case you trust the source you can use the config.vm.box_download_insecure = true switch to force vagrant to use --insecure on the curl method.

Alvaro Miranda Aguilera

Sep 18, 2015, 9:47:04 PM
to vagra...@googlegroups.com
Hello Andreas

Just wondering, what version of Vagrant are you using?

vagrant version
vagrant plugin list

Thanks
Alvaro

Geoff Hartnell

Sep 21, 2015, 6:06:56 AM
to Vagrant

On Friday, 18 September 2015 10:59:33 UTC+1, Andreas Offenhäuser wrote:
> If anyone else runs into this problem. In case you trust the source you can use the config.vm.box_download_insecure = true switch to force vagrant to use --insecure on the curl method.

Andreas

I've run into this problem, but not quite sure where to use the switch - I've tried:
vagrant config.vm.box_download_insecure=true up
vagrant "config.vm.box_download_insecure = true" up
 - but these just displayed the help command
 
and because a previous poster suggested the options come after the commands, I tried:
vagrant up config.vm.box_download_insecure = true
 - but this just reported that the box config.vm.box_download_insecure was not found configured
 - so I guess the options do precede the commands

Can you explain where to use the switch - I'm using version 1.7.4

Thanks
Geoff
 

Geoff Hartnell

Sep 21, 2015, 6:33:19 AM
to Vagrant

For anyone else who wants to know how to use the switch, it goes in the Vagrantfile.
I've added it there and attempted to invoke vagrant up - now I get:

```
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'hdheer/rh6' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
The box 'hdheer/rh6' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:

Error: The requested URL returned error: 401 Server Authentication Required
```

I can browse to https://atlas.hashicorp.com/hdheer/rh6 in Chrome, but can't get vagrant to launch the first box
Any suggestions much appreciated / welcome

Thanks
Geoff


 

Chendil Kumar Manoharan

Mar 23, 2016, 9:47:29 AM
to Vagrant
This works. Thanks Torben. :)

Vishok Narayan

May 29, 2018, 7:37:03 AM
to Vagrant
This worked for me!

Tony Ng

Jul 20, 2019, 12:16:33 PM
to Vagrant
Yes, I also got the same problem, and the --insecure option only works with the box add option, as below:

vagrant box add ubuntu/trusty64 --insecure

Not required to download the old certificate. Just run above command line first and then you can run the up command properly.

vagrant up

It works on my Mac 10.14.5 and Vagrant 2.2.5

Good Luck!