Can't install vagrant plugin on proxy environment.
1.4.0 -> NG.
1.3.5 -> OK.
MacOSX Mavericks
Things I need:
--debug log present

Hi @rkyymmt,
the essential change between 1.3.5 and 1.4.0 is that rubygems is upgraded to 2.x, which by default uses https to access rubygems.org.
I assume you have the HTTPS_PROXY environment variable set, too?
Still I can't understand where the _302 "Moved Temporarily"_ comes from and why it errors out. I would suspect that your proxy is not behaving well here, as I can't reproduce the error using polipo. Does the proxy do some SSL interception?
:+1:
On Ubuntu 12.04.3 LTS behind corporate firewall and properly set up proxy variables, I get plain "no plugin found" human-friendly message from vagrant plugin install vagrant-cachier: https://gist.github.com/tuminoid/8312486
Our proxy does MITM so all SSL certs appear untrusted, could that be a key to this?
I can also confirm that 1.3.5 does install plugins successfully in our environment, but 1.4.2 does not. Looks like https issue like @tmatilai suspected.
@rkyymmt @tuminoid can you install gems manually like gem install vagrant-proxyconf with Rubygems 2.0? Do you have some _gemrc_ or other configuration that would help there? Note that gemrc is not read by Vagrant.
@tuminoid you can try to get around the MITM proxy cert issue by setting SSL_CERT_FILE environment variable to point to a certificate bundle which includes the one that your corporate proxy uses to sign the generated certificates.
Btw, out of curiosity, how do you handle the MITM CA installation to your Vagrant VMs? I assume your boxes would otherwise suffer from certificate validation errors too.
But back to the original issue. According to the current information (and my own testing) this seems mostly like a proxy issue. I have no idea what Vagrant could do to fix or improve the situation. Maybe we could at least try to pass the log level to the gem (or bundler in 1.5) commands to help tracking these issues?
@tmatilai MITM proxy is not an issue generally, since everything usually includes a switch to ignore the insecure cert errors. curl has -k etc.
My proposal is to add similar switch to Vagrant so it would ignore the errors about insecure certs and continue.
Sigh, the stupidity of IT "security" departments never ceases to surprise... For sure the proxy itself won't validate certs either (and it even can't validate self signed etc. certs that might be well trusted by clients in some cases). I think I need a beer. :/
But yeah, vagrant box add got --insecure some time ago. Maybe we could add it here too. But I'm not familiar with the new Bundler based plugin code yet. Have to take a closer look later.
You should be able to specify --plugin-source http://rubygems.org and it should work fine. I think this works well enough, I'd rather it be explicit like this rather than magic.
Tested and it works. It is a good enough solution, just not too obvious.
:+1: for the --plugin-source http://rubygems.org solution!
excellent solution! was stuck on this for last two days....
We use a .gemrc and are heavy into the development CI with Chef DK and kitchen. We are also behind a heavy corporate firewall and for good reason we do not pull anything from the internet. We have a ruby repo but no matter what I do I cannot get vagrant to install from an internal repo.
I have tried all the other points listed above and even using chef exec to no avail.
Please let me know how to get this to work.
Also, no matter what source I use it is pointing to rubygems, even our local ruby source that works for chefdk
That "evil IT" department likely has a requirement from your business to do inspection of all traffic including SSL. As such proxy systems such as zScaler, WebProxy and others will then break the SSL by doing a MITM attack most likely. In doing so they likely have already deployed the root cert for the proxy system to your local boxes. You can validate that by going to Chrome or Firefox for an https site. Go into the information for that and look at who issued it. ie. Facebook. If it doesn't say it was issued by someone like DigiCert it is likely your proxy helping get in the middle.
For you to be able to do a vagrant command you will need to get that root cert and make it trusted by vagrant.
Go to \vagrant\embedded\cacert.pem
Paste this cert into the bottom of the file. Include the ---- BEGIN and the ----- END lines appropriately.
Try your command again. That fixed it for me.
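An added example, not part of the thread or of Vagrant's code: it shows why trusting the proxy's root (by appending it to a bundle as described above, or by pointing SSL_CERT_FILE at a merged bundle as suggested earlier in the thread) makes certificate validation pass without turning validation off. All certificates are constructed in-process, and the helper names `make_cert`, `merge_bundle` and `trusted?` are hypothetical.

```ruby
require "openssl"
require "tempfile"

# Build a constructed certificate; self-signed unless an issuer is given.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Append ca_pem to the bundle text; refuse non-CA certs, skip ones already present.
def merge_bundle(bundle_pem, ca_pem)
  ca = OpenSSL::X509::Certificate.new(ca_pem)
  bc = ca.extensions.find { |e| e.oid == "basicConstraints" }
  raise ArgumentError, "not a CA certificate" unless bc && bc.value.include?("CA:TRUE")
  blocks = bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
  return bundle_pem if blocks.any? { |pem| OpenSSL::X509::Certificate.new(pem).to_der == ca.to_der }
  bundle_pem.sub(/\s*\z/, "\n") + ca.to_pem
end

# Verify a certificate against a bundle file, as a client does via SSL_CERT_FILE.
def trusted?(cert, bundle_pem)
  Tempfile.create("bundle") do |f|
    File.write(f.path, bundle_pem)
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)
    store.verify(cert)
  end
end

def demo
  keys = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  public_ca = make_cert("/CN=Constructed Public CA", keys[0], 1, ca: true)
  proxy_ca = make_cert("/CN=Constructed Proxy Root", keys[1], 2, ca: true)
  # What an intercepting proxy presents for rubygems.org: a leaf it signed itself.
  leaf = make_cert("/CN=rubygems.org", keys[2], 3, issuer_cert: proxy_ca, issuer_key: keys[1])
  original = public_ca.to_pem
  merged = merge_bundle(original, proxy_ca.to_pem)
  { before: trusted?(leaf, original), after: trusted?(leaf, merged),
    idempotent: merge_bundle(merged, proxy_ca.to_pem) == merged,
    leaf_refused: (merge_bundle(original, leaf.to_pem) rescue :refused) == :refused }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Writing the merged text to a separate file and exporting SSL_CERT_FILE with its path leaves the bundle shipped with the installer untouched, so an upgrade does not undo the change.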
This finally worked with my installation:
set http_proxy=http://xxx.yyy.zzz.aaa:8080
set https_proxy=%http_proxy%
vagrant plugin install vagrant-proxyconf --plugin-clean-sources --plugin-source http://rubygems.org