Vagrant: Vagrant doesn't use system CA certificates

Created on 2 Nov 2018 · 5 Comments · Source: hashicorp/vagrant

Vagrant version

Vagrant 2.2.0

Host operating system

Ubuntu 18.04

I have my company's CA certificates installed in the system certificate store (/etc/ssl/certs), and most other applications report no issues when trying to connect to the internet through my company's intercepting proxy.

Vagrant, however, reports an error when trying to get box metadata:

==> proxy: There was a problem while downloading the metadata for your box
==> proxy: to check for updates. This is not an error, since it is usually due
==> proxy: to temporary network problems. This is just a warning. The problem
==> proxy: encountered was:
==> proxy: 
==> proxy: SSL certificate problem: self signed certificate in certificate chain
==> proxy: 
==> proxy: If you want to check for box updates, verify your network connection
==> proxy: is valid and try again.

This is likely because Vagrant isn't using the system CA certificates. Fixing the issue was easy enough with the following command:

sudo mv /opt/vagrant/embedded/cacert.pem /opt/vagrant/embedded/cacert.pem.old
sudo ln -s /etc/ssl/certs/ca-certificates.crt /opt/vagrant/embedded/cacert.pem

But it would be nice for people who might not be aware of this that this be done automatically as a part of the .deb installation triggers. I would create a PR myself, but I could not locate the source for the .deb packaging scripts in this repo.

documentation

All 5 comments

Vagrant respects the SSL_CERT_FILE and CURL_CA_BUNDLE which can be used to point to custom locations. Doesn't look like this is called out specifically in the docs so I'll be sure to add that in.

Cheers!

> which can be used to point to custom locations.

/etc/ssl/certs is not a custom location. It is the standard location for system certificates for Debian-based Linux distros.

@chrisroberts Once again, the location of the system CA certificates is not a custom location, and therefore Vagrant should be using those instead.

@wheelerlaw I understand that it is not a custom location for Debian-based Linux distros but it _is_ a custom location from the point of view of the Vagrant executable which is the same used across Linux distros. The Vagrant package includes its own cert bundle which is the default it uses. This allows the package to be installed and usable without dependencies. If the cert file is defined within an environment variable, Vagrant will respect that path and not use the default path of the builtin bundle.

We could define a list of "valid" host paths which could be checked when a custom env var is not provided, and fall back to the internal bundle when none of those files are available. I have an issue opened over in the installers repo to track that: hashicorp/vagrant-installers#143

Cheers!
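
The lookup order proposed in the comment above (environment variable, then known host paths, then the embedded bundle), sketched as a POSIX shell function. This is an added example, not Vagrant's or the installer's code; the function names, the host paths other than /etc/ssl/certs/ca-certificates.crt, and checking SSL_CERT_FILE before CURL_CA_BUNDLE are assumptions.

```shell
#!/bin/sh
# Added example; not Vagrant's or the vagrant-installers code.
# Host paths other than the Debian one are assumed common distro locations.
CA_HOST_PATHS="${CA_HOST_PATHS:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem /etc/ssl/cert.pem}"
# Embedded bundle path as given in the issue.
CA_EMBEDDED="${CA_EMBEDDED:-/opt/vagrant/embedded/cacert.pem}"

# A usable bundle is a readable regular file with at least one PEM certificate.
is_pem_bundle() {
    [ -f "$1" ] && [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the bundle path to use; return non-zero if none is usable.
resolve_ca_bundle() {
    # 1. Explicit operator choice (variable precedence is an assumption).
    for candidate in "${SSL_CERT_FILE:-}" "${CURL_CA_BUNDLE:-}"; do
        [ -n "$candidate" ] || continue
        if is_pem_bundle "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        # Choice made in this example: a bad explicit path is reported,
        # not silently replaced by a different trust store.
        echo "CA bundle from environment is not usable: $candidate" >&2
        return 1
    done
    # 2. Host trust store, first usable path wins.
    for candidate in $CA_HOST_PATHS; do
        if is_pem_bundle "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    # 3. Bundle shipped inside the package.
    if is_pem_bundle "$CA_EMBEDDED"; then
        printf '%s\n' "$CA_EMBEDDED"
        return 0
    fi
    echo "no usable CA bundle found" >&2
    return 1
}

# Usage: export SSL_CERT_FILE="$(resolve_ca_bundle)" before running vagrant.
```

Setting the variable this way leaves the packaged cacert.pem untouched, so the result does not depend on a symlink inside /opt/vagrant/embedded.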

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
