Vagrant: Cannot download puppetlabs Vagrant Cloud boxes without cURL cert error

Created on 17 Dec 2014 · 24 Comments · Source: hashicorp/vagrant

I can't vagrant up or vagrant box add this puppetlabs Vagrant Cloud box on Ubuntu 14.04 x64 and Vagrant 1.7.1 x64 or 1.7.0 x64 (downloaded and installed the .deb from the Vagrant website). I get this error message from cURL.

$ vagrant box add puppetlabs/centos-6.5-64-puppet --force
==> box: Loading metadata for box 'puppetlabs/centos-6.5-64-puppet'
    box: URL: https://atlas.hashicorp.com/puppetlabs/centos-6.5-64-puppet
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.

1) virtualbox
2) vmware_desktop
3) vmware_fusion

Enter your choice: 1
==> box: Adding box 'puppetlabs/centos-6.5-64-puppet' (v1.0.0) for provider: virtualbox
    box: Downloading: https://atlas.hashicorp.com/puppetlabs/boxes/centos-6.5-64-puppet/
versions/1.0.0/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I can download the box directly using the system cURL

$ curl -O -L https://vagrantcloud.com/puppetlabs/boxes/centos-6.5-64-puppet/versions/1.0.0/providers/virtualbox.box

and the Vagrant embedded cURL

$ /opt/vagrant/bin/../embedded/bin/curl -O -L https://vagrantcloud.com/puppetlabs/boxes/centos-6.5-64-puppet/versions/1.0.0/providers/virtualbox.box

I downgraded to Vagrant 1.6.5 x64 from the .deb on the website and tried again and it worked.


Here's the command debug log

bug upstream

All 24 comments

This is because the certificate bundle in the package is broken.

If I copy /etc/ssl/certs/ca-certificates.crt to /opt/vagrant/embedded/cacert.pem

It all works again.

I'm having this same issue, but I discovered it using test-kitchen with ChefDK. At first I thought it was a kitchen issue, but Chef helped point me to Vagrant. So here is some output on an Ubuntu 12.04 box:

ykelley@EOS01:~/workspace/base chef-repos/platform-engineering-chef/cookbooks/test$ vagrant box add hashicorp/precise64
The box 'hashicorp/precise64' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
vagrant login. Also, please double-check the name. The expanded
URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/hashicorp/precise64"]
Error: SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

using vagrant up hashicorp/precise64 --insecure worked.

cat /etc/ssl/certs/ca-certificates.crt >> /opt/vagrant/embedded/cacert.pem from @choffee worked

Relevant e-mail thread: http://curl.haxx.se/mail/archive-2014-10/0062.html

We wound up pinning to an old version.

Also reported to Amazon that the root key that signs their key is 1024-bit and it went right over the head of the employee that responded to me:

https://forums.aws.amazon.com/thread.jspa?threadID=164095

@lamont-granquist thank you for chiming in. That's crappy of Amazon :frowning:. FWIW, Verisign has 2048-bit keys because that's what my blog is signed with. What version did you pin to?

good:

-## Certificate data from Mozilla downloaded on: Wed Aug 20 03:12:04 2014

bad:

+## Certificate data from Mozilla downloaded on: Wed Sep  3 03:12:03 2014

You should probably go pop your head in both the curl mailing list and the amazon thread and poke folks there. The curl folks were going to do something with their script to not filter out those certs.

The longer workaround is also baking mk-ca-bundle.pl directly into build scripts and bypassing the curl url, but I was hoping it'd just get fixed upstream.

Okay - I posted a note and the full certificate chain on that forum.

:thumbsup: @choffee

Same problem here. Was having some problems downloading base boxes from VagrantCloud as well as executing chef provisioning in some projects.
The @choffee workaround worked for me also.

Try using this line in your vagrant file:

config.vm.box_download_insecure = true

We are releasing Vagrant 1.7.2 later today and it includes a new cacert bundle that fixes this issue.

Can verify that this is fixed in 1.7.2 now. Thanks all!

Is there a corresponding bug for OS X, or is this a good issue in which to report a similar problem? I just updated to 1.7.2, and am seeing the same error.

jdub@slender:~/src/wang$ vagrant version
Installed Version: 1.7.2
Latest Version: 1.7.2

You're running an up-to-date version of Vagrant!

jdub@slender:~/src/wang$ vagrant box update
==> default: Checking for updates to 'ubuntu/precise64'
    default: Latest installed version: 12.04.4
    default: Version constraints:
    default: Provider: virtualbox
There was an error while downloading the metadata for this box.
The error message is shown below:

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Same problem here on Ubuntu 14.04

vagrant version
Installed Version: 1.7.2
Latest Version: 1.7.2

You're running an up-to-date version of Vagrant!

vagrant box update 
==> default: Checking for updates to 'ubuntu/trusty64'
    default: Latest installed version: 14.04
    default: Version constraints: 
    default: Provider: virtualbox
There was an error while downloading the metadata for this box.
The error message is shown below:

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

None of the workarounds above worked for me

What worked for me was the following

vagrant box add --insecure 'ubuntu/trusty64' https://atlas.hashicorp.com/ubuntu/boxes/trusty64/versions/14.04/providers/virtualbox.box

After this I can not use vagrant box update anymore. But at least I can start the VM:

vagrant box update
==> default: Checking for updates to 'ubuntu/trusty64'
    default: Latest installed version: 0
    default: Version constraints: 
    default: Provider: virtualbox
The box 'ubuntu/trusty64' is not a versioned box. The box was added
directly instead of from a box catalog. Vagrant can only
check the versions of boxes that were added from a catalog
such as from the public Vagrant Server.

My Vagrant 1.7.2 on Windows 7 x64 has this issue just today: "SSL certificate problem: unable to get local issuer certificate". After checking, I found vagrantcloud.com is using RapidSSL, and my local curl is unable to verify the complete SSL chain. Just need to grab the SSL cert (PEM format) from https://ssl-tools.net/certificates/nakw2x-rapidssl-sha256-ca-g3 and append this to the Vagrant folder (vagrantembedded)

@longthanhtran could you tell me how to append the PEM file to the Vagrant folder? Only copy this file to the folder? Thanks!

I think the incomplete certificate chain issue is solved now so you may not need to modify the local issuer certificate file.

If you want to know which file is being used by curl, you can check by running (for example)

curl -v 'https://vagrantcloud.com'

to

  • check if curl can handle HTTPS requests or
  • find the local CA bundle file

Then you can copy the content of the cert file (downloaded per the previous link) and append it to the current one (either _curl-ca-bundle.crt_ or _cacert.pem_ in the same folder as curl).

I've opened #5391 as a separate issue for the Mac OS X problem.

Just add this line into your vagrantfile
config.vm.box_download_insecure = true

@Ozsiix you saved me...

Add in Vagrantfile, the following code:
config.vm.box_download_insecure = true
For more information:
Machine Settings Vagrant

@miscapu that's literally what I said a year ago :p

Since it is a terrible practice to disable SSL verification long term, you can correct the certificate issue the right way by adding the certificate to the trust chain of the embedded Ruby and curl (painful but possible to automate) or better yet using the alternate CA path that was added to a newer Vagrant version? config.vm.box_download_ca_cert appears to be the new setting.
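
The last comment recommends repairing the trust chain rather than disabling verification. As an added example (not code from this thread or from Vagrant), the Ruby script below checks whether a CA bundle can actually verify a server's chain, which is worth doing before appending a certificate to the embedded cacert.pem or pointing config.vm.box_download_ca_cert at a file. All certificates, names and the `demo` helper are constructed test data and assumptions of the example.

```ruby
require "openssl"

# Build a throwaway certificate (constructed test data, not a real CA).
def make_cert(cn, serial, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Split a PEM bundle (cacert.pem / ca-certificates.crt style) into unique certs.
# De-duplicating matters after a `cat a >> b` style merge of two bundles.
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
          .uniq(&:to_der)
end

# Verify a leaf plus server-sent intermediates, trusting only the bundle.
# Returns [verified?, OpenSSL error string].
def verify_against(bundle_pem, leaf, intermediates = [])
  store = OpenSSL::X509::Store.new
  load_bundle(bundle_pem).each { |ca| store.add_cert(ca) }
  [store.verify(leaf, intermediates), store.error_string]
end

# Constructed scenario: a bundle that lacks the needed root, then the same
# bundle with that root appended (twice, as a careless merge would leave it).
def demo
  keys  = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert("Constructed Root", 1, keys[0], ca: true)
  inter = make_cert("Constructed Intermediate", 2, keys[1], issuer: root, issuer_key: keys[0], ca: true)
  leaf  = make_cert("boxes.example.test", 3, keys[2], issuer: inter, issuer_key: keys[1])
  other = make_cert("Unrelated Root", 4, keys[3], ca: true)
  stale = other.to_pem
  fixed = stale + root.to_pem + root.to_pem
  { stale: verify_against(stale, leaf, [inter]), fixed: verify_against(fixed, leaf, [inter]) }
end

RESULTS = demo
RESULTS.each { |name, (ok, msg)| puts "#{name}: verified=#{ok} (#{msg})" }
```

The stale bundle fails with the same OpenSSL error text that curl prints in the reports above, while the repaired bundle verifies with certificate checking still enabled.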
