Vagrant: can't securely download from atlas.hashicorp.com

Created on 26 Feb 2015  ·  18 Comments  ·  Source: hashicorp/vagrant

While 1.7.2 fixes #5001, I'm afraid the problem still exists on Mac OS X.

I'm using Mac OS X Yosemite - 10.10.2 (14C109):

$ vagrant --version
Vagrant 1.7.2

$ /opt/vagrant/bin/../embedded/bin/curl -v https://atlas.hashicorp.com/
* About to connect() to atlas.hashicorp.com port 443 (#0)
*   Trying 107.23.224.212...
* Adding handle: conn: 0x82a200
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x82a200) send_pipe: 1, recv_pipe: 0
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The OS-supplied curl works fine:

$ curl -v https://atlas.hashicorp.com/
* Hostname was NOT found in DNS cache
*   Trying 107.23.224.212...
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.hashicorp.com
* Server certificate: RapidSSL SHA256 CA - G3
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: atlas.hashicorp.com
> Accept: */*
> 
< HTTP/1.1 200 OK

I can use --insecure as a workaround, but I'd really like to not have to!

installer

All 18 comments

This looks like an issue with the installer. Tagging

I'm having the exact same problem

Issue exists on latest Ubuntu (14.10) as well.

What is the status on this? Between this and the still open #4473, it is impossible to vagrant box update over HTTPS.

Yup I am still seeing it on OS X also.

$ sw_vers -productVersion
10.10.3

$ vagrant --version
Vagrant 1.7.2

$ /opt/vagrant/bin/../embedded/bin/curl -v https://atlas.hashicorp.com/
* About to connect() to atlas.hashicorp.com port 443 (#0)
*   Trying 107.23.224.212...
* Adding handle: conn: 0x1013600
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1013600) send_pipe: 1, recv_pipe: 0
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ curl -v https://atlas.hashicorp.com/
*   Trying 54.175.82.169...
* Connected to atlas.hashicorp.com (54.175.82.169) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2, TLS Unknown, Unknown (22):
* TLSv1.2, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Server key exchange (12):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* TLSv1.2, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* TLSv1.2, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=GT33562476; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.hashicorp.com
*    start date: 2015-01-22 10:49:51 GMT
*    expire date: 2016-09-04 14:38:50 GMT
*    subjectAltName: atlas.hashicorp.com matched
*    issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
*    SSL certificate verify ok.
* SSLv2, Unknown (23):
> GET / HTTP/1.1
> User-Agent: curl/7.41.0
> Host: atlas.hashicorp.com
> Accept: */*
>
* SSLv2, Unknown (23):
< HTTP/1.1 200 OK

But it works fine on Ubuntu 14.04:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:    14.04
Codename:   trusty

$ vagrant --version
Vagrant 1.7.2

$ /opt/vagrant/bin/../embedded/bin/curl -v https://atlas.hashicorp.com/
* About to connect() to atlas.hashicorp.com port 443 (#0)
*   Trying 107.23.224.212...
* Adding handle: conn: 0x231b3e0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x231b3e0) send_pipe: 1, recv_pipe: 0
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=GT33562476; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.hashicorp.com
*    start date: 2015-01-22 10:49:51 GMT
*    expire date: 2016-09-04 14:38:50 GMT
*    subjectAltName: atlas.hashicorp.com matched
*    issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.33.0
> Host: atlas.hashicorp.com
> Accept: */*
> 
< HTTP/1.1 200 OK

If I export the path in an environment variable pointing at the macports curl-ca-bundle the embedded curl works:

$ export SSL_CERT_FILE=/opt/local/share/curl/curl-ca-bundle.crt

$ /opt/vagrant/bin/../embedded/bin/curl -v https://atlas.hashicorp.com/
* About to connect() to atlas.hashicorp.com port 443 (#0)
*   Trying 107.23.224.212...
* Adding handle: conn: 0x1809400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1809400) send_pipe: 1, recv_pipe: 0
* Connected to atlas.hashicorp.com (107.23.224.212) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=GT33562476; OU=See www.rapidssl.com/resources/cps (c)14; OU=Domain Control Validated - RapidSSL(R); CN=*.hashicorp.com
*    start date: 2015-01-22 10:49:51 GMT
*    expire date: 2016-09-04 14:38:50 GMT
*    subjectAltName: atlas.hashicorp.com matched
*    issuer: C=US; O=GeoTrust Inc.; CN=RapidSSL SHA256 CA - G3
*    SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.33.0
> Host: atlas.hashicorp.com
> Accept: */*
>
< HTTP/1.1 200 OK

But the command to add the box still fails :(

$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'ubuntu/trusty64' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
The box 'ubuntu/trusty64' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/ubuntu/trusty64"]
Error:

Same problem in Windows 7 32-bit for me:

$ vagrant -v
Vagrant 1.7.2

$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'mitchellh/boot2docker' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
==> default: Loading metadata for box 'mitchellh/boot2docker'
    default: URL: https://atlas.hashicorp.com/mitchellh/boot2docker
==> default: Adding box 'mitchellh/boot2docker' (v1.2.0) for provider: virtualbox
    default: Downloading: https://atlas.hashicorp.com/mitchellh/boxes/boot2docker/versions/1.2.0/providers/virtualbox.box
    default:
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

Unknown SSL protocol error in connection to s3.amazonaws.com:443

Hi there,

This seems to be an issue related with the ca bundler (see #5739 for more detailed information). We will be updating the bundle in the next release and the issue should go away. Sorry about the issue in the meantime - workaround instructions are in the linked issue! :smile:

I have Vagrant 1.7.4 on OS X. This problem still persists. Why is this closed? Where is an explanation of a workaround?

+1. Not sure why this is closed. I have the config.vm.box_download_insecure = true in my vagrantfile.

$ vagrant -v
Vagrant 1.8.1

$ vagrant box --insecure add nrel/CentOS-6.5-x86_64
==> box: Loading metadata for box 'nrel/CentOS-6.5-x86_64'
box: URL: https://atlas.hashicorp.com/nrel/CentOS-6.5-x86_64
==> box: Adding box 'nrel/CentOS-6.5-x86_64' (v1.2.0) for provider: virtualbox
box: Downloading: https://atlas.hashicorp.com/nrel/boxes/CentOS-6.5-x86_64/versions/1.2.0/providers/virtualbox.box
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Have this issue on Windows installer, version 1.8.5.
Suppressed it by including this line in the Vagrantfile:
config.vm.box_download_insecure = true

Since it is a terrible practice to disable SSL verification long term, you can correct the certificate issue the right way by adding the certificate to the trust chain of the embedded Ruby and curl (painful but possible to automate), or better yet by using the alternate CA path that was added to a newer Vagrant version? config.vm.box_download_ca_cert appears to be the new setting.
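
The verification step this whole thread keeps bumping into, written out as an added Ruby example (not Vagrant's own code): a constructed throwaway root CA and a leaf it signs stand in for the real "RapidSSL SHA256 CA - G3 -> *.hashicorp.com" chain. The leaf is checked first against an empty CA bundle, as the embedded curl's bundle effectively was, and then against one that contains the issuer, which is what SSL_CERT_FILE or appending the CA to cacert.pem achieves; the hostname match curl reports as "subjectAltName: ... matched" is shown as well.

```ruby
require "openssl"

# Constructed test chain (not a real certificate): a throwaway root CA and a
# leaf it signs. Nothing here touches the network.
def make_cert(subject, serial, issuer: nil, ca: false, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, so extensions are honoured
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[0].subject : cert.subject   # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

ROOT = make_cert("/CN=Constructed Test Root CA", 1, ca: true)
LEAF = make_cert("/CN=*.hashicorp.com", 2, issuer: ROOT, san: "DNS:*.hashicorp.com")

# Chain verification against a CA bundle, the check curl performs before it
# sends the request. Returns the same phrases curl printed in the thread.
def verify_chain(leaf, bundle)
  store = OpenSSL::X509::Store.new
  bundle.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ctx.verify ? "SSL certificate verify ok" : ctx.error_string
end

# Hostname check: the step curl reports as "subjectAltName: <host> matched".
# The wildcard SAN above must cover the host actually being contacted.
def hostname_matches?(leaf, host)
  OpenSSL::SSL.verify_certificate_identity(leaf, host)
end

if __FILE__ == $0
  puts verify_chain(LEAF[0], [])         # embedded curl: bundle lacks the issuer
  puts verify_chain(LEAF[0], [ROOT[0]])  # after SSL_CERT_FILE / CA appended to cacert.pem
  puts hostname_matches?(LEAF[0], "atlas.hashicorp.com")
end
```

Pointing config.vm.box_download_ca_cert (or SSL_CERT_FILE) at a bundle that contains the issuer is the equivalent of the second call; box_download_insecure skips both checks entirely.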

Still having certificate issue on mac.

$ vagrant --version
Vagrant 1.9.1
$ vagrant box add https://atlas.hashicorp.com/debian/boxes/jessie64 --name debian/jessie64_nb
==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'debian/jessie64_nb' (v0) for provider:
box: Downloading: https://atlas.hashicorp.com/debian/boxes/jessie64
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

The insecure workaround does not work

@lhorstm Are you using Vagrant installed via Homebrew or manually installed?

I installed it from the vagrant homepage. I looked at what certificate curl was using by using curl -v (which was through my institution's proxy) and then appended that certificate to the cacert.pem file in the embedded directory. That seems to have solved the issue.

Excellent, that is the best and most secure way to resolve the issue!

Thank you Rahul, it worked

config.vm.box_download_insecure = true

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
