17

I am following the official vagrant documentation at https://docs.vagrantup.com/v2/getting-started/index.html

I have installed vagrant and virtual box on Windows 10 64-bit processor. After running these commands on command prompt I get:

vagrant init hashicorp/precise32
vagrant up

errors as shown below:

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'hashicorp/precise32' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
The box 'hashicorp/precise32' could not be found or could not be accessed in the remote catalog. If this is a private box on HashiCorp's Atlas, please verify you're logged in via vagrant login. Also, please double-check the name. The expanded URL and error message are shown below:

URL: ["https://atlas.hashicorp.com/hashicorp/precise32"]
Error: SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

How do I fix this error?

4 Answers

17

If you get an SSL issue, you can try to add the box using the --insecure option

vagrant box add --insecure hashicorp/precise32 hashicorp/precise32

--insecure When present, SSL certificates won't be verified if the URL is an HTTPS URL

You may need to clean the ~/.vagrant.d/tmp/ folder if you have an incomplete transfer.

You can also download the SSL certificate and directly use it to bypass the error

$ vagrant box add --cacert <certificate> box_name

14

You can add this in Vagrantfile

config.vm.box_download_insecure=true

6

Since it is a terrible practice to disable SSL verification long term, you can correct the certificate issue the right way by adding the certificate to the trust chain of the embedded Ruby and curl (painful but possible to automate, http://guides.rubygems.org/ssl-certificate-update/#manual-solution-to-ssl-issue) or better yet using the alternate CA path that was added to a newer Vagrant version? config.vm.box_download_ca_cert appears to be the new setting.

Manual way:

The steps are as follows:

Step 1: Obtain the correct trust certificate
Step 2: Locate RubyGems certificate directory in your installation
Step 3: Copy correct trust certificate
Step 4: Profit


Step 1: Obtain the correct trust certificate

We need to download the correct trust certificate, YourCompanyRootCA.pem.
This can probably be obtained from your IT department or by exporting the certificate from your web browser or certificate store (and possibly converting to .pem using OpenSSL).

IMPORTANT: The file must have .pem as its extension. Browsers like Chrome will try to save it as a plain text file. Ensure you change the filename to end with .pem after you have downloaded it.

Step 2: Locate Ruby certificate directory in your installation

In order for us to copy this file, we need to know where to put it.

Depending on where you installed Ruby (or Vagrant has embedded it), the directory will be different.

Take for example the default installation of Ruby 2.1.5, placed in C:\Ruby21
Or the Vagrant default of C:\HashiCorp\Vagrant\embedded (or /opt on Linux)
Search for `cacert.pem` or any `*.pem` in those directories.

Step 3: Copy new trust certificate

Now, locate the ssl_certs directory (Ruby) and copy the .pem file we obtained in the previous step into it.

It will be listed with other files like AddTrustExternalCARoot.pem.

If you are updating the Vagrant cacert.pem, make a backup copy, then append the entire contents of your new .pem file to the end of the cacert.pem. This should eliminate the warnings from Vagrant's ruby/curl.

2
  • 1
    That is indeed the best solution. Why does security have to be so non-user-friendly, though? When we want to make something work, it's so much easier to go with the 'insecure' solution. Is there a more user-friendly way to approach security?
    – wizofe
    Commented May 21, 2019 at 11:35
  • Sadly Ruby gets used by developers for all sorts of weird things, and often what works for one person rarely works on anybody else's machine (no matter what language you develop in this is often the case). In this case I believe Vagrant has an option to supply other SSL certificates, but it has been a long while since I looked.
    – dragon788
    Commented Oct 2, 2019 at 2:22
0

Some useful addendum for answer by dragon788

  1. Use OpenSSL to convert the cer/crt files to pem file.
  2. OpenSSL can be located in the following directory on the Windows machines C:\Program Files\Git\usr\bin\openssl.exe
  3. While exporting the cer/crt file from Certificate manager use base64 encoding
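
The manual steps from dragon788's answer and the conversion step from the addendum, combined into one script. This is an added example, not code from any of the answers or from Vagrant; the names `trust_ca`, `check_ca!` and `fingerprint` are hypothetical. It assumes Ruby's standard `openssl` library and checks only that the file is a currently valid CA certificate, not who issued it.

```ruby
require 'openssl'
require 'digest'
require 'fileutils'

PEM_BLOCK = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# SHA-256 over the DER encoding identifies a certificate no matter whether
# the file on disk was binary DER (.cer/.crt) or base64 PEM.
def fingerprint(cert)
  Digest::SHA256.hexdigest(cert.to_der)
end

# Refuse anything that is not a CA certificate inside its validity window.
# This does not verify the signature chain; the file must come from a
# source you already trust (for example your IT department).
def check_ca!(cert, now = Time.now)
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  raise ArgumentError, 'not a CA certificate' unless bc && bc.value.include?('CA:TRUE')
  unless (cert.not_before..cert.not_after).cover?(now)
    raise ArgumentError, 'certificate expired or not yet valid'
  end
  cert
end

# Appends the CA at cert_path (DER or PEM) to the PEM bundle at bundle_path.
# Returns :added, or :already_trusted if the bundle already contains it.
def trust_ca(cert_path, bundle_path)
  cert = check_ca!(OpenSSL::X509::Certificate.new(File.binread(cert_path)))
  bundle = File.binread(bundle_path)
  known = bundle.scan(PEM_BLOCK).map do |pem|
    fingerprint(OpenSSL::X509::Certificate.new(pem))
  end
  return :already_trusted if known.include?(fingerprint(cert))

  backup = "#{bundle_path}.bak"
  FileUtils.cp(bundle_path, backup) unless File.exist?(backup) # keep the pristine copy
  File.open(bundle_path, 'ab') do |f|
    f.write("\n") unless bundle.end_with?("\n")
    f.write("# #{cert.subject} (added locally)\n#{cert.to_pem}")
  end
  :added
end

# Usage: ruby trust_ca.rb YourCompanyRootCA.cer path/to/cacert.pem
if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
  puts trust_ca(ARGV[0], ARGV[1])
end
```

Because the script is idempotent and keeps the first backup, it can be re-run after a Vagrant upgrade replaces the embedded cacert.pem.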
