Installing vagrant plugin on the corporate network

2

1

I'm trying to install a Vagrant plugin on a corporate network with its own root certificate, but it fails with:

$ vagrant plugin install vagrant-timezone --plugin-source http://rubygems.org
Installing the 'vagrant-timezone' plugin. This can take a few minutes...
...
Could not verify the SSL certificate for https://gems.hashicorp.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
...
Warning: this Gemfile contains multiple primary sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source. To upgrade this warning to an error, run `bundle config disable_multisource true`.
Warning: this Gemfile contains multiple primary sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source. To upgrade this warning to an error, run `bundle config disable_multisource true`.
Retrying fetcher due to error (2/4): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://gems.hashicorp.com/.

The certificate works fine in web browsers, but somehow Vagrant doesn't understand these system certificates. I did use http instead of https as above, but this didn't help.

Any other workarounds for such a problem?

kenorb

Posted 2016-09-09T10:20:47.180

Reputation: 16 795

Isn't your company intercepting SSL with Blue Coat? Are you using proxy? If you go to https://gems.hashicorp.com/ in your browser can you see GeoTrust -> RapidSSL -> *.hashicorp.com, or your company certificate? – techraf – 2016-09-09T11:37:05.850

@techraf I think they're intercepting SSL with Blue Coat. All the websites have their own root chain certificates, so it's also happening without any proxy configuration. – kenorb – 2016-09-09T11:40:26.550

So curl https://gems.hashicorp.com/ fails too, right? – techraf – 2016-09-09T11:42:53.697

@techraf Curl works fine. I've managed to work around the issue by editing mixin_install_opts.rb and replacing https with http, quite a dirty workaround. – kenorb – 2016-09-09T11:44:44.387

@techraf Since you mentioned Blue Coat, I assume you're familiar with that app. Are you able to answer: What Blue Coat Unified Agent application do? – kenorb – 2016-09-09T13:49:25.440

I wasn't even aware of its existence. I just happened to work in environments with Blue Coat Proxy and encountered similar issues. – techraf – 2016-09-10T00:47:02.013

Answers

4

The Ruby file hackery in the comments/answers is definitely not recommended as it negates the benefits of having SSL protecting your connections.

The "right" way (aka IT won't hunt you down way) is to add your proxy/firewall's certificate to the list of trusted certificates for the embedded Ruby that Vagrant uses.

Navigate to the directory where Vagrant was installed, then open the embedded\cacert.pem file and append the contents of your corporate certificate to the file and then save and quit.

On Windows that's C:\Hashicorp\Vagrant\embedded\cacert.pem. Sadly you can't always directly use the certificate if you export it from Internet Explorer. In those cases you can convert it using OpenSSL to get it into the correct format.

I had a script that did most of this for you, but I need to track it down again. Once I do I'll update this answer with an easier way to perform this, since every time you update Vagrant it will likely clobber the cacert.pem file.

dragon788

Posted 2016-09-09T10:20:47.180

Reputation: 634
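
The append step this answer describes, as an added Ruby example (not the answerer's script and not Vagrant code): it accepts a DER or PEM export, refuses certificates that are not CAs or are outside their validity period, and skips the append when the certificate is already in the bundle, so it can be re-run after each Vagrant upgrade. The helper names and the throwaway certificate standing in for the corporate root are constructed for illustration.

```ruby
require 'openssl'
require 'digest'
require 'tempfile'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

def sha256_fp(cert)
  Digest::SHA256.hexdigest(cert.to_der)
end

# Only CA certificates belong in a trust bundle.
def ca_cert?(cert)
  cert.extensions.any? { |e| e.oid == 'basicConstraints' && e.value.include?('CA:TRUE') }
end

# Append cert_bytes (DER or PEM) to the bundle; returns :added or :already_present.
def append_ca(bundle_path, cert_bytes, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_bytes) # accepts DER and PEM
  raise ArgumentError, 'not a CA certificate' unless ca_cert?(cert)
  raise ArgumentError, 'outside validity period' unless (cert.not_before..cert.not_after).cover?(now)
  bundle = File.read(bundle_path)
  known = bundle.scan(PEM_CERT).map { |pem| sha256_fp(OpenSSL::X509::Certificate.new(pem)) }
  return :already_present if known.include?(sha256_fp(cert))
  File.open(bundle_path, 'a') do |f|
    f.write("\n") unless bundle.empty? || bundle.end_with?("\n")
    f.write("# locally added: #{cert.subject} sha256=#{sha256_fp(cert)}\n")
    f.write(cert.to_pem)
  end
  :added
end

# Constructed sample input: throwaway self-signed cert standing in for the corporate root.
def constructed_cert(cn, ca: true)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

Tempfile.create('cacert') do |f| # stand-in for embedded\cacert.pem
  der = constructed_cert('Constructed Corp Root').to_der
  p [append_ca(f.path, der), append_ca(f.path, der)]
end
```

Against a real installation, pass the path to the embedded cacert.pem and the bytes of the exported corporate root; keep a copy of the original bundle before the first run.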

1

Normally disabling :ssl_verify_mode in your gemrc located in your sysconfdir solves most of the certificate issues, e.g. adding this line:

:ssl_verify_mode: 0

to %USERPROFILE%\.gemrc or C:\ProgramData\gemrc on Windows, otherwise in ~/.gemrc or /etc/gemrc (on Linux/OS X).

Check the right folder by: ruby -retc -e 'p Etc.sysconfdir'. You may need to install RailsInstaller.

You can check that it worked by:

C:\HashiCorp\Vagrant\embedded\bin>gem.bat env
RubyGems Environment:
  - GEM CONFIGURATION:
     - :ssl_verify_mode => 0

Please note that the above is not recommended, since it is a security risk. So setting SSL_CERT_FILE to the right PEM file or copying a new trust certificate into the ssl_certs directory is a better way. See: Download a cacert.pem for RailsInstaller at GH Gist

However, based on my experience, the above won't work, therefore the easiest workaround is to edit the mixin_install_opts.rb file (e.g. C:\HashiCorp\Vagrant\embedded\gems\gems\vagrant-1.8.5\plugins\commands\plugin\command) and replace https in plugin_sources with http, e.g.

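module VagrantPlugins
  module CommandPlugin
    module Command
      module MixinInstallOpts
        def build_install_opts(o, options)
          # Default plugin sources with https replaced by http (the workaround described above)
          options[:plugin_sources] = [
            "http://rubygems.org",
            "http://gems.hashicorp.com",
          ]
          # ... rest of the method unchanged ...
        end
      end
    end
  end
end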

To debug the issue further, SET VAGRANT_LOG=INFO (export VAGRANT_LOG=INFO in a shell) before running the vagrant command again.


kenorb

Posted 2016-09-09T10:20:47.180

Reputation: 16 795

0

There's a much easier option! Let's use hosts updater as an example.

First, when assembling the software to be distributed, acquire the plugin as a gem:

❯ gem fetch vagrant-hostsupdater
Fetching: vagrant-hostsupdater-1.1.1.160.gem (100%)
Downloaded vagrant-hostsupdater-1.1.1.160

Then, distribute the gem file and on each machine, run:

vagrant plugin install vagrant-hostsupdater-1.1.1.160.gem

If you can't run gem, download the file from https://rubygems.org/

Tom J Nowell

Posted 2016-09-09T10:20:47.180

Reputation: 418