SSL Certificate Problem When Downloading Box Behind Websense


Alex Drawbond
Hello,

I am trying to run:
vagrant box update --box ubuntu/trusty64

from a macOS machine running behind Websense. I am taking the following error:

There was an error while downloading the metadata for this box.
The error message is shown below:

SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

We assume the issue is that Websense is terminating SSL, inspecting the traffic and then injecting its own certificate before passing the traffic along. Websense's certificate isn't recognized by curl and is rejected. Using the --insecure option does resolve the problem. I would prefer not to use --insecure, and adding Websense's cert to the list of trusted certs isn't an option either. What I can do is have IPs whitelisted in Websense so that their SSL isn't interfered with. I am having a hard time tracking down all the IPs Vagrant is hitting behind the scenes, and was hoping there was some documentation somewhere detailing which IPs need to be whitelisted to work with Websense?

Thanks,
Alex

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/vagrant/issues
IRC: #vagrant on Freenode
---
You received this message because you are subscribed to the Google Groups "Vagrant" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/vagrant-up/7ccf979c-ab52-4486-a724-762faa5fcf9a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: SSL Certificate Problem When Downloading Box Behind Websense

Alvaro Miranda Aguilera

You can add your proxy into the local certs being used
Try setting the variable SSL_CERT_FILE to a file that includes your proxy certificate.

Alvaro.
 

On Thu, Dec 14, 2017 at 2:44 PM, Alex Drawbond <[hidden email]> wrote:
--
Alvaro
