You can add your proxy into the local certs being used Try setting the variable SSL_CERT_FILE to a file that includes your proxy certificate.
Alvaro. On Thu, Dec 14, 2017 at 2:44 PM, Alex Drawbond <[email protected]> wrote: > Hello, > > I am trying to run: > vagrant box update --box ubuntu/trusty64 > > from a macOS machine running behind Websense. I am taking the following > error: > > There was an error while downloading the metadata for this box. > The error message is shown below: > SSL certificate problem: unable to get local issuer certificate > More details here: https://curl.haxx.se/docs/sslcerts.html > curl performs SSL certificate verification by default, using a "bundle" > of Certificate Authority (CA) public keys (CA certs). If the default > bundle file isn't adequate, you can specify an alternate file using the > --cacert option. If this HTTPS server uses a certificate signed by a CA > represented in the bundle, the certificate verification probably failed due > to a problem with the certificate (it might be expired, or the name might > not match the domain name in the URL). If you'd like to turn off curl's > verification of the certificate, use the -k (or --insecure) option. > HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. > > We assume the issue is that Websense is terminating SSL, inspecting the > traffic and then injecting it's own certificate before passing the traffic > along. Websense's certificate isn't recognized by curl and rejected. Using > the --insecure option does resolve the problem. I would prefer to not use > --insecure, and adding Websense's cert to the list of trusted certs isn't > an option either. What I can do is have IP's whitelisted in Websense so > that their SSL isn't interfered with. I am having a hard time tracking down > all the IP's Vagrant is hitting behind scenes, and was hoping there was > some documentation somewhere detailing which IP's need to be whitelisted to > work with Websense? > > Thanks, > Alex > > -- > This mailing list is governed under the HashiCorp Community Guidelines - > https://www.hashicorp.com/community-guidelines.html. Behavior in > violation of those guidelines may result in your removal from this mailing > list. > > GitHub Issues: https://github.com/mitchellh/vagrant/issues > IRC: #vagrant on Freenode > --- > You received this message because you are subscribed to the Google Groups > "Vagrant" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/vagrant-up/7ccf979c-ab52-4486-a724-762faa5fcf9a%40googlegroups.com > <https://groups.google.com/d/msgid/vagrant-up/7ccf979c-ab52-4486-a724-762faa5fcf9a%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- Alvaro -- This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list. GitHub Issues: https://github.com/mitchellh/vagrant/issues IRC: #vagrant on Freenode --- You received this message because you are subscribed to the Google Groups "Vagrant" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/vagrant-up/CAHqq0ex3rC6sgfbQaJ0qMxKA3PaO9dR9p6oWcNsrmgXJXXL7wA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
