FS#51867 - [vagrant] Issue with an embedded certificate

Attached to Project: Community Packages
Opened by Robert Gonciarz (gonciarz) - Thursday, 17 November 2016, 23:16 GMT
Last edited by Jonathan Steel (jsteel) - Friday, 06 January 2017, 12:44 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Jonathan Steel (jsteel)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Vagrant's embedded ruby version is not actual. The certificate has expired and we are not able to fetch any plugin.
In my case I'm trying to install vagrant-libvirt and its dependency (ruby-libvirt).

Downloading https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/index.rubygems.org/GlobalSignRootCA.pem
to directory: /opt/vagrant/embedded/gems/gems/bundler-1.12.5/lib/bundler/ssl_certs/
works around the issue

Additional info:
* package version(s): 1.8.7-1
* config and/or log files etc.

Steps to reproduce:
sudo pacman -S vagrant
export PATH=/opt/vagrant/embedded/bin:$PATH
export GEM_HOME=~/.vagrant.d/gems
export GEM_PATH=$GEM_HOME:/opt/vagrant/embedded/gems
gem install ruby-libvirt
ERROR: Could not find a valid gem 'ruby-libvirt' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

Closed by  Jonathan Steel (jsteel)
Friday, 06 January 2017, 12:44 GMT
Reason for closing:  Upstream
Comment by Jonathan Steel (jsteel) - Saturday, 26 November 2016, 00:29 GMT
I can install other plugins with "vagrant plugin install". The GlobalSignRootCA.pem included with vagrant that you suggest replacing says it expires "Jan 28 12:00:00 2028 GMT" so a bit confused why you think that has expired. Maybe this is just an issue with this one plugin? vagrant-libvirt fails to install but I see no SSL error; it looks to be a build issue for me.
Comment by Robert Gonciarz (gonciarz) - Sunday, 27 November 2016, 22:53 GMT
The problem is not related to the expiration period. Sorry for the wrong conclusion. I was trying to recreate the described scenario on a fresh Arch installation (using Docker). I got the same SSL error:

docker run -d nfnty/arch-mini tail -f /dev/null
docker exec -it $(docker ps -q -f "ancestor=nfnty/arch-mini") bash
pacman --noconfirm -Syu
pacman --noconfirm -S vagrant
export PATH=/opt/vagrant/embedded/bin:$PATH
export GEM_HOME=~/.vagrant.d/gems
export GEM_PATH=$GEM_HOME:/opt/vagrant/embedded/gems
gem install rails

I've noticed that after running I see the path of default cert file:
ruby -ropenssl -e 'p OpenSSL::X509::DEFAULT_CERT_FILE'
"/build/vagrant-substrate/src/vagrant-installers/vagrant-substrate/staging/embedded/ssl/cert.pem"

After I copied the certificate to the above-mentioned location I was able to fetch the gem:
mkdir -p /build/vagrant-substrate/src/vagrant-installers/vagrant-substrate/staging/embedded/ssl/
cp /opt/vagrant/embedded/gems/gems/bundler-1.12.5/lib/bundler/ssl_certs/GlobalSignRoot.pem /build/vagrant-substrate/src/vagrant-installers/vagrant-substrate/staging/embedded/ssl/cert.pem

Another workaround I've found is to change source's protocol:
gem sources --remove https://rubygems.org
gem sources --add http://rubygems.org

I can recreate the issue installing any gem.
Comment by Jonathan Steel (jsteel) - Sunday, 27 November 2016, 23:03 GMT
I'm struggling to see how this is a Vagrant bug, when you are not even running a vagrant command. You are not asking a question or telling me to do something so shall I just close this bug report?
Comment by Robert Gonciarz (gonciarz) - Sunday, 27 November 2016, 23:24 GMT
I'm not a ruby expert but for me it's a problem related to Vagrant's embedded Ruby gems or the way it was built.
As I mentioned at the beginning, in order to install vagrant-libvirt I have to add several ruby dependencies using Vagrant's embedded env.
Thus I switch from system's ruby to Vagrant's one. When I use system's ruby (2.5.2) I don't have problem with fetching gems.
Do you have any ideas what would be the best solution for fixing the issue other than just closing it?
I've noticed another cert file in the PKGBUILD but it seems to be different from the one provided.
There is also an article on ruby web: http://guides.rubygems.org/ssl-certificate-update/
Comment by Jonathan Steel (jsteel) - Sunday, 27 November 2016, 23:37 GMT
"vagrant plugin install vagrant-libvirt" should handle dependencies, but OK I'll look further into this.
Comment by Robert Gonciarz (gonciarz) - Monday, 28 November 2016, 01:00 GMT
Thanks for looking into the issue.
Btw this problem is more complex. When I run the command:
vagrant plugin install vagrant-libvirt
1) the newest version crashes when trying to build ruby-libvirt-0.7.0
2) and even if you install the plugin, there is another issue. Please take a look at this:
https://wiki.archlinux.org/index.php/Vagrant#vagrant-libvirt
There is a bug: https://github.com/vagrant-libvirt/vagrant-libvirt/issues/541
and as a workaround I have to use embedded ruby gems manually.
Comment by Jonathan Steel (jsteel) - Monday, 28 November 2016, 11:11 GMT
  • Field changed: Summary ([vagrant] Embadded ruby certificate has expired and we are not able to fetch any plugin → [vagrant] Issue with an embedded certificate)
I can replicate the issue with your steps, but putting the new certificate in the locations you mentioned hasn't resolved it for me. I was thinking of pulling in the latest certificate during the build process if this was the solution. Can you revert your changes (maybe a "rm -rf /build/vagrant-substrate/; pacman -S vagrant vagrant-substrate"?) and then document the process you take to resolve this?
Comment by Robert Gonciarz (gonciarz) - Wednesday, 30 November 2016, 23:38 GMT
For some reason putting the cert in /opt/vagrant/embedded/gems/gems/bundler-1.12.5/lib/bundler/ssl_certs/ doesn't work for me either.
I must've done some more changes. But the procedure I put in the comment should work. I run minimal arch docker image:

docker run -d nfnty/arch-mini tail -f /dev/null # start container
docker exec -it $(docker ps -q -f "ancestor=nfnty/arch-mini") bash # connect to it
pacman --noconfirm -Syu
pacman --noconfirm -S vagrant wget base-devel
export PATH=/opt/vagrant/embedded/bin:$PATH
export GEM_HOME=~/.vagrant.d/gems
export GEM_PATH=$GEM_HOME:/opt/vagrant/embedded/gems

gem install rails # That won't work now

mkdir -p /build/vagrant-substrate/src/vagrant-installers/vagrant-substrate/staging/embedded/ssl/
cp /opt/vagrant/embedded/gems/gems/bundler-1.12.5/lib/bundler/ssl_certs/GlobalSignRoot.pem /build/vagrant-substrate/src/vagrant-installers/vagrant-substrate/staging/embedded/ssl/cert.pem

gem install rails # cert issue does not appear now
Comment by Jonathan Steel (jsteel) - Thursday, 01 December 2016, 18:51 GMT
  • Field changed: Category (Packages → Upstream Bugs)
OK I can replicate that thanks. So the issue is that the embedded ruby thinks its default cert is in the location set as the "vagrant_substrate::build_dir:" during build time. I've tested the official Vagrant builds and they too have this issue, so upstream should look to fix this. Can you raise this issue upstream and link to the bug report here?
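
Added example, not part of the original thread and not Vagrant's or the packager's code: a Ruby check, meant to be run with the embedded interpreter, for the condition diagnosed in the comment above, where the compiled-in OpenSSL default cert file points at a build-time path that does not exist on the installed system. The function names are hypothetical; only the `OpenSSL::X509` constants come from Ruby's openssl library.

```ruby
require "openssl"

# Count the certificates in a PEM bundle that actually parse.
def pem_cert_count(path)
  File.read(path)
      .scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
      .count { |pem| OpenSSL::X509::Certificate.new(pem) rescue false }
end

# Classify a trust-store file as :ok, :missing, :unreadable or :empty.
def check_cert_file(path)
  return :missing unless File.exist?(path)
  return :unreadable unless File.file?(path) && File.readable?(path)
  pem_cert_count(path).zero? ? :empty : :ok
end

# Walk up from a path to the deepest directory that exists. For a
# missing trust store this is the directory whose permissions decide
# who would be able to create it.
def deepest_existing_dir(path)
  dir = File.dirname(File.expand_path(path))
  dir = File.dirname(dir) until File.directory?(dir)
  dir
end

# Report the trust store this interpreter will use for verification.
# OpenSSL prefers the SSL_CERT_FILE environment variable over the
# path compiled in at build time.
def trust_store_report(env = ENV)
  compiled  = OpenSSL::X509::DEFAULT_CERT_FILE
  override  = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] # "SSL_CERT_FILE"
  effective = override.nil? || override.empty? ? compiled : override
  {
    compiled:   compiled,
    effective:  effective,
    status:     check_cert_file(effective),
    anchor_dir: deepest_existing_dir(effective)
  }
end

if __FILE__ == $PROGRAM_NAME
  trust_store_report.each { |key, value| puts "#{key}: #{value}" }
end
```

A `status` of `missing` for a path under the build directory is the condition described in this report. Pointing `SSL_CERT_FILE` at an existing CA bundle changes the effective path while leaving certificate verification enabled, which switching the gem source to http does not.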
Comment by Robert Gonciarz (gonciarz) - Thursday, 01 December 2016, 19:24 GMT
