3

This error arose while I was trying to deploy to aws. It turns out this is an issue on my machine that others are not experiencing.

jkazil@jlk:~/Projects/code/geoq-chef-repo [git master] $ vagrant up --provider=aws
Bringing machine 'default' up with 'aws' provider...
[default] Box 'ubuntu_aws' was not found. Fetching box from specified URL for
the provider 'aws'. Note that if the URL does not have
a box for this provider, you should interrupt Vagrant now and add
the box yourself. Otherwise Vagrant will attempt to download the
full box prior to discovering this error.
Downloading or copying the box...
An error occurred while executing multiple actions in parallel.
Any errors that occurred are shown below.

An error occurred while executing the action on the 'default'
machine. Please handle this error then try again:

An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
jlk:~/Projects/code/geoq-chef-repo [git master] $

I found a couple of things on the internets that said I should look at my version of openssl. At first, it was 0.9.8, but I had 1.0.1f in homebrew. So I found this: Update OpenSSL on OS X with Homebrew and followed it. And I was able to update OpenSSL.

jkazil@jlk:~/Projects/code/geoq-chef-repo [git master] $ openssl version
OpenSSL 1.0.1f 6 Jan 2014
jlk:~/Projects/code/geoq-chef-repo [git master] $

But that didn't fix the issue. Just to clarify, this is not an aws issue, but a me issue. Here is me trying to pull a machine down locally. I am using the insecure flag to try to push it through, but it didn't work with or without.

jkazil@jlk:~/Projects/code/geoq-chef-repo [git master] $ vagrant box add dummy https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box --insecure
Downloading or copying the box...
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
jlk:~/Projects/code/geoq-chef-repo [git master] $

Lastly, I wanted to share my PATH, just in case someone had that question.

jlk:~/Projects/code/geoq-chef-repo [git master] $ echo $PATH
/usr/local/Cellar/ruby/2.0.0-p247/bin:/Users/jkazil/bin:/usr/local/bin:/usr/local/sbin:/usr/local/mysql/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
jlk:~/Projects/code/geoq-chef-repo [git master] $

Any suggestions?

jackiekazil
  • Are you behind some SSL intercepting firewall? – Steffen Ullrich Mar 21 '14 at 16:14
  • Could this be related? https://github.com/mitchellh/vagrant/issues/3036 – Alison R. Mar 21 '14 at 16:18
  • This question appears to be off-topic because it is an already-reported bug in Vagrant: https://github.com/mitchellh/vagrant/issues/3036 – sethvargo Mar 21 '14 at 17:18
  • No, this issue is different. Here the server replies with an "unrecognized name" fatal SSL alert (which gets sent as a reply to an SNI server name it does not know), which is totally different from the client deciding that it cannot verify the certificate (Vagrant issue 3036). – Steffen Ullrich Mar 21 '14 at 18:02
  • All -- I am reading through the comments. @SteffenUllrich -- I have tried this on 3 different networks, including home, so I don't think I am behind an SSL intercepting firewall. – jackiekazil Mar 21 '14 at 18:22
  • I think I've seen this error with misconfigured servers and openssl versions <1.0.0. While it might be that you've updated your openssl installation, it might be that Vagrant is still linked to the older library. I think the right way to check this on OS X is to use otool. – Steffen Ullrich Mar 21 '14 at 18:37
  • This might be relevant: http://www.buzdin.lv/2012/12/running-vagrant-on-mountain-lion.html. It's about missing openssl libs, but might be applied for the wrong ssl libs too. – Steffen Ullrich Mar 21 '14 at 19:09

3 Answers

2

This is going to be a sad answer, but the resolution to this was to update to 10.9. Then the problem went away. I know that this is not the answer that people want to hear, but I thought I would try after banging my head against the wall for a while.

Thank you everyone for your help! P.S. VAGRANT_LOG=info was also helpful in getting set up.

jackiekazil
  • I see this exact error on 10.8 (OpenSSL 0.9.8y 5 Feb 2013) but my colleague is running 10.9 (OpenSSL 1.0.1g 7 Apr 2014) and doesn't see this error. – Philip Durbin Jul 21 '14 at 14:10
  • In my case, however, setting the ServerName per http://serverfault.com/questions/540953/ssl23-get-server-helloreason1112-issue-curl-7-25-0/540954#540954 also fixed it, even on 10.8. – Philip Durbin Jul 21 '14 at 18:01
1

I found a couple of things on the internets that said I should look at my version of openssl. At first, it was 0.9.8, but I had 1.0.1f in homebrew. So I found this: OpenSSL Version MacOSX Homebrew and followed it. And I was able to update OpenSSL.

Mac OS X will do as much as it can to load 0.9.8 in /usr/lib:

$ find /usr/ -iname 'libssl*'
/usr//lib/libssl.0.9.7.dylib
/usr//lib/libssl.0.9.8.dylib
/usr//lib/libssl.dylib

You will need to ensure you are loading the expected version of OpenSSL. If you can get it under gdb, issue info shared and see what version of OpenSSL actually loaded.

A few things about OS X and its linker: (1) it ignores rpaths; (2) it ignores requests like -Bstatic; (3) more generally, it always links to the shared object if available (even on iOS where the only thing you are supposed to use is an archive); (4) LD_PRELOAD is not honored.

You might have some luck with using DYLD_LIBRARY_PATH.

If you can't get OS X to use 1.0.1f, then you will have to re-build the components in question. But instead of specifying -L/usr/local/ssl -lssl -lcrypto, you will need to omit the flags and specify the full archive like /usr/local/ssl/lib/libssl.a (without the -l).

Don't buy into the claims you don't have to do these things on OS X (claims like "use -L and -lssl because that's what you're supposed to use"). I suffered them for years on Apple's gear, and I know for certain it does not work (and the people making the claims apparently don't use OS X). OS X is a real bastard at times.

jww
1

One cause for this error could be an old version of OpenSSL trying to connect to a server which uses HTTPS with SNI:

http://sourceforge.net/p/curl/bugs/1037/?limit=10&page=1#aa7f

Try setting the log level higher (e.g. VAGRANT_LOG=debug vagrant up – see the Vagrant debugging guide) to see the URL in question and test it by hand using curl to confirm the failure.

Chris Adams
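
Steffen Ullrich's comment and the answer above both attribute `reason(1112)` to the server's "unrecognized name" alert; the hex code in the error line can be decoded to confirm that when testing by hand. This is an added example, not code from any poster: it assumes the library/function/reason packing of the OpenSSL 0.9.8 and 1.0.x releases discussed here, and the function names are this example's own.

```sh
# Decode the packed error code that OpenSSL 0.9.8/1.0.x prints after "error:".
# Layout: 8 bits library, 12 bits function, 12 bits reason.
# In the SSL library (20), a reason above 1000 is a TLS alert number plus 1000.

alert_name() {
  case "$1" in
    40)  echo handshake_failure ;;
    42)  echo bad_certificate ;;
    48)  echo unknown_ca ;;
    70)  echo protocol_version ;;
    80)  echo internal_error ;;
    112) echo unrecognized_name ;;   # RFC 6066: server does not know the SNI name
    *)   echo "alert_$1" ;;
  esac
}

decode_openssl_error() {
  # Pull the 8 hex digits that follow "error:" out of the line.
  hex=$(printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p')
  [ -n "$hex" ] || { echo "no OpenSSL error code found" >&2; return 1; }
  code=$((0x$hex))
  lib=$(( (code >> 24) & 0xff ))
  func=$(( (code >> 12) & 0xfff ))
  reason=$(( code & 0xfff ))
  if [ "$lib" -eq 20 ] && [ "$reason" -gt 1000 ]; then
    alert=$((reason - 1000))
    echo "lib=$lib func=$func reason=$reason alert=$alert($(alert_name "$alert"))"
  else
    echo "lib=$lib func=$func reason=$reason"
  fi
}

# First line: the error from the question. Second line: a sample constructed
# for comparison (a handshake_failure alert from the same function).
decode_openssl_error 'error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)'
decode_openssl_error 'error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
```

An alert of 112 means the server itself rejected the name sent in the handshake, which is a different failure from the client refusing a certificate; that is why `--insecure` made no difference in the question.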