Netskope SSL certificate error while deploying vagrant environment on localhost

  • 9 August 2023


Hello,

 

We are facing issues with development users in the organization trying to set up the Vagrant (dev tool) environment on localhost.

Error logs as below:

"

Failed to verify certificate on vbguest plugin in vagrant.

Error message :

ERROR:  SSL verification error at depth 2: self signed certificate in certificate chain (19)

ERROR:  Root certificate is not trusted (/C=GB/ST=London/L=London/O=netSkope

"

There are no logs captured in the Netskope client.

Hi,

@vijaymspl @RohitK 

Please suggest, if you can help, how to fix this error.


2 replies


I'm not familiar with Vagrant, but the description of the problem aligns with a common one with command line/developer tools with independent SSL Trusted Root CA stores. We have an article on remediating these tools; if it matches up as the root cause, then the Netskope Root CA will need to be installed where Vagrant can access it. Article: Configuring SSL Inspection for Command-Line Tools


Hello @rohitutla1990,

The default behavior of the Netskope client is to steer selected traffic (specific apps or all web traffic) to anything not in the exceptions list. Since you are seeing the Netskope certificate, that indicates that the client is intercepting and sending this traffic to the Netskope cloud. Many dev tools use their own certificate stores, so they don't trust the system store, which is where the Netskope certificate is installed by default, so you have a few options:

1. Bypass the traffic from SSL inspection using the domains or process via a cert-pinned application.

2. Install the Netskope certificate to Vagrant's certificate store. This allows Vagrant to trust the Netskope certificate. I found a few different guides on some sites around this:

https://stackoverflow.com/questions/45475023/configuring-vagrant-ca-certificates

https://superuser.com/questions/1122599/installing-vagrant-plugin-on-the-corporate-network 


3. Bypass the process from being steered to Netskope entirely. This may be preferable, as it appears Vagrant is a completely local development application, so sending it to any proxy may cause issues, but I'm not thoroughly familiar with the app to say.

4. Bypass traffic to the loopback address. I'd say this is least preferable, as it bypasses all traffic to the loopback address from any process.

This traffic should be showing in the nsdebuglog unless the Log Level is set to critical or error. Info level should show the steering, and you should see a line similar to:


Tunneling flow from addr: 192.168.1.84:54651, process: processname.app to host: domain.com, addr: 127.0.0.1:443 to nsProxy

Depending on how the Vagrant app works, your best option may be to bypass the traffic entirely from Netskope if it all needs to stay on the local machine.
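Added example (not part of the thread and not Netskope tooling): a small Python parser for the "Tunneling flow" line quoted in the reply above, which groups steered flows by process and separates loopback destinations from remote ones, the distinction that matters when choosing between the bypass options. The regex is modelled only on that one quoted line; the timestamp prefix, the process names and the hosts in the sample log are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Modelled on the single sample line quoted above. Real nsdebuglog lines may
# carry a prefix (timestamp, level), so we search inside the line.
FLOW_RE = re.compile(
    r"Tunneling flow from addr: (?P<src>\S+?):(?P<sport>\d+), "
    r"process: (?P<process>.+?) to host: (?P<host>\S+), "
    r"addr: (?P<dst>\S+?):(?P<dport>\d+) to nsProxy"
)

# Constructed sample lines (prefix format, process names and hosts are assumptions).
SAMPLE_LOG = [
    "2023/08/09 10:15:01 info Tunneling flow from addr: 192.168.1.84:54651, "
    "process: ruby to host: gems.example.org, addr: 203.0.113.10:443 to nsProxy",
    "2023/08/09 10:15:02 info Tunneling flow from addr: 192.168.1.84:54652, "
    "process: ruby to host: localhost, addr: 127.0.0.1:443 to nsProxy",
    "2023/08/09 10:15:03 info Config check completed",
    "2023/08/09 10:15:04 info Tunneling flow from addr: 192.168.1.84:54660, "
    "process: browser.app to host: domain.com, addr: 198.51.100.7:443 to nsProxy",
]

def steered_flows(lines):
    """Yield a dict of fields for every 'Tunneling flow' line."""
    for line in lines:
        match = FLOW_RE.search(line)
        if match:
            yield match.groupdict()

def summarize(lines):
    """Return {process: {'hosts': set, 'loopback': int, 'remote': int}}."""
    summary = defaultdict(lambda: {"hosts": set(), "loopback": 0, "remote": 0})
    for flow in steered_flows(lines):
        entry = summary[flow["process"]]
        entry["hosts"].add(flow["host"])
        try:
            loopback = ip_address(flow["dst"].strip("[]")).is_loopback
        except ValueError:  # destination was not a literal IP address
            loopback = False
        entry["loopback" if loopback else "remote"] += 1
    return dict(summary)

if __name__ == "__main__":
    for process, info in summarize(SAMPLE_LOG).items():
        print(f"{process}: loopback={info['loopback']} remote={info['remote']} "
              f"hosts={sorted(info['hosts'])}")
```

A process that shows remote flows as well as loopback ones still needs the Netskope root CA in its own trust store (option 2) for the remote hosts unless that traffic is bypassed too.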
 
