Wrong SSL certificate format when checking for updates

Discussions related to using VirtualBox on Windows hosts.
benze
Posts: 2
Joined: 23. Apr 2018, 17:01

Post by benze »

I just installed VirtualBox (5.1.32) on my Win10x64 machine and tried to check for updates. When I do, I get a "Wrong SSL certificate format" error by VB.

I suspect this is because all my SSL network traffic is intercepted and resigned by my organization using an internal Root certificate.
I checked my Certificate Manager and my org's root certificate is installed and up-to-date.

When I have these issues in Java, I have to add the root certificate to the cacerts store.

Does VirtualBox also have a similar trust store that I need to update with the required root certificate? I've tried to delete and recreate the %HOME%/.VirtualBox folder, but to no avail. Looking at the vbox-ssl-certificate.crt file, I see that it is signed by Thawte. I even tried to add/install that cert to my Windows Cert Store, but that hasn't helped either. Thinking that VB might be using that crt file to validate the network connection, I tried to replace it with my own root cert, but VB just overwrote whatever I placed in the folder.

How do I get around this issue and tell VirtualBox to accept SSL connections signed by my own organization?

Thanks,

Eric
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Wrong SSL certificate format when checking for updates

Post by socratis »

Are you running Secure Boot by any chance?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
benze
Posts: 2
Joined: 23. Apr 2018, 17:01

Re: Wrong SSL certificate format when checking for updates

Post by benze »

socratis wrote: Are you running Secure Boot by any chance?

I'm not 100% sure. I suspect that I might be, as this is an org laptop in which the BIOS is pretty much locked down. I would have to double check in the BIOS to see the settings.

Why? Does that impact the SSL certificate store for VirtualBox?
DCLacoste
Posts: 1
Joined: 8. Jan 2019, 18:50

Re: Wrong SSL certificate format when checking for updates

Post by DCLacoste »

Having this same issue in Windows 10 x64, for the same reason: behind a corporate proxy which also performs MITM SSL cert replacement. Checking for a new VirtualBox version (runs in VBox Network Operations Manager?) fails with:
"The network operation failed with the following error: During network request: Wrong SSL certificate format."

Either the format of the "new" cert returned by my corp proxy is bad (but it does NOT affect any other applications/websites), or something in processing that cert (probably the CA chain) is failing. Any suggestions for updating the trusted CA that VBox is using? I've seen threads in the Mac forums that this is updated in the keychain app, which I assume is the same as the Windows Certificate Manager. However, my Corp CA is in my Windows certs and works properly for other applications/websites.
klaus
Oracle Corporation
Posts: 1115
Joined: 10. May 2007, 14:57

Re: Wrong SSL certificate format when checking for updates

Post by klaus »

Good question what the real root cause is... VBox uses libcurl for update checking, and the error originates there. Should mean that the CA info isn't matching/broken, and to my knowledge the code fishes out the CA info from the system's trusted CA store. The code is super complicated though (as some systems don't have the necessary certs, and in this case the code tries to download the no longer applicable root CA info, it wasn't updated when our server's cert was issued by DigiCert). Needs help from someone who knows how this all fits together, and how to get detailed diagnostics out of the update check somehow.

VirtualBox doesn't use certificate pinning in the usual sense, it just tries a bit of magic if the system CA store turns out to not do the job.
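
A diagnostic for the situation this thread describes, added here as an example and not posted by any participant or taken from VirtualBox: it performs a TLS handshake against the operating system's trust store and reports whether the leaf certificate was issued by the CA the thread names (DigiCert) or re-signed by something else, such as an inspection proxy. The function names, the sample issuer data and the placeholder host are assumptions; the probe assumes interception is transparent (no explicit proxy CONNECT), and its result shows what the OS store accepts, not what VirtualBox's libcurl code path does.

```python
import socket
import ssl

# The thread says the real update server's certificate was issued by DigiCert.
EXPECTED_ISSUER_ORGS = ("DigiCert",)

# Constructed issuer data in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "DigiCert Inc"),),
                            (("commonName", "Constructed Issuing CA"),))}
SAMPLE_PROXIED = {"issuer": ((("organizationName", "Example Corp"),),
                             (("commonName", "Example Corp TLS Inspection CA"),))}


def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, expected=EXPECTED_ISSUER_ORGS):
    """Return (verdict, org): 'expected-ca' if the leaf issuer is a known public CA,
    're-signed' if something else (e.g. an inspection proxy) issued it."""
    org = issuer_fields(cert).get("organizationName", "")
    known = any(name.lower() in org.lower() for name in expected)
    return ("expected-ca" if known else "re-signed"), org


def probe(host, port=443, timeout=5.0):
    """Handshake with the OS trust store and report what was presented."""
    ctx = ssl.create_default_context()  # on Windows this loads the system CA stores
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                verdict, org = classify(tls.getpeercert())
                return {"verified": True, "issuer": verdict, "org": org}
    except ssl.SSLCertVerificationError as exc:
        # Chain did not validate against the OS store (corporate root missing).
        return {"verified": False, "error": exc.verify_message}
    except OSError as exc:
        return {"verified": False, "error": str(exc)}


if __name__ == "__main__":
    print(classify(SAMPLE_DIRECT))
    print(classify(SAMPLE_PROXIED))
    # print(probe("updates.example.invalid"))  # placeholder host, substitute your own
```

A result of `verified: True` with `issuer: re-signed` means the OS store trusts the corporate root and the failure is specific to how the application builds its CA list, which matches what the posters report for their other applications.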