When I try to look for updates I get Wrong SSL certificate format

[Mediaf]

When I try to look for updates from the help menu I get "The network operation failed with the following error : Wrong SSL certificate format".

[Frank Mehnert]

Which is the version you actually run the update check on? Is that really VBox 4.3.14?

[MicroWorld]

I've been having the same issue with VBox 5.0.6 on Mac OS X El Capitan (10.11.0). I updated manually to VBox 5.0.8 this morning, I still have that issue (Mac OS 10.11.1).

[Frank Mehnert]

Please remove the file vbox-ssl-cacertificate.crt in your .VirtualBox directory (IIRC in $HOME/Library/VirtualBox on OSX) and try again.

[pafound]

Note that on my Ubuntu PC this location for this file is ~/.config/Virtualbox

I have the same issue but my SSL connections get intercepted by our UTM and scanned for malware. I'm assuming this error in my instance is caused by the UTM replacing the SSL certificate with its own. Normally on a PC or browser I would just add the UTM certificate as a trusted certificate authority but in Virtualbox's case this doesn't work. I tried to export the UTM self-signing CA certificate and replace the vbox-ssl-cacertificate.crt (you never know) ... but failed as well.

Could it be that in the cases of other users complaining about this that their connections are intercepted, monitored, or passed through a proxy possibly?

[MicroWorld]

@frank I removed the vbox-ssl-cacertificate.crt file, started VBox and still having the same issue (a new vbox-ssl-cacertificate.crt file appeared in VirtualBox directory).

@pafound There is nothing on my network monitoring SSL connections (or doing anything fancy with SSL connections).

In selectorwindow.log file I found the following:

00:00:10.507910 refreshCertificates/#1: Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.CertPolicies.paItems[#]: Bad object ID component #6 encoding: 80 e5 37 02 06 01  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.CertPolicies.paItems[#]: Bad object ID component #6 encoding: 80 e5 37 02 06 01  Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.NameConstraints.T0.PermittedSubtrees.paItems[#]: Unexpected sequence type/flags: 0x2/0x80 (expected 0x10/0x20)
00:00:10.511284 refreshCertificates/#3: Found 1/237 SSL certs we/you trust (previously 0/0).

HTH

[Frank Mehnert]

MicroWorld, please could you attach the complete selectorwindow.log file? Thank you!

[aureliens]

I encounter the exact same issue. Here is my selectorwindo.log

VirtualBox GUI VM Selector Window 5.0.8 r103449 darwin.amd64 (Oct 15 2015 16:10:44) release log
00:00:01.793706 Log opened 2015-11-02T11:33:30.986323000Z
00:00:01.793707 Build Type: release
00:00:01.793719 OS Product: Darwin
00:00:01.793725 OS Release: 15.0.0
00:00:01.793730 OS Version: Darwin Kernel Version 15.0.0: Sat Sep 19 15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64
00:00:01.793829 DMI Product Name: iMac13,2
00:00:01.793878 DMI Product Version: 1.0
00:00:01.793887 Host RAM: 32768MB total, 14043MB available
00:00:01.793891 Executable: /Applications/VirtualBox.app/Contents/MacOS/VirtualBox
00:00:01.793891 Process ID: 31475
00:00:01.793892 Package type: DARWIN_64BITS_GENERIC
00:00:01.800600 GUI: UIMediumEnumerator: Medium-enumeration started...
00:00:01.866028 GUI: UISelectorWindow: Geometry loaded to: Origin=701x177, Size=967x701
00:00:01.925654 GUI: UIMediumEnumerator: Medium-enumeration finished!
00:00:04.879500 SUP: Failed to open "/dev/vboxdrv", errno=13, rc=VERR_VM_DRIVER_NOT_ACCESSIBLE
00:00:05.286253 refreshCertificates/#1: Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.CertPolicies.paItems[#]: Bad object ID component #6 encoding: 80 e5 37 02 06 01  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.CertPolicies.paItems[#]: Bad object ID component #6 encoding: 80 e5 37 02 06 01  Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  Cert: SignatureAlgorithm (1.2.840.113549.1.1.5) does not match TbsCertificate.Signature (1.2.840.113549.1.1.5).  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.NameConstraints.T0.PermittedSubtrees.paItems[#]: Unexpected sequence type/flags: 0x2/0x80 (expected 0x10/0x20)
00:00:05.288907 refreshCertificates/#3: Found 1/263 SSL certs we/you trust (previously 0/0).
00:00:08.741691 SUP: Failed to open "/dev/vboxdrv", errno=13, rc=VERR_VM_DRIVER_NOT_ACCESSIBLE

[MicroWorld]

Here is it:

VirtualBox GUI VM Selector Window 5.0.8 r103449 darwin.amd64 (Oct 15 2015 16:10:44) release log
00:00:01.305769 Log opened 2015-11-02T17:17:25.894354000Z
00:00:01.305770 Build Type: release
00:00:01.305785 OS Product: Darwin
00:00:01.305792 OS Release: 15.0.0
00:00:01.305799 OS Version: Darwin Kernel Version 15.0.0: Sat Sep 19 15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64
00:00:01.305925 DMI Product Name: MacBookPro8,1
00:00:01.305991 DMI Product Version: 1.0
00:00:01.306003 Host RAM: 8192MB total, 2427MB available
00:00:01.306007 Executable: /Applications/VirtualBox.app/Contents/MacOS/VirtualBox
00:00:01.306008 Process ID: 15035
00:00:01.306009 Package type: DARWIN_64BITS_GENERIC
00:00:01.320089 GUI: UIMediumEnumerator: Medium-enumeration started...
00:00:01.424766 GUI: UISelectorWindow: Geometry loaded to: Origin=1x0, Size=770x550
00:00:01.470587 GUI: UIMediumEnumerator: Medium-enumeration finished!
00:00:01.586612 SUP: Failed to open "/dev/vboxdrv", errno=13, rc=VERR_VM_DRIVER_NOT_ACCESSIBLE
00:00:02.334332 refreshCertificates/#1: Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.CertPolicies.paItems[#]: Bad object ID component #6 encoding: 80 e5 37 02 06 01  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.CertPolicies.paItems[#]: Bad object ID component #6 encoding: 80 e5 37 02 06 01  Cert: SignatureAlgorithm (1.2.840.113549.1.1.11) does not match TbsCertificate.Signature (1.2.840.113549.1.1.11).  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.NameConstraints.T0.PermittedSubtrees.paItems[#]: Unexpected sequence type/flags: 0x2/0x80 (expected 0x10/0x20)
00:00:02.339991 refreshCertificates/#3: Found 1/239 SSL certs we/you trust (previously 0/0).

[nbsfred]

I have the exact same issue. Had it with 5.10, so I upgraded to 5.12, but same thing. Strangely enough, no mention of bad SSL certs in the selectorwindo.log file as Microworld has.

VirtualBox GUI VM Selector Window 5.0.12 r104815 darwin.amd64 (Dec 18 2015 17:29:37) release log
00:00:01.212442 Log opened 2015-12-22T15:23:42.570283000Z
00:00:01.212443 Build Type: release
00:00:01.212455 OS Product: Darwin
00:00:01.212460 OS Release: 15.2.0
00:00:01.212464 OS Version: Darwin Kernel Version 15.2.0: Fri Nov 13 19:56:56 PST 2015; root:xnu-3248.20.55~2/RELEASE_X86_64
00:00:01.212564 DMI Product Name: MacBookPro11,3
00:00:01.212617 DMI Product Version: 1.0
00:00:01.212624 Host RAM: 16384MB total, 3924MB available
00:00:01.212628 Executable: /Applications/VirtualBox.app/Contents/MacOS/VirtualBox
00:00:01.212629 Process ID: 81918
00:00:01.212630 Package type: DARWIN_64BITS_GENERIC
00:00:01.250268 GUI: UIMediumEnumerator: Medium-enumeration started...
00:00:01.382227 GUI: UISelectorWindow: Geometry loaded to: Origin=18x178, Size=770x550
00:00:01.441604 GUI: UIMediumEnumerator: Medium-enumeration finished!
00:00:01.501600 SUP: Failed to open "/dev/vboxdrv", errno=13, rc=VERR_VM_DRIVER_NOT_ACCESSIBLE
00:00:08.304843 GUI: UISelectorWindow: Geometry saved as: Origin=18x178, Size=770x550

[nl]

I'm getting this too. VirtualBox 5.0.14 on OS X 10.11.3. Deleting vbox-ssl-cacertificate.crt doesn't help.

selectorwindow.log:

VirtualBox GUI VM Selector Window 5.0.14 r105127 darwin.amd64 (Jan 19 2016 17:52:59) release log
00:00:01.139285 Log opened 2016-02-16T13:04:16.478746000Z
00:00:01.139286 Build Type: release
00:00:01.139297 OS Product: Darwin
00:00:01.139301 OS Release: 15.3.0
00:00:01.139306 OS Version: Darwin Kernel Version 15.3.0: Thu Dec 10 18:40:58 PST 2015; root:xnu-3248.30.4~1/RELEASE_X86_64
00:00:01.139391 DMI Product Name: MacBookPro11,3
00:00:01.139431 DMI Product Version: 1.0
00:00:01.139438 Host RAM: 16384MB total, 5832MB available
00:00:01.139441 Executable: /Applications/VirtualBox.app/Contents/MacOS/VirtualBox
00:00:01.139441 Process ID: 19093
00:00:01.139442 Package type: DARWIN_64BITS_GENERIC
00:00:01.153915 GUI: UIMediumEnumerator: Medium-enumeration started...
00:00:01.231464 GUI: UISelectorWindow: Geometry loaded to: Origin=525x249, Size=770x498
00:00:01.294621 GUI: UIMediumEnumerator: Medium-enumeration finished!
00:00:04.344687 SUP: Failed to open "/dev/vboxdrv", errno=13, rc=VERR_VM_DRIVER_NOT_ACCESSIBLE
00:00:04.891702 refreshCertificates/#1: Cert: SignatureAlgorithm (1.2.840.113549.1.1.5) does not match TbsCertificate.Signature (1.2.840.113549.1.1.5).  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  Cert: SignatureAlgorithm (1.2.840.113549.1.1.5) does not match TbsCertificate.Signature (1.2.840.113549.1.1.5).  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  Cert: SignatureAlgorithm (1.2.840.113549.1.1.5) does not match TbsCertificate.Signature (1.2.840.113549.1.1.5).  Duplicate extension RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE  InMem.Cert.TbsCertificate.T3.Extensions.paItems[#].ExtnValue.NameConstraints.T0.PermittedSubtrees.paItems[#]: Unexpected sequence type/flags: 0x2/0x80 (expected 0x10/0x20)
00:00:04.894821 refreshCertificates/#3: Found 1/238 SSL certs we/you trust (previously 0/0).
00:00:08.848635 GUI: UISelectorWindow: Geometry saved as: Origin=525x249, Size=770x498

[Abernix]

Mac Users: (the original ticket was for Linux)

I've had this problem for a very long time but fixed it today – deleting the vbox-ssl-cacertificate.crt never helped. I will preface the rest of this update by saying that VirtualBox is the ONLY issue I have had with this, so I haven't bothered trying to find a solution before now.

Today I realized it wasn't happening on my (much older) computer. Thinking back about things I have run into in the past with SSL – at one point I ran into an expired "DigiCert High Assurance EV Root CA" situation (​https://blog.digicert.com/expired-intermediate-certificate/) - expired July 26 2014. Basically, this old certificate was breaking something else in my development (I don't recall what it was, but I want to say it broke github and homebrew, maybe more – it was a big issue, and many people experienced it). Anyhow, the known solution was deleting the certificate. DigiCert even said on their site that it was okay to delete it as it was unused for over 3 years. So I did. However, I didn't do that on the old compute.

Somehow though, the old computer (which used to be a mirror of this computer) has obtained an updated DigiCert HA CA-3 certificate (Some OS X update must have done it) AND the "Apple Root CA" – but the computer I manually deleted the old certificate on, didn't do that (despite having the same OS X updates applied).

Long story short, the solution seems to be:

• Check your "Keychain Access"
• You're probably missing an unexpired "DigiCert High Assurance" CA or an "Apple Root CA" (or both)
• If so, install the "Apple Inc. Root Certificate" (from ​https://www.apple.com/certificateauthority/)

Before I tried the Apple Root CA, I actually installed the "DigiCert High Assurance CA-3" (from ​https://www.digicert.com/digicert-root-certificates.htm), and that fixed it, but then decided that an "Apple Root CA" sounded kinda important, ya know, on my Apple computer (and again, I had it on my other Mac), so I installed that too. Out of curiosity, I removed the DigiCert and it still worked, so it appears the Apple CA covers it all. Sorry DigiCert (but you're probably included in Apple's anyhow).

Hope this helps someone else.

[MicroWorld]

Replying to Abernix:

Mac Users: (the original ticket was for Linux)

Long story short, the solution seems to be:

• Check your "Keychain Access"
• You're probably missing an unexpired "DigiCert High Assurance" CA or an "Apple Root CA" (or both)
• If so, install the "Apple Inc. Root Certificate" (from ​https://www.apple.com/certificateauthority/)

Hope this helps someone else.

Hi, thanks for the tip, just tried, looks like it's working :-).

Cheers.

[JustMe]

Mac users:

I would like to add to this issue, as I have been suffering this for months. Here's what didn't work:

• Deleting the certificate file.
• Downloading certificates as mentioned above.

Here's what finally worked.

• Go to Applications -> Utilities -> Keychain Access
• In keychains, look in login (though it's possible you may have to find yours in a different section)
• Sort by expiration date. Not only did I see a cert with an X next to it, it had the same expiration date as that damn VBox cert that kept failing. And, there were many other certificates with the same name, but they were all revoked (and not a problem). I deleted that expired cert only.

Problem solved and I created this account just to share what finally worked (for me). Good luck!

[MarcGweg]

At least for Mac users:

I have copied the vbox-ssl-cacertificate.crt from https://www.virtualbox.org/attachment/ticket/12340/vbox-ssl-cacertificate.crt. This solved my problem with VirtualBox 5.0.20 on MacOSX El Capitan (version 10.11.5 Beta build 15F31a).

The issue I found was, that the .crt file VirtualBox creates, this file is signed by a CA not necessary VeriSigns CA. The .crt created on my machine was signed by the CA of my company. When you check the SSL certificate copied from previous mentioned URL with:

openssl x509 -in vbox-ssl-cacertificate.crt -text -noout

you want to get:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5

Good luck!

[adfaklsdjf]

This is what ultimately fixed the issue for me. OSX El Capitan, Virtualbox 5.0.2

Thank you!

Replying to MarcGweg:

At least for Mac users:

[kwojniak]

Had similar issue. Using the openssl command above, I found the certificate that was getting copied. I think it may be different per system, because VirtualBox is enumerating system certificates in the keychain and at hard coded paths. Once you identity the certificate in the vbox-ssl-cacertificate.crt file you can delete it from its source. Probably it's in Keychain Access. You can inspect the "Not After" date and "Subject" fields to get the expiration and name which will show in Keychain Access. After deleting the expired keychain, and deleting the vbox-ssl-cacertificate.crt file, VirtualBox is working now.

This code is probably really old and needs updating. For example, https://www.virtualbox.org/svn/vbox/trunk/src/VBox/Runtime/common/crypto/RTCrStoreCertAddWantedFromFishingExpedition.cpp references Xcode-beta.app!

[Mike446]

27" 5K iMac running MacOS Sierra 10.12.4 and VirtualBox 5.1.14 r112924 (Qt5.6.2)

Same problem:

VirtualBox > Check for Updates > error dialog:

The network operation failed with the following error: During network request: Wrong SSL certificate format.

I discovered that the following certificate is saved on the iMac with a modification date of 2017/04/07 3:26PM (today is 2017/04/10 1:155PM):

Macintosh HD > Users > (my name) > Library > VirtualBox > vbox-ssl-cacertificate.crt

I deleted that cert and relaunched VirtualBox but to no avail. Same error dialog when checking for updates.

I then updated to the newest version as of this writing: 5.1.18 r114002 (Qt5.6.2) but the same problem occurs.

[tzeappa]

Hello,

I'm experiencing the same error on OSX 10.13 with VirtualBox 5.1.28 and also with 5.2.0 r118431 (Qt5.6.3). When running Check for Update I get: The network operation failed with the following error: During network request: Wrong SSL certificate format.

• Tried uninstalling VirtualBox and deleting the VirtualBox folder from Library
• Installed VirtualBox right after, the folder was freshly recreated but I get the same error when checking for update

Please help. Thank you

[easydoor]

I have the same problem. Win 8.1, long time I can not update because of this annoying ssl message. I tried everything above, To delete certificate, to delete file vbox-ssl-cacertificate.crt, to uninstall, VB, the install again, and nothing.

In last let it say 7-8 version I have all the time this problem. Now Im on the latest release 5.2.8

Is there any tutorial how to solve this annoying problem?

[Lightuser]

As a MacOS user, the solution to copy (or create, actually) the art file and then put that in my VirtualBox Library folder worked. That is,

I have copied the vbox-ssl-cacertificate.crt from https://www.virtualbox.org/attachment/ticket/12340/vbox-ssl-cacertificate.crt. This solved my problem with VirtualBox 5.0.20 on MacOSX El Capitan (version 10.11.5 Beta build 15F31a).

I guess make sure to have VB closed at the time, don't know if that matters, and when you copy the cat file, you need to avoid the line numbers (using Textedit, I pasted the copied text into a new file, then alt-clickallowed me to highlight just the lefthand number/empty tab columns and delete them). Save it with the same name (vbox-ssl-cacertificate.crt). That worked for me.

Apologies for reiterating this if you have tried this and it has failed.

[dmajkic]

VirtualBox is using libcurl with custom cert database in ~/Library/VirtualBox/vbox-ssl-cacertificate.crt

Solution for MacOS:

1. Dowload cacert.pem from ​https://curl.haxx.se/docs/caextract.html
2. Copy cacert.pem to ~/Library/VirtualBox
3. rename cacert.pem -> vbox-ssl-cacertificate.crt

Restart VirtualBox and try "Check for Updates..."