Introduction
Configuring Terraform Enterprise with a custom Certificate Authority (CA) bundle allows it to trust and connect to internal services that use TLS certificates issued by a private CA. These services can include VCS providers, database servers, and log forwarding destinations.
Prerequisites
- Access to the Terraform Enterprise instance.
- Administrative access to the Replicated Console, typically available at https://$TFE_HOSTNAME:8800.
- The CA bundle file in PEM format.
Procedure
Before proceeding, verify that the file containing your certificate chain is in PEM format and the certificates are in the correct order. For TLS validation, the bundle typically only needs to include the Intermediate and Root CA certificates, as the server provides the site certificate to the client.
An example bundle format is shown below.
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
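As an added check that is not part of the original article, the following shell script validates a bundle the way the note above describes: every certificate is a CA, each one is issued by the certificate after it (intermediate first), and the last one is the self-signed root. It builds its own throwaway root and intermediate CA with openssl as constructed sample input; the function and file names are assumptions.

```shell
#!/bin/sh
# Sanity-check a PEM bundle before pasting it into the TFE CA bundle setting:
# every certificate must be a CA, each must be issued by the one after it
# (intermediate first), and the last one must be the self-signed root.
# Prints the first problem found and returns 1; returns 0 when the order is right.
# Usage: check_ca_bundle /local/path/to/cert_chain.crt
check_ca_bundle() {
  bundle="$1"; dir=$(mktemp -d)
  # Split the bundle into cert1.pem, cert2.pem, ... in bundle order
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$bundle"
  count=$(ls "$dir" | wc -l | tr -d ' ')
  [ "$count" -gt 0 ] || { echo "no PEM certificates found in $bundle"; rm -rf "$dir"; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    f="$dir/cert$i.pem"
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) \
      || { echo "cert $i is not a valid PEM certificate"; rm -rf "$dir"; return 1; }
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    # Only CA certificates belong here; the server sends its own site (leaf) cert
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' \
      || { echo "cert $i ($subj) is not a CA certificate"; rm -rf "$dir"; return 1; }
    if [ "$i" -lt "$count" ]; then
      next=$(openssl x509 -in "$dir/cert$((i + 1)).pem" -noout -subject)
      [ "${issuer#issuer}" = "${next#subject}" ] \
        || { echo "cert $i ($subj) is not issued by cert $((i + 1)): wrong order"; rm -rf "$dir"; return 1; }
    else
      [ "${issuer#issuer}" = "${subj#subject}" ] \
        || { echo "last cert ($subj) is not self-signed: root CA missing"; rm -rf "$dir"; return 1; }
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  echo "OK: $count CA certificate(s), ordered intermediate -> root"
}

# Constructed sample input (not from the page): a throwaway root and intermediate CA.
# Writes a correctly ordered bundle to $1 and a reversed one to $1.reversed.
make_sample_bundle() {
  out="$1"; w=$(mktemp -d); key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$w/ca.ext"
  openssl req -new $key -keyout "$w/root.key" -out "$w/root.csr" -subj "/CN=Sample Root" 2>/dev/null
  openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -out "$w/root.crt" -days 1 \
    -extfile "$w/ca.ext" 2>/dev/null
  openssl req -new $key -keyout "$w/int.key" -out "$w/int.csr" -subj "/CN=Sample Intermediate" 2>/dev/null
  openssl x509 -req -in "$w/int.csr" -CA "$w/root.crt" -CAkey "$w/root.key" -CAcreateserial \
    -out "$w/int.crt" -days 1 -extfile "$w/ca.ext" 2>/dev/null
  cat "$w/int.crt" "$w/root.crt" > "$out"            # intermediate, then root
  cat "$w/root.crt" "$w/int.crt" > "$out.reversed"   # wrong order, for comparison
  rm -rf "$w"
}
```

Run `make_sample_bundle /tmp/bundle.pem` and then `check_ca_bundle /tmp/bundle.pem` to see the check pass, and `check_ca_bundle /tmp/bundle.pem.reversed` to see the ordering error it reports.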
Choose the method below that corresponds to your deployment type.
Method 1: Using the Replicated Console UI (Standalone Deployments)
- Access the Replicated Console TLS settings page at https://$TFE_HOSTNAME:8800/settings#TLS.
- In the Certificate Authority (CA) Bundle section, paste the contents of your certificate chain file.
- Click Save.
- When prompted, restart the Terraform Enterprise application to apply the changes.
Method 2: Using the CLI (Active/Active Deployments)
For Active/Active deployments, apply the CA bundle using the replicatedctl command-line utility.
- SSH into a Terraform Enterprise host and copy your certificate chain file to the local filesystem (e.g., /local/path/to/cert_chain.crt).
- Import the certificate chain into the Terraform Enterprise application configuration. This command reads the file and sets the ca_certs value.
  # Import your certificate chain into the Terraform Enterprise application
  replicatedctl app-config set ca_certs --value "$(cat /local/path/to/cert_chain.crt)"
- Verify that the configuration was set correctly. The output should match the contents of your PEM file.
  # Verify the format is correct
  replicatedctl app-config export --template '{{.ca_certs.Value}}'
- Apply the configuration changes. This action will trigger a restart of the application.
  # Apply the configuration changes
  replicatedctl app apply-config
Additional Information
- For more details on certificate ordering, refer to Terraform Enterprise - Order of certificates in SSL cert files.
- Official documentation on this setting is available at Certificate Authority (CA) Bundle.