Problem
When you attempt to integrate a version control provider with Terraform Enterprise, the operation fails with the following OpenSSL error:
SSL certificate problem: self signed certificate in certificate chain
Cause
This error occurs when the SSL certificate used by the version control provider's server is not trusted by the Terraform Enterprise HTTP client. This commonly happens if the certificate is self-signed or if the Terraform Enterprise instance has not been configured to trust the certificate's signing chain (the root and any intermediate certificates).
Solution
To resolve this issue, you must add the complete certificate authority (CA) bundle for your version control provider to the Terraform Enterprise trust store. This allows the application's internal services to validate the SSL certificate.
Procedure
- Connect to the nginx container on your Terraform Enterprise instance via SSH. The container name varies depending on your Terraform Enterprise version.
  - For versions before v202205-1:
    $ sudo docker exec -it ptfe_nginx /bin/bash
  - For versions v202205-1 and newer:
    $ sudo docker exec -it tfe-nginx /bin/bash
- From inside the container's shell, use curl to test the connection to your version control provider and confirm that it reproduces the SSL error. Replace ${URL} with your provider's URL.
    $ curl -v -L ${URL}
- If the curl command returns the "self signed certificate in certificate chain" error, you must upload all certificates in the signing chain to Terraform Enterprise. This includes the root certificate and any intermediate certificates.
- Navigate to the TLS settings page in the Terraform Enterprise admin console at https://$TFE_HOSTNAME:8800/settings#TLS.
- In the CA Certificate Bundle field, paste the full contents of your certificate chain (root and intermediate certificates).
- Save the settings and restart the Terraform Enterprise application when prompted. This action injects the updated CA bundle into the application's containers, allowing them to trust the certificate.
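Before pasting a bundle, you can confirm that it really contains the whole signing chain. The script below is an added example, not part of the original article or of Terraform Enterprise. It assumes the openssl CLI is installed; the function names and the demo chain are constructed for illustration. It verifies the server certificate on its own against the bundle, so it does not depend on the server sending its intermediates.

```shell
#!/bin/sh
# Added example: test whether a CA bundle holds the complete signing chain.

# chain_ok BUNDLE CERT: succeeds only if openssl can build a path from CERT
# up to a self-signed root using the CA certificates in BUNDLE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# new_csr BASENAME CN: fresh key and signing request (constructed test data).
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# make_demo_chain DIR: constructed root -> intermediate -> server chain.
make_demo_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    new_csr "$1/root" 'Demo Root CA'
    new_csr "$1/int" 'Demo Intermediate CA'
    new_csr "$1/server" 'vcs.example.internal'
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -set_serial 3 -days 2 -out "$1/server.pem" 2>/dev/null
    # The bundle to paste: root plus every intermediate, concatenated as PEM.
    cat "$1/root.pem" "$1/int.pem" > "$1/full-bundle.pem"
}

# Demo: only the bundle with both root and intermediate validates the server.
demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
for bundle in root.pem int.pem full-bundle.pem; do
    if chain_ok "$demo_dir/$bundle" "$demo_dir/server.pem"; then
        echo "$bundle: chain complete"
    else
        echo "$bundle: chain incomplete"
    fi
done
```

For a real check, call chain_ok with the PEM file you intend to paste and your version control provider's server certificate saved as PEM.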
Additional Information
For more details on this setting, please refer to the CA Bundle documentation for Terraform Enterprise.