Problem
When attempting to connect to a version control system (“VCS”) provider, the following error is received:
There was a problem connecting the OAuth client to the VCS provider. Please verify the URL, credentials, and permissions of the OAuth application and try again.
Cause
This issue can be related to certificate verification failures, user permission issues, or the ability to connect to the VCS through the network. Upon looking at the container logs for the ptfe_atlas container, the following error message may be seen:
"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)"
For Terraform Enterprise v202205-1 or later:
This issue can be related to certificate verification failures, user permission issues, or the ability to connect to the VCS through the network. Upon looking at the container logs for the tfe_atlas container, the following error message may be seen:
"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)"
Running the command sudo docker logs ptfe_atlas will show the container logs, and the full error message will be similar to the following:
[INFO] [66dabb60-da8f-4b28-a328-123456789] [Audit Log] {"resource":"oauth_client","action":"initiate","resource_id":"","organization":"some_org","actor":"some_user","timestamp":"2021-04-05T22:26:17Z","actor_ip":""}
2021-04-05T22:26:17.193800071Z 2021-04-05 22:26:17 [INFO] [66dabb60-da8f-4b28-a328-123456789] {"method":"GET","path":"/auth/3ef2a945-b901-40b5-b3f1-123456789","format":"html","status":302,"duration":24.32,"view":0.0,"db":4.64,"location":"https://github.com/login/oauth/authorize","uuid":"66dabb60-da8f-4b28-a328-123456789","remote_ip":"","request_id":"","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36","user":"some_user"}
2021-04-05T22:26:17.535658849Z 2021-04-05 22:26:17 [ERROR] [285acf70-d321-4206-b32e-123456789] {:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)",
For Terraform Enterprise v202205-1 or later:
Running the command sudo docker logs tfe_atlas will show the container logs, and the full error message will be similar to the following:
[INFO] [66dabb60-da8f-4b28-a328-123456789] [Audit Log] {"resource":"oauth_client","action":"initiate","resource_id":"","organization":"some_org","actor":"some_user","timestamp":"2021-04-05T22:26:17Z","actor_ip":""}
2021-04-05T22:26:17.193800071Z 2021-04-05 22:26:17 [INFO] [66dabb60-da8f-4b28-a328-123456789] {"method":"GET","path":"/auth/3ef2a945-b901-40b5-b3f1-123456789","format":"html","status":302,"duration":24.32,"view":0.0,"db":4.64,"location":"https://github.com/login/oauth/authorize","uuid":"66dabb60-da8f-4b28-a328-123456789","remote_ip":"","request_id":"","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36","user":"some_user"}
2021-04-05T22:26:17.535658849Z 2021-04-05 22:26:17 [ERROR] [285acf70-d321-4206-b32e-123456789] {:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)",
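To pick these entries out of a long container log, the following added example (not part of the original article or of Terraform Enterprise) summarizes each Faraday::SSLError line together with the organization and user from the most recent oauth_client audit entry. The function names and the shortened sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage atlas container logs for VCS TLS trust failures.
# Function names and the abbreviated sample log are constructed for illustration.

# Read log text on stdin; print one summary line per Faraday::SSLError entry.
tfe_vcs_tls_failures() {
  awk '
    # Value of a "key":"value" JSON string field, or "-" when absent.
    function jfield(line, key,    pat, s) {
      pat = "\"" key "\":\"[^\"]*\""
      if (!match(line, pat)) return "-"
      s = substr(line, RSTART, RLENGTH)
      sub("^\"" key "\":\"", "", s); sub("\"$", "", s)
      return s
    }
    # Remember who last started an OAuth client connection (audit log entry).
    /"resource":"oauth_client"/ && /"action":"initiate"/ {
      org = jfield($0, "organization"); actor = jfield($0, "actor"); next
    }
    # The error carries a different request ID, so correlation is by proximity.
    /\[ERROR\]/ && /Faraday::SSLError/ {
      reason = "-"
      if (match($0, /certificate verify failed \([^)]*\)/)) {
        reason = substr($0, RSTART, RLENGTH)
        sub(/^certificate verify failed \(/, "", reason); sub(/\)$/, "", reason)
      }
      printf "%s org=%s actor=%s reason=%s\n", $1, (org ? org : "-"), (actor ? actor : "-"), reason
    }
  '
}

# Constructed sample, shortened from the log excerpt above.
sample_log() {
  cat <<'EOF'
[INFO] [66dabb60-da8f-4b28-a328-123456789] [Audit Log] {"resource":"oauth_client","action":"initiate","resource_id":"","organization":"some_org","actor":"some_user","timestamp":"2021-04-05T22:26:17Z","actor_ip":""}
2021-04-05T22:26:17.193800071Z 2021-04-05 22:26:17 [INFO] [66dabb60-da8f-4b28-a328-123456789] {"method":"GET","path":"/auth/3ef2a945-b901-40b5-b3f1-123456789","status":302,"user":"some_user"}
2021-04-05T22:26:17.535658849Z 2021-04-05 22:26:17 [ERROR] [285acf70-d321-4206-b32e-123456789] {:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)",
EOF
}

# Live use: sudo docker logs tfe_atlas 2>&1 | tfe_vcs_tls_failures
sample_log | tfe_vcs_tls_failures
```

A reason of "unable to get local issuer certificate" means the CA that issued the VCS provider's certificate is not in the trust store used by Terraform Enterprise.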
On the Terraform Enterprise instance, connect to the ptfe_nginx container using the command below.
$ sudo docker exec -it ptfe_nginx /bin/bash
For Terraform Enterprise v202205-1 or later:
On the Terraform Enterprise instance, connect to the tfe_nginx container using the command below.
$ sudo docker exec -it tfe_nginx /bin/bash
Once connected to the ptfe_nginx container, use curl to attempt to connect to your VCS provider. GitHub is used in this example.
$ curl -v -L https://VCS-FQDN
For Terraform Enterprise v202205-1 or later:
Once connected to the tfe_nginx container, use curl to attempt to connect to your VCS provider. GitHub is used in this example.
$ curl -v -L https://VCS-FQDN
The curl command should time out, reporting something similar to the following:
# curl -v -L https://<vcs-provider>
* Expire in 0 ms for 6 (transfer 0x557d6e03ee00)
* Expire in 1 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 1 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 0 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 1 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 4 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 1 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 1 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 4 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 1 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 4 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Expire in 2 ms for 1 (transfer 0x557d6e03ee00)
* Trying 10.60.248.95...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x557d6e03ee00)
* Connected to github.com (<ip-address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Solution
As noted in the installation documentation, Terraform Enterprise needs to be able to access all services that it integrates with, such as VCS providers or database servers. Because it typically accesses them via SSL/TLS, it is critical that the certificates used by any service that Terraform Enterprise integrates with are trusted by Terraform Enterprise.
To enable this access, please upload the certificate(s) for the VCS provider to Terraform Enterprise at https://$TFE_HOSTNAME:8800/settings#TLS. See the referenced documentation for additional information.
Once the certificate(s) have been added, save the settings and restart the Terraform Enterprise application when prompted. After the restart has completed, attempt to connect to the VCS provider again in order to verify that the issue was resolved.
Additional Information
Additional documentation around CA bundle settings may be found in the installation reference.