Problem
When you attempt to connect Terraform Enterprise to a version control system (VCS) provider, the operation fails with the following error in the user interface.
There was a problem connecting the OAuth client to the VCS provider. Please verify the URL, credentials, and permissions of the OAuth application and try again.
Cause
This error can be caused by network connectivity issues, incorrect user permissions, or SSL/TLS certificate verification failures between the Terraform Enterprise instance and the VCS provider.
Reviewing the container logs may show a certificate verification error.
Note: The primary application container name changed in Terraform Enterprise version v202205-1.
- For versions v202205-1 and later, use tfe_atlas.
- For versions prior to v202205-1, use ptfe_atlas.
Check the logs for the application container.
# docker logs tfe_atlas
The logs may contain an error message similar to the following, indicating a certificate issue.
[ERROR] {:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)", ##...
Solution
To resolve this issue, you must diagnose the connection problem from within the Terraform Enterprise environment and then provide the necessary CA certificate for the VCS provider.
Step 1: Diagnose the connection issue
First, connect to the NGINX container on the Terraform Enterprise instance to test the connection to your VCS provider.
Note: The NGINX container name also changed in version v202205-1.
- For versions v202205-1 and later, use tfe_nginx.
- For versions prior to v202205-1, use ptfe_nginx.
Connect to the container.
$ sudo docker exec -it tfe_nginx /bin/bash
From inside the container, use curl to attempt a connection to your VCS provider's domain.
$ curl -v -L https://<VCS_PROVIDER_FQDN>
If there is a certificate issue, the command fails with an output similar to the following.
* Trying 10.60.248.95...
* TCP_NODELAY set
* Connected to <VCS_PROVIDER_FQDN> (<ip-address>) port 443 (#0)
##...
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
##...
This output confirms that the Terraform Enterprise instance does not trust the certificate presented by the VCS provider.
Step 2: Add the CA certificate to Terraform Enterprise
Terraform Enterprise must be able to trust the SSL/TLS certificates for all services it integrates with, including VCS providers. You must provide the full certificate chain for your VCS provider to Terraform Enterprise.
- Navigate to the Terraform Enterprise admin settings console at https://$TFE_HOSTNAME:8800/settings.
- Select the TLS tab.
- In the Custom CA Certificate Bundle section, upload the public certificate or the full certificate chain for your VCS provider.
- Save the settings and restart the Terraform Enterprise application when prompted.
For more details, refer to the CA Bundle installation documentation.
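Before uploading the bundle in Step 2, you can confirm that it actually validates the chain the VCS provider presents. The script below is an added example, not part of the original article; it assumes OpenSSL 1.1.0 or later, and its function names, file names and the host vcs.example.internal are hypothetical. The demo runs on throwaway certificates constructed on the spot.

```shell
#!/bin/sh
# Added example, not from the original article. Host names, file names and
# function names are constructed placeholders. Needs OpenSSL 1.1.0 or later.

# fetch_chain HOST OUT: save every certificate the server presents, leaf first.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2"
}

# check_bundle BUNDLE CHAIN: succeed only if the first certificate in CHAIN
# (the leaf) chains to a CA in BUNDLE. The other certificates in CHAIN are
# offered as untrusted intermediates, the way a TLS client receives them.
check_bundle() {
  [ -s "$1" ] || { echo "CA bundle missing or empty: $1" >&2; return 2; }
  [ -s "$2" ] || { echo "no certificates captured in: $2" >&2; return 2; }
  openssl verify -CAfile "$1" -untrusted "$2" "$2"
}

# make_constructed_pki DIR NAME: throwaway root CA plus one leaf, demo only.
make_constructed_pki() {
  mkdir -p "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA $2" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vcs.example.internal" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Demo on constructed certificates: the issuing CA passes, an unrelated CA fails.
demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir/vcs" vcs && make_constructed_pki "$demo_dir/other" other
check_bundle "$demo_dir/vcs/root.pem" "$demo_dir/vcs/leaf.pem" && echo "bundle validates the chain"
check_bundle "$demo_dir/other/root.pem" "$demo_dir/vcs/leaf.pem" || echo "wrong CA: connection would still fail"
rm -rf "$demo_dir"
```

On a real system, run fetch_chain against the VCS provider's FQDN from the Terraform Enterprise host and pass the captured file to check_bundle together with the bundle you plan to upload. openssl verify can also consult the host's default CA directory, so a pass on a machine that already trusts the CA proves less than a pass on a clean host.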
Step 3: Verify the fix
After the restart completes, navigate to the VCS provider settings in the Terraform Enterprise UI and attempt to connect to the VCS provider again. The connection should now succeed.
Additional Information
For more information on managing certificates, see the Certificate Authority (CA) Bundle settings documentation.