Problem
When using localterraform.com as a module source in Terraform Enterprise (TFE), you receive a 401 Unauthorized error.
localterraform.com: error looking up module versions: 401 Unauthorized.
In some cases, you may also see an error indicating that the IP address is not listed as a Subject Alternative Name (SAN).
Prerequisites
- Terraform Enterprise is configured with the Force TLS setting enabled.
Cause
During a TLS handshake, the client verifies the server's SSL certificate to confirm the server's identity and domain ownership. When you use localterraform.com as a module source, the request fails because localterraform.com is not included as a Subject Alternative Name (SAN) on the Terraform Enterprise instance's TLS certificate. This mismatch causes the TLS verification to fail, resulting in a 401 Unauthorized error.
Solutions
Solution 1: Use the Terraform Enterprise Hostname
The recommended solution is to use the actual hostname of your Terraform Enterprise instance in your module sources instead of the generic localterraform.com hostname. This ensures that the hostname matches the one present in the TLS certificate, allowing for a successful TLS handshake.
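The check below is an added example, not HashiCorp's code: it compares the registry hostname in each module source against the certificate's SAN entries, covering both the localterraform.com case and the IP-address-not-in-SAN case. The SAN list uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`; all hostnames, IP addresses, organization names and module names are constructed.

```python
import ipaddress
import re

# Constructed SAN list, in the shape of ssl.SSLSocket.getpeercert()["subjectAltName"].
SAMPLE_SANS = (("DNS", "tfe.example.com"), ("DNS", "*.apps.example.com"),
               ("IP Address", "10.0.0.5"))

# Constructed configuration; hostnames, organization and module names are hypothetical.
SAMPLE_TF = '''
module "vpc" {
  source = "localterraform.com/acme/vpc/aws"
}
module "dns" {
  source = "tfe.example.com/acme/dns/aws"
}
module "db" {
  source = "10.0.0.9/acme/db/aws"
}
module "local" {
  source = "./modules/local"
}
'''

# Private-registry sources have four segments: <host>/<org>/<name>/<provider>.
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"/]+)/[^"/]+/[^"/]+/[^"/]+"', re.M)

def host_in_sans(host, sans):
    """Return True if host is covered by a DNS or IP Address SAN entry."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # IP literals match only IP Address entries, never DNS entries.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            want = host.lower().rstrip(".").split(".")
            have = value.lower().rstrip(".").split(".")
            # A wildcard counts only as the whole left-most label of a longer name.
            wild = have[0] == "*" and len(have) > 2 and len(want) == len(have)
            if want == have or (wild and want[1:] == have[1:]):
                return True
    return False

def unverifiable_sources(tf_text, sans):
    """List module-source hostnames that the certificate's SANs do not cover."""
    return sorted({h for h in SOURCE_RE.findall(tf_text) if not host_in_sans(h, sans)})
```

With the constructed inputs, `unverifiable_sources(SAMPLE_TF, SAMPLE_SANS)` reports `localterraform.com` and `10.0.0.9`, the two module sources to change to the Terraform Enterprise hostname.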
Solution 2: Disable Forced TLS (for testing only)
For non-production or testing environments, you can disable the Force TLS setting. This is not recommended for production environments as it reduces security.
You can disable this setting in two ways:
- Admin Console UI
  Navigate to the Terraform Enterprise Admin Console and disable the Force TLS setting.
- Command Line
  Run the following commands on the Terraform Enterprise instance. This action will trigger a restart of the application.
  # replicatedctl app-config set force_tls --value "0"
  # replicatedctl app apply-config