Problem
After a successful deployment of Terraform Enterprise (TFE) Flexible Deployment Options (FDO) using Docker, the user interface (UI) is inaccessible by its hostname or IP address.
The NGINX container log displays the following error, indicating an issue with the TLS certificate.
    {
      "log": "nginx: [emerg] SSL_CTX_use_certificate(\"/etc/ssl/private/terraform-enterprise/cert.pem\") failed (SSL: error:0A00018E:SSL routines::ca md too weak)",
      "component": "nginx"
    }

Cause
The error "ca md too weak" occurs because the provided TLS certificate was signed using a weak hashing algorithm (such as SHA-1) that does not meet the minimum security level enforced by the underlying cryptographic library (OpenSSL) used by NGINX.
This issue is common with older, self-signed certificates. Certificate Authorities (CAs) typically sign certificates using modern, secure algorithms by default.
Solutions
Solution 1: Regenerate the TLS Certificate
To resolve this issue, you must replace the existing certificate with one that uses a strong hashing algorithm like SHA-256.
- Verify the error by checking the NGINX logs inside the TFE container. SSH into the instance where TFE is installed and run the following command. If you used a custom container name, replace terraform-enterprise-tfe-1 accordingly.
    $ docker exec -it terraform-enterprise-tfe-1 cat /var/log/terraform-enterprise/nginx.log
  Alternatively, you can generate and inspect a support bundle to find the log at .../host/var/log/terraform-enterprise/nginx.log.
- Generate a new certificate and private key. While a CA-signed certificate is recommended for production environments, you can generate a self-signed certificate for testing purposes using the openssl command with the -sha256 flag.
    $ openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
  Note: The -nodes option is required because Terraform Enterprise cannot use a private key that is protected by a passphrase.
- After running the command, you will have cert.pem and key.pem files. Next, create the bundle.pem file by copying the certificate.
    $ cp cert.pem bundle.pem
- Replace the old certificate files with the newly generated cert.pem, key.pem, and bundle.pem files in your TFE configuration and restart the application.
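As an added check that is not part of the original article, the following POSIX shell functions inspect a PEM certificate's signature algorithm before it is installed, so a SHA-1 (or MD5) signed certificate is caught before NGINX refuses it; the helper also generates a SHA-256 self-signed replacement the way the steps above describe. It assumes only that the openssl CLI is installed; the subject name tfe.example.test is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Constructed example (not from the original article): pre-check a TLS
# certificate for the weak-digest condition behind "ca md too weak".
# Assumes the openssl CLI is on PATH.

# Print the signature algorithm of the first certificate in a PEM file,
# e.g. "sha256WithRSAEncryption" or "sha1WithRSAEncryption".
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep 'Signature Algorithm' | head -n1 | awk '{print $3}'
}

# Return 0 when the signature digest is SHA-256 or stronger (or Ed25519),
# 1 when it is weak (md5/sha1), unrecognised, or the file is unreadable.
# Note: RSA-PSS certificates print "rsassaPss" here and are not classified.
cert_digest_ok() {
  alg=$(cert_sig_alg "$1")
  case "$alg" in
    sha256*|sha384*|sha512*) return 0 ;;
    ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
    ED25519) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a SHA-256 self-signed replacement into $1 (cert) and $2 (key),
# mirroring the article's openssl req command (-nodes: TFE cannot use a
# passphrase-protected key). A CA-signed certificate is preferred in production.
gen_sha256_cert() {
  openssl req -x509 -nodes -newkey rsa:2048 -keyout "$2" -out "$1" \
    -sha256 -days 365 -subj "/CN=tfe.example.test" >/dev/null 2>&1
}

# Report the algorithm and exit non-zero if the certificate would be rejected.
check_cert() {
  alg=$(cert_sig_alg "$1")
  if cert_digest_ok "$1"; then
    echo "$1: signature algorithm $alg (ok for TFE)"
  else
    echo "$1: signature algorithm ${alg:-unknown} (too weak for TFE; regenerate with -sha256)"
    return 1
  fi
}
```

Run check_cert against cert.pem and bundle.pem before placing them in the TFE configuration; a non-zero exit means the certificate should be regenerated or re-issued by the CA with SHA-256.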
Outcome
After replacing the certificate and restarting the application, the Terraform Enterprise UI will be accessible by its configured hostname or IP address.
Additional Information
- For detailed instructions on generating a support bundle, refer to the guide on How to Generate a Support Bundle for Terraform Enterprise FDO.
- For more information on certificate requirements, see the official documentation on TLS Certificates for TFE.