Problem
Cannot access the UI of the newly deployed TFE FDO by hostname or IP address after successful deployment using a Docker compose file.
Upon checking, the NGINX log shows the following error:
{"log":"nginx: [emerg] SSL_CTX_use_certificate(\"/etc/ssl/private/terraform-enterprise/cert.pem\") failed (SSL: error:0A00018E:SSL routines::ca md too weak)","component":"nginx"}
Cause
TLS certificates were signed using a weak hashing algorithm, which doesn’t meet the minimum security requirements.
This error usually comes from self-signed certificates, since certificate authorities sign certificates using modern algorithms by default.
Please do the following to verify this issue:
- SSH into the instance where TFE is installed and run
docker exec -it terraform-enterprise-tfe-1 cat /var/log/terraform-enterprise/nginx.log
If you gave the container a custom name, replace terraform-enterprise-tfe-1 with your container name.
or
- Generate a support bundle by following the TFE FDO Support Bundle documentation, then check .../host/var/log/terraform-enterprise/nginx.log
Solutions
Re-generate the certificates and replace them.
We usually recommend having a CA-signed certificate; however, for testing purposes you can generate a self-signed one with the command below:
Note that the -nodes option is required, since Terraform Enterprise cannot use a private key that is protected by a passphrase.
When done, you’ll have your cert.pem and key.pem files but no bundle.pem file.
Create your bundle.pem like so:
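The check and re-generation described above, as an added example that is not taken from the original article: it reads the signature algorithm of a certificate, flags weak digests, and creates a test-only self-signed cert.pem, key.pem and bundle.pem signed with SHA-256. The function names, the hostname, the weak-digest list and copying cert.pem to bundle.pem are assumptions of this example; it needs the openssl CLI (1.1.1 or later for -addext).

```shell
#!/bin/sh
# Added example, not from the original article. Requires openssl on PATH.

# Print the signature algorithm of a PEM certificate,
# e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 if the algorithm name uses a digest this example treats as weak
# (MD2, MD4, MD5, SHA-1; the list is an assumption of this example).
is_weak_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a test-only self-signed pair in directory $1 for hostname $2.
# -sha256 sets the signing digest; -nodes leaves key.pem without a passphrase.
make_selfsigned() {
    dir=$1
    host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # Assumption: a self-signed certificate is its own CA,
    # so the bundle is a copy of the certificate.
    cp "$dir/cert.pem" "$dir/bundle.pem"
}

# Usage: sh check_cert.sh /path/to/cert.pem
if [ $# -gt 0 ]; then
    alg=$(cert_sig_alg "$1")
    if [ -z "$alg" ]; then
        echo "ERROR: could not read a certificate from $1"
    elif is_weak_alg "$alg"; then
        echo "WEAK: $1 is signed with $alg; re-issue it"
    else
        echo "OK: $1 is signed with $alg"
    fi
fi
```

Run the check against the cert.pem you mount into the container before restarting Terraform Enterprise, so a weak digest is caught before NGINX fails to start.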
Outcome
TFE FDO (installed on Docker) is accessible by hostname or IP address.
Additional Information
- How to generate a TFE FDO Support Bundle
- How to generate a TLS Certificate