Problem
When you access the Terraform Enterprise console using its IP address, your browser may display a warning that the certificate is untrusted. You will not encounter this issue when using the DNS hostname to access the console.
Cause
The certificate has an issue with the Subject Alternative Name (SAN) field. The IP address is either missing or incorrectly entered in the SAN. An entry formatted as DNS:192.0.2.10 is incorrect because IP addresses must be prefixed with IP:, not DNS:.
As a result, the certificate cannot be validated when accessing Terraform Enterprise via its IP address.
Solutions
Solution 1: Update the Certificate's Subject Alternative Name (SAN)
Update the certificate to include the IP address in the Subject Alternative Name (SAN) field. The SAN field must correctly identify all hostnames and IP addresses for the server.
- DNS names should use the format: DNS:your-tfe-hostname.com
- IPv4 addresses should use the format: IP:192.0.2.10
- IPv6 addresses should use the format: IP:2001:db8::1
After updating the certificate, apply it to your Terraform Enterprise installation.
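To confirm how an address is typed in an issued certificate before applying it, the following added example (not from the HashiCorp documentation) classifies an IPv4 address in the SAN text that OpenSSL prints. The function name `check_san_for_ip`, the sample SAN strings, and the file name `cert.pem` are assumptions; the `-ext` option requires OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: classify how an IPv4 address appears in a certificate's SAN.
# Feed it the text printed by:
#   openssl x509 -in cert.pem -noout -ext subjectAltName
# OpenSSL prints IP-typed entries as "IP Address:<addr>" and DNS-typed
# entries as "DNS:<name>", even though the config syntax is IP:/DNS:.
# IPv4 only: OpenSSL prints IPv6 SANs in expanded form, so a literal
# string comparison would miss them.

check_san_for_ip() {
    san_text=$1
    ip=$2
    # Split on commas into one SAN entry per line and trim whitespace.
    entries=$(printf '%s\n' "$san_text" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if printf '%s\n' "$entries" | grep -Fxq "IP Address:$ip"; then
        echo "ok"          # correctly typed IP entry
    elif printf '%s\n' "$entries" | grep -Fxq "DNS:$ip"; then
        echo "wrong-type"  # address entered as DNS:, the mistake described above
    else
        echo "missing"     # address is not in the SAN at all
    fi
}

# Constructed sample outputs (not taken from a real certificate).
GOOD_SAN='X509v3 Subject Alternative Name:
    DNS:your-tfe-hostname.com, IP Address:192.0.2.10'
BAD_SAN='X509v3 Subject Alternative Name:
    DNS:your-tfe-hostname.com, DNS:192.0.2.10'
NO_IP_SAN='X509v3 Subject Alternative Name:
    DNS:your-tfe-hostname.com'

echo "good:    $(check_san_for_ip "$GOOD_SAN" 192.0.2.10)"
echo "bad:     $(check_san_for_ip "$BAD_SAN" 192.0.2.10)"
echo "missing: $(check_san_for_ip "$NO_IP_SAN" 192.0.2.10)"
```

A result of `wrong-type` or `missing` means the certificate must be reissued with an `IP:` entry before it will validate for access by IP address.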
Solution 2: Use the DNS Hostname for Access
As a best practice, access the Terraform Enterprise console using its fully qualified domain name (FQDN) instead of its IP address. This ensures the name matches the certificate's common name or a DNS entry in the SAN field.
Outcome
After applying one of the solutions, your browser should trust the certificate when accessing the Terraform Enterprise console.
Additional Information
- For more details on the specification, refer to the RFC 5280 Subject Alternative Name documentation.
- For guidance on certificate management in Terraform Enterprise, please refer to the official product documentation.