Problem
When you configure Terraform Enterprise (TFE) to use specific TLS 1.3 cipher suites, the environment becomes unavailable. The nginx process, which handles TLS termination, fails to start and enters a FATAL state.
You may see the following errors in the TFE container logs.
INFO spawned: 'nginx' with pid 1090
INFO exited: nginx (exit status 1; not expected)
INFO gave up: nginx entered FATAL state, too many start retries too quickly
This issue occurs when setting the following parameters for either a Flexible Deployment Options (FDO) or Replicated installation.
Flexible Deployment Options (FDO) Configuration
TFE_TLS_CIPHERS: "TLS_AES_256_GCM_SHA384"
TFE_TLS_VERSION: "tls_1_3"
Replicated Configuration
$ replicatedctl app-config set tls_ciphers --value "ECDHE-RSA-AES256-GCM-SHA384"
$ replicatedctl app-config set tls_vers --value "tls_1_3"
Prerequisites
- Terraform Enterprise version 202405-1 or earlier.
Cause
The configuration parameters TFE_TLS_CIPHERS (for FDO) and tls_ciphers (for Replicated) do not correctly configure the underlying nginx service when TFE_TLS_VERSION is set to tls_1_3. These parameters take an OpenSSL cipher list in the TLS 1.2 naming format (for example ECDHE-RSA-AES256-GCM-SHA384), which is what nginx's ssl_ciphers directive expects. OpenSSL keeps the TLS 1.3 cipher suites (TLS_AES_256_GCM_SHA384 and the other TLS_* names) on a separate list that is configured through a different call, so a TLS 1.3 suite name is not a valid entry in the TLS 1.2 list, and nginx fails to start rather than serving with an unintended cipher set.
For example, the following configuration for TLS 1.2 works as expected because the cipher suite format is compatible.
Working TLS 1.2 FDO Configuration
TFE_TLS_CIPHERS: "ECDHE-RSA-AES256-SHA"
TFE_TLS_VERSION: "tls_1_2"
Working TLS 1.2 Replicated Configuration
$ replicatedctl app-config set tls_ciphers --value "ECDHE-RSA-AES256-SHA"
$ replicatedctl app-config set tls_vers --value "tls_1_2"
You can verify the TLS 1.2 connection and the negotiated cipher suite with the following command. The -no_tls1_3 option disables TLS 1.3 on the client side so that the server's TLS 1.2 cipher list is the one being exercised.
$ echo -n | openssl s_client -connect <TFE_HOSTNAME>:443 -no_tls1_3
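The split between the two OpenSSL cipher lists can be reproduced without TFE or nginx. The following is an added example, not HashiCorp's or nginx's code, that uses Python's ssl module, which wraps the same OpenSSL calls nginx makes: set_ciphers() is SSL_CTX_set_cipher_list(), the TLS 1.2 list behind nginx's ssl_ciphers directive. The two cipher strings are the ones from the configurations above; the function and variable names are this example's own.

```python
"""Added example: show why a TLS 1.3 suite name is rejected by the TLS 1.2
cipher-list API that nginx's ssl_ciphers uses. Not TFE or nginx code."""
import ssl

# Values taken from the configurations in this article.
TLS13_SUITE = "TLS_AES_256_GCM_SHA384"        # breaks nginx when put in ssl_ciphers
TLS12_CIPHER = "ECDHE-RSA-AES256-GCM-SHA384"  # a TLS 1.2 cipher-list entry that works
HAS_TLS13 = ssl.HAS_TLSv1_3                   # False on pre-1.1.1 OpenSSL builds


def cipher_list_accepted(cipher_string: str) -> bool:
    """True if OpenSSL's TLS 1.2 cipher-list API (SSL_CTX_set_cipher_list,
    exposed by Python as set_ciphers) accepts the string.

    A string that selects no TLS 1.2 cipher is rejected outright; that is the
    error nginx hits at startup when ssl_ciphers holds a TLS 1.3 suite name.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:        # OpenSSL reports "no cipher match"
        return False
    return True


def enabled_tls13_suites(cipher_string: str) -> list:
    """TLS 1.3 suites still enabled after set_ciphers(cipher_string).

    OpenSSL keeps TLS 1.3 suites on a separate list (SSL_CTX_set_ciphersuites;
    in nginx, ssl_conf_command Ciphersuites ...), so a TLS 1.2 cipher string
    neither selects nor removes them: the defaults stay in force.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


if __name__ == "__main__":
    for value in (TLS12_CIPHER, TLS13_SUITE):
        print(f"{value:30} accepted by TLS 1.2 cipher list: {cipher_list_accepted(value)}")
    if HAS_TLS13:
        print("TLS 1.3 suites still enabled:", ", ".join(enabled_tls13_suites(TLS12_CIPHER)))
```

Running it shows the TLS 1.2 name accepted, the TLS 1.3 name rejected, and the default TLS 1.3 suites untouched by either: the same behaviour TFE's cipher parameter inherits from nginx on the affected versions.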
Solution
Terraform Enterprise version 202405-1 and earlier do not support specifying individual TLS 1.3 cipher suites. The workaround is to set the cipher suite parameter to an empty string, which makes nginx fall back to its full default set of TLS 1.3 cipher suites, while keeping the TLS version set to tls_1_3.
Flexible Deployment Options (FDO)
Set TFE_TLS_CIPHERS to an empty value.
TFE_TLS_CIPHERS: ""
TFE_TLS_VERSION: "tls_1_3"
Replicated
Set tls_ciphers to an empty value.
$ replicatedctl app-config set tls_ciphers --value ""
$ replicatedctl app-config set tls_vers --value "tls_1_3"
Outcome
After applying this configuration, Terraform Enterprise uses its full default set of TLS 1.3 cipher suites. Because the parameter is empty, every default TLS 1.3 suite is offered, not only TLS_AES_256_GCM_SHA384; on these versions there is no supported way to restrict TLS 1.3 to a single suite. You can verify that a specific TLS 1.3 cipher is available with the following command.
$ echo | openssl s_client -connect <TFE_HOSTNAME>:443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
The output should confirm a successful connection using the specified cipher. The "New, ..." line carries the negotiated protocol and cipher. "Verification: OK" reports that the server's certificate chain verified against the local trust store; it reads "Verification error: ..." when it does not, which is unrelated to the cipher configuration.
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...
Verification: OK
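Reading s_client output by eye does not scale across environments, and "Verification: OK" is easy to misread as a statement about the cipher. The following added example, not HashiCorp's code, wraps the two s_client invocations used in this article and parses only the lines that matter. parse_s_client, probe, negotiated and SAMPLE_OUTPUT are this example's own; the sample is constructed to mirror the expected output above so the parser can be exercised without a live endpoint.

```python
"""Added example: run the article's openssl s_client checks against a TFE
endpoint and assert on the negotiated protocol, cipher and chain verification
rather than reading the output by eye. Not HashiCorp code."""
import re
import subprocess

# Constructed sample of the lines s_client prints after the workaround is
# applied; used to exercise the parser without a live TFE endpoint.
SAMPLE_OUTPUT = """\
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Verification: OK
---
"""

NEGOTIATED = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)
VERIFICATION = re.compile(r"^Verification(?: error)?: (.+)$", re.M)


def parse_s_client(output: str) -> dict:
    """Extract protocol, cipher and certificate verification result.

    A failed handshake shows up as protocol/cipher "(NONE)"; a chain that does
    not verify against the local trust store shows up as "Verification error:
    ..." instead of "Verification: OK", which says nothing about the cipher.
    """
    m = NEGOTIATED.search(output)
    v = VERIFICATION.search(output)
    return {
        "protocol": m.group(1) if m else None,
        "cipher": m.group(2) if m else None,
        "verification": v.group(1).strip() if v else None,
    }


def probe(host: str, port: int = 443, tls13: bool = True, suite: str = "") -> dict:
    """Run the same s_client command the article uses (needs openssl 1.1.1 or
    newer and network access) and parse the result.

    TLS 1.3 suites are selected with -ciphersuites and TLS 1.2 ciphers with
    -cipher: the CLI has the same split as the library and as nginx.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if tls13:
        cmd.append("-tls1_3")
        if suite:
            cmd += ["-ciphersuites", suite]
    else:
        cmd.append("-no_tls1_3")
        if suite:
            cmd += ["-cipher", suite]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20)
    return parse_s_client(proc.stdout + proc.stderr)


def negotiated(result: dict, protocol: str, cipher: str) -> bool:
    """True when the handshake landed on exactly the expected protocol and cipher."""
    return result["protocol"] == protocol and result["cipher"] == cipher


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass the real TFE hostname as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "tfe.example.com"
    r = probe(host, tls13=True, suite="TLS_AES_256_GCM_SHA384")
    print(r)
    print("TLS 1.3 with AES-256-GCM:", negotiated(r, "TLSv1.3", "TLS_AES_256_GCM_SHA384"))
    print("TLS 1.2 still offered:", probe(host, tls13=False)["cipher"] != "(NONE)")
```

Calling probe(host, tls13=False) alongside the TLS 1.3 probe is worth doing after the change: it confirms whether the server still negotiates TLS 1.2 at all, which is the question a hardening review usually asks next.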
Additional Information
- For more details on these parameters, refer to the Terraform Enterprise Configuration documentation.