Problem
In late July 2024, services connecting to Terraform Enterprise, such as VCS webhooks, browsers, or Terraform runs using the tfe provider, may fail with TLS certificate validation errors.
Affected services may fail with errors similar to the following.
tls: failed to verify certificate: x509: certificate signed by unknown authority
SSL_connect returned=1 errno=0 peeraddr=0.0.0.0:443 state=error: certificate verify failed (unable to get local issuer certificate)
Cause
DigiCert identified an issue with certain CNAME domain-validated certificates and performed a mass revocation of the affected certificates. You can find more details in DigiCert's announcement on the certificate revocation incident.
You can confirm if your certificates are affected using DigiCert's CertCentral Portal. If your certificate was revoked, you must issue a new one to restore SSL validation.
Solutions
After issuing a new certificate from DigiCert, you must update your active Terraform Enterprise deployment. The specific steps depend on your architecture.
Solution 1: Update TLS-Terminating Load Balancers
If you use a load balancer to terminate TLS traffic in front of Terraform Enterprise, update the certificate on the load balancer itself.
Solution 2: Update VCS Provider Trust Stores
If the certificate authority (CA) for your new certificate has changed, you may need to update the local trust store on your VCS provider instances to include the new CA.
Solution 3: Update Terraform Enterprise Agent Trust Stores
If the certificate authority (CA) for your new certificate has changed, you may need to update the CA bundle on your Terraform Enterprise agents.
Solution 4: Update Flexible Deployment Option (FDO) Installations
For FDO installations that terminate TLS at the application, you must update the files referenced by the TFE_TLS_CERT_FILE and TFE_TLS_KEY_FILE environment variables with the new certificate and key.
Solution 5: Update Replicated Installations
For Replicated installations that terminate TLS at the application server, you must update the certificate in the Replicated admin console on port 8800. For detailed instructions, refer to the support article on How To Replace the TLS Certificate and Private Key.
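The Go program below is an added example, not HashiCorp's code and not part of this article. It reproduces the x509 validation failure from the Problem section against an in-memory trust store, shows the failure clear once the new issuing CA is added to that store (the change behind Solutions 2 and 3), and checks that a replacement certificate and private key belong together before they are written to the files behind TFE_TLS_CERT_FILE and TFE_TLS_KEY_FILE (Solution 4). All certificates, the CA names and the hostname tfe.example.internal are constructed on the fly; nothing here contacts DigiCert or a real Terraform Enterprise instance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// keyPair bundles a certificate with the private key behind it (all constructed in memory).
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	der  []byte
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA builds a self-signed CA; it stands in for both the CA already present in a
// trust store and the CA that issued the replacement certificate.
func newCA(name string) keyPair {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return keyPair{cert: cert, key: key, der: der}
}

// issueLeaf issues a server certificate for host, signed by ca.
func issueLeaf(ca keyPair, host string) keyPair {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return keyPair{cert: cert, key: key, der: der}
}

// verifyWithTrustStore validates leaf for host against a trust store holding only the
// given CAs, as a Go TLS client (the tfe provider, an agent) does. It returns the
// validation error text, or "" when the chain is accepted.
func verifyWithTrustStore(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err != nil {
		return err.Error()
	}
	return ""
}

// certAndKeyMatch reports whether a PEM certificate and PEM private key belong together;
// run this on the replacement files before an FDO deployment loads them.
func certAndKeyMatch(certPEM, keyPEM []byte) bool {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err == nil
}

// toPEM encodes a key pair the way certificate and key files are stored on disk.
func toPEM(kp keyPair) (certPEM, keyPEM []byte) {
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: kp.der})
	keyDER, _ := x509.MarshalECPrivateKey(kp.key)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}

func main() {
	const host = "tfe.example.internal" // constructed hostname
	oldRoot := newCA("Old Issuing CA (constructed)")
	newRoot := newCA("New Issuing CA (constructed)")
	reissued := issueLeaf(newRoot, host)

	// Trust store still holds only the old CA: the "unknown authority" failure from the article.
	fmt.Println("old trust store:    ", verifyWithTrustStore(reissued.cert, host, oldRoot.cert))
	// Trust store updated with the new CA (Solutions 2 and 3): validation succeeds.
	fmt.Println("updated trust store: ok =", verifyWithTrustStore(reissued.cert, host, oldRoot.cert, newRoot.cert) == "")

	// Check the replacement cert/key files against each other before deploying (Solution 4).
	certPEM, keyPEM := toPEM(reissued)
	_, wrongKey := toPEM(issueLeaf(newRoot, host))
	fmt.Println("cert/key match:      ", certAndKeyMatch(certPEM, keyPEM))
	fmt.Println("cert/wrong key match:", certAndKeyMatch(certPEM, wrongKey))
}
```

With only the old CA in the pool, verifyWithTrustStore returns the same "x509: certificate signed by unknown authority" text shown in the Problem section; adding the new CA is what makes the re-issued certificate validate, which is why a changed issuer forces a trust-store update on VCS hosts and agents even though the certificate itself is valid.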