Context
In late July 2024, DigiCert identified an issue with its CNAME-based domain validation and, as a result, mass-revoked the affected certificates. Details: https://www.digicert.com/support/certificate-revocation-incident
Whether a certificate is affected can be confirmed in DigiCert's CertCentral portal. Affected certificates must be reissued for TLS validation to succeed again. Clients that connect to a server presenting an affected certificate may fail to validate it, for example VCS webhooks, browsers accessing the Terraform Enterprise server, and Terraform runs that use the TFE provider. Note that both error messages below mean the client could not build a chain to a CA it trusts, which is why the Resolution section calls out updating client trust stores when the issuing authority changes. Affected services, such as Terraform runs or VCS webhooks, may fail with errors such as:
    tls: failed to verify certificate: x509: certificate signed by unknown authority
    SSL_connect returned=1 errno=0 peeraddr=0.0.0.0:443 state=error: certificate verify failed (unable to get local issuer certificate)
Resolution
New DigiCert certificates will need to be issued and installed on every active deployment that uses an affected certificate. Items to consider include:
- TLS-terminating load balancers in front of Terraform Enterprise may need the new certificate and key installed
- VCS providers will need the new certificate's issuing Certificate Authority in their trust store, if the issuing authority changed; otherwise webhook deliveries to Terraform Enterprise will fail with the errors shown above
- Terraform Enterprise agents might need the new issuing Certificate Authority added to their trust store, if the authority changed
- Flexible Deployment Options (FDO) installations of Terraform Enterprise that terminate TLS will need the files referred to by the TFE_TLS_CERT_FILE and TFE_TLS_KEY_FILE environment variables replaced with the new certificate and its matching private key
- Replicated installations of Terraform Enterprise that terminate TLS at the server will need their certificate and key replaced in the admin console on port 8800. This support article details the process: https://support.hashicorp.com/hc/en-us/articles/360045247693-How-To-Replace-the-TLS-Certificate-and-Private-Key
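The following script is an added example, not part of this article or of Terraform Enterprise: it runs the three checks a practitioner would want before writing a reissued certificate to the TFE_TLS_CERT_FILE / TFE_TLS_KEY_FILE paths or the port 8800 console, namely that the new certificate chains to a given CA bundle (what a VCS provider or agent trust store must be able to do), that the private key actually matches the certificate, and whether the issuing CA changed compared to the old certificate (the condition under which the VCS provider and agent trust stores need updating). It fabricates throwaway "old" and "new" CAs and leaf certificates with openssl so it runs offline; every CA name, host name and path below is a made-up fixture, and with real files you would pass your own paths to the three functions instead.

```shell
#!/bin/sh
# Added example (not the article's or Terraform Enterprise's own tooling).
# Pre-deployment checks for a reissued TLS certificate. Fixtures are
# generated locally so the script runs offline; all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build fixtures: an "old" CA + leaf (standing in for the revoked chain) and a
# "new" CA + leaf (the reissued cert, deliberately from a different issuer).
# EC keys keep generation fast; the checks below are key-type agnostic.
make_fixtures() {
  for ca in old new; do
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -days 30 -subj "/CN=Fixture ${ca} Root CA" \
      -keyout "$WORK/$ca-ca.key" -out "$WORK/$ca-ca.crt" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -subj "/CN=tfe.example.internal" \
      -keyout "$WORK/$ca-leaf.key" -out "$WORK/$ca-leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$ca-leaf.csr" \
      -CA "$WORK/$ca-ca.crt" -CAkey "$WORK/$ca-ca.key" -CAcreateserial \
      -out "$WORK/$ca-leaf.crt" 2>/dev/null
  done
}

# 1. Does the certificate chain to the given CA bundle? This is the check a
#    VCS provider, browser or TFE agent performs against its own trust store;
#    failing it is exactly the "unknown authority" / "unable to get local
#    issuer certificate" error quoted in the article.
#    Usage: chain_ok <ca-bundle.pem> <cert.pem>
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. Does the private key belong to the certificate? Compares a SHA-256 of
#    the public key (SPKI) on both sides, so it works for RSA and EC alike.
#    Usage: key_matches_cert <cert.pem> <key.pem>
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# 3. Did the issuing CA change between the old and the new certificate?
#    If it did, every client trust store (VCS provider, agents) needs the
#    new CA before the cert is rolled out.
#    Usage: issuer_changed <old-cert.pem> <new-cert.pem>
issuer_changed() {
  o=$(openssl x509 -in "$1" -noout -issuer)
  n=$(openssl x509 -in "$2" -noout -issuer)
  [ "$o" != "$n" ]
}

# Run the checks against the fixtures. Each "if" keeps a failing check from
# tripping set -e, so all results are reported.
make_fixtures
if chain_ok "$WORK/new-ca.crt" "$WORK/new-leaf.crt"; then
  echo "OK   new cert chains to the new CA bundle"
fi
if ! chain_ok "$WORK/old-ca.crt" "$WORK/new-leaf.crt"; then
  echo "WARN new cert does NOT chain to the old CA bundle: clients still trusting only the old CA will fail"
fi
if key_matches_cert "$WORK/new-leaf.crt" "$WORK/new-leaf.key"; then
  echo "OK   private key matches new cert"
fi
if issuer_changed "$WORK/old-leaf.crt" "$WORK/new-leaf.crt"; then
  echo "WARN issuing CA changed; update VCS provider and agent trust stores"
fi
```

For a real rollout, point chain_ok at the CA bundle each client actually uses (for example the bundle shipped to agents), not at a bundle you built from the new certificate's own chain, since the point is to predict what those clients will do; and run key_matches_cert before restarting anything, because a cert/key mismatch will take the listener down rather than merely produce a validation error.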