Pre-flight checks with private authorities certificate HTTPS resources ( Minio; LDAP)

Problem

During a Terraform Enterprise installation or upgrade, the pre-flight checks fail with an error indicating an unknown certificate authority. This typically occurs when Terraform Enterprise is configured to communicate with an external service over HTTPS, such as a self-hosted object storage provider (e.g., Minio) or an LDAP directory, that uses a certificate signed by a private certificate authority (CA).

Example error messages include:

x509: certificate signed by unknown authority

Console auth validation failed for type ldap: Error validating LDAP schema: LDAP Result Code 200 "": x509: certificate signed by unknown authority

AWS authentication failed: RequestError: send request failed caused by: Get "https://tfe-minio01.intranet.yourcompany.info/": x509: certificate signed by unknown authority

Cause

The Terraform Enterprise installer, managed by Replicated, performs pre-flight checks from the host machine before starting the Terraform Enterprise application containers. These checks do not use the custom CA certificate chain provided in the Replicated settings console.

Instead, the pre-flight checks rely on the host operating system's trusted certificate store. If your private CA's certificate chain is not present in the host's trust store, the checks will fail because they cannot validate the certificate presented by the external HTTPS service.

Solution

To resolve this issue, you must add the full certificate chain for your private CA to the host machine's trusted certificate store. Replicated searches for certificates in several common locations on the host. It mounts the first certificate bundle it finds from the following list into the pre-flight check environment:

• /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
• /etc/pki/tls/certs/ca-bundle.crt
• /etc/ssl/ca-bundle.pem
• /etc/pki/tls/cacert.pem
• /etc/ssl/certs/ca-certificates.crt

Procedure

Follow the procedure for your specific Linux distribution to add a new CA certificate to the system's trust store. The following example demonstrates the process for Ubuntu.

1. Copy your private CA certificate file (e.g., foo.crt) to the /usr/local/share/ca-certificates/ directory.

   $ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

2. Update the system's CA store. This command consolidates all certificates into a single bundle file.

   $ sudo update-ca-certificates

After updating the host's trust store, re-run the Terraform Enterprise pre-flight checks. The checks should now pass successfully.

Note: For other Linux distributions, consult your operating system's documentation for the correct procedure to update the system-wide CA trust store.

Additional Information

• For a detailed explanation of how Replicated handles certificate chains, refer to the Replicated documentation on Certificate Chain Walk-through.