Introduction
During the installation and/or upgrade phase of Terraform Enterprise, users can sometimes stumble upon an error in the pre-flight checks:
... x509: certificate signed by unknown authority
This usually happens when a self-hosted object storage service (Minio, for example), a local LDAP directory, or another resource covered by the checks is configured to reply over HTTPS with a certificate signed by a private authority.
The problem is that even if the full certificate chain has been entered in the input box in the Replicated settings, this does not affect the pre-flight checks.
How-to (fix)
Before proceeding further to the TFE containers, Replicated mounts the CA bundle from the host. The first of the locations below that is found is what gets mounted:
- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- /etc/pki/tls/certs/ca-bundle.crt
- /etc/ssl/ca-bundle.pem
- /etc/pki/tls/cacert.pem
- /etc/ssl/certs/ca-certificates.crt
So in order for the pre-flight checks to pass, and consequently for the object storage test from the example to work, you need to ensure that the full CA chain is present in one of those locations.
An example for Ubuntu is to use update-ca-certificates.
The tool will append the certificate(s) to one of the default locations. Use the following commands:
- Copy your CA to the directory `/usr/local/share/ca-certificates/`
- Use the command:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
- Update the CA store:
sudo update-ca-certificates
Consult your OS manual for other Linux distributions.
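The following POSIX shell helper is an added example, not part of the original article or of Replicated's own tooling. It reproduces the lookup order listed above to report which bundle the host would hand to Replicated, and checks whether a given CA certificate is already present in that bundle, so you can verify the fix before re-running the pre-flight checks. The optional root-directory argument is an assumption made so the functions can be exercised against a constructed directory tree rather than a live host.

```shell
#!/bin/sh
# Added example (not from the original article). Two checks for the
# host CA bundle that Replicated mounts into the TFE containers.

# Print the first bundle path that exists under root $1 (empty means "/"),
# in the same order Replicated tries them; return 1 if none exists.
first_mounted_bundle() {
    root="${1:-}"
    for p in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
             /etc/pki/tls/certs/ca-bundle.crt \
             /etc/ssl/ca-bundle.pem \
             /etc/pki/tls/cacert.pem \
             /etc/ssl/certs/ca-certificates.crt; do
        if [ -f "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Return 0 if every PEM body line of certificate $1 appears verbatim in
# bundle $2. No openssl dependency: standard PEM wraps at 64 characters,
# so a line-by-line exact match is sufficient for a bundle written by
# update-ca-certificates. A file with no PEM block counts as "not present".
bundle_contains_cert() {
    cert="$1"; bundle="$2"
    [ -f "$cert" ] && [ -f "$bundle" ] || return 1
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$cert" \
           | grep -v -- '-----')
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | while IFS= read -r line; do
        grep -qxF -- "$line" "$bundle" || exit 1
    done
}

# Usage on a live host (foo.crt is the placeholder CA from the steps above):
#   first_mounted_bundle
#   bundle_contains_cert /usr/local/share/ca-certificates/foo.crt \
#       "$(first_mounted_bundle)" && echo "CA present in mounted bundle"
```

Note that on Ubuntu update-ca-certificates only picks up files in /usr/local/share/ca-certificates/ that end in .crt, so keep that extension when copying the CA.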
Examples of errors
For LDAP console authentication:
Console auth validation failed for type ldap: Error validating LDAP schema: LDAP Result Code 200 "": x509: certificate signed by unknown authority
For the Minio object storage test:
AWS authentication failed: RequestError: send request failed caused by: Get "https://tfe-minio01.intranet.yourcompany.info/": x509: certificate signed by unknown authority
Additional Information
- There is also a more advanced walk-through of certificate chains, for the curious, in the Replicated Help Center: https://help.replicated.com/docs/native/examples/certificate-chain/