Introduction
This guide explains how to configure Terraform Enterprise to use an SSL/TLS certificate issued by a private Certificate Authority (CA) when TLS termination occurs at the NGINX web server.
Expected Outcome
End users will receive successful SSL/TLS validation of the Terraform Enterprise site certificate without browser warnings.
Prerequisites
- An operational Terraform Enterprise instance.
- The private Root CA certificate is trusted by all client workstations that will access Terraform Enterprise.
- SSL/TLS connection is terminated at the NGINX service within the Terraform Enterprise installation.
- You have the site certificate, intermediate certificate, private key, and root CA certificate in PEM format.
Procedure
Step 1: Create a Combined Certificate File
To ensure the proper certificate chain is presented, concatenate the Terraform Enterprise site certificate and the intermediate certificate, in that order, into a single file named cert.pem. NGINX presents the first certificate in the file as the server certificate, so the site certificate must come first, followed by any intermediates in issuing order (each certificate followed by the one that signed it). The root CA certificate need not be included here; clients are expected to have it in their own trust store.
$ cat site.crt intermediate.crt > cert.pem
Step 2: Update the CA Bundle
Add the private root CA certificate, in PEM format, to the CA bundle file, bundle.pem. Terraform Enterprise uses this bundle to validate certificates it encounters when acting as a TLS client, including its own site certificate when it connects to its own hostname, so the root that issued the site certificate must be present. If the bundle already exists, append the root certificate to it rather than replacing other CA certificates it contains.
Step 3: Configure Environment Variables
Update your Terraform Enterprise deployment configuration to point to the correct certificate files. The following examples show the required environment variables for different deployment types.
Docker
Update your Docker Compose configuration with the paths to your certificate files. The paths are as seen inside the container, so the host directory holding cert.pem, key.pem and bundle.pem must be mounted at that location.
---
name: terraform-enterprise
services:
  tfe:
    ...
    environment:
      ...
      TFE_TLS_CERT_FILE: "/etc/ssl/private/terraform-enterprise/cert.pem"
      TFE_TLS_KEY_FILE: "/etc/ssl/private/terraform-enterprise/key.pem"
      TFE_TLS_CA_BUNDLE_FILE: "/etc/ssl/private/terraform-enterprise/bundle.pem"
For more details, refer to the Docker deployment guide.
Podman
Update your Podman pod configuration with the paths to your certificate files. As with Docker, the paths are as seen inside the container and the directory holding the files must be mounted there.
---
apiVersion: "v1"
kind: "Pod"
...
spec:
  ...
  containers:
    - env:
        ...
        - name: "TFE_TLS_CERT_FILE"
          value: "/etc/ssl/private/terraform-enterprise/cert.pem"
        - name: "TFE_TLS_KEY_FILE"
          value: "/etc/ssl/private/terraform-enterprise/key.pem"
        - name: "TFE_TLS_CA_BUNDLE_FILE"
          value: "/etc/ssl/private/terraform-enterprise/bundle.pem"
For more details, refer to the Podman deployment guide.
Kubernetes
In a Kubernetes deployment, provide the same three files as base64-encoded values in the Helm chart configuration: certData holds the encoded cert.pem, keyData the encoded key.pem, and caCertData the encoded bundle.pem. Encode the complete PEM file, not just the certificate body.
...
tls:
  certData: <BASE_64_ENCODED_CERTIFICATE_PEM_FILE>
  keyData: <BASE_64_ENCODED_CERTIFICATE_PRIVATE_KEY_PEM_FILE>
  caCertData: <BASE_64_ENCODED_CERTIFICATE_CA_CERTIFICATE_PEM_FILE>
For more details, refer to the Kubernetes deployment guide.
Replicated
For detailed instructions on Replicated installations, refer to the How to setup Terraform Enterprise with a Certificate Authority (CA) Bundle article.
Step 4: Validate the Certificate
To validate the Terraform Enterprise site certificate, use the openssl command. Include the port in the -connect target (443 unless you changed it) and pass the hostname with -servername so the server selects the correct certificate. The command checks the connection and displays the certificate chain.
$ openssl s_client -connect tfe.example.net:443 \
-servername tfe.example.net \
-CAfile bundle.pem \
-showcerts
A correctly configured server presents the site certificate followed by the intermediate certificate, and the output ends with Verify return code: 0 (ok). A return code of 21 (unable to verify the first certificate) usually means the intermediate certificate is missing from cert.pem; a return code of 20 (unable to get local issuer certificate) means the root CA certificate is not in the bundle passed with -CAfile.
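The whole procedure above, as an added worked example that is not part of the original article or of HashiCorp's code: the script generates a throwaway private CA (root, intermediate, and a site certificate for the placeholder hostname tfe.example.net), assembles cert.pem, key.pem and bundle.pem exactly as Steps 1 and 2 describe, and then performs the Step 4 checks offline with openssl verify, including the negative case that shows why the intermediate must be in cert.pem and a hostname check that shows why the site certificate needs a matching DNS subjectAltName. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the WORK and TFE_HOST variables are assumptions that can be overridden from the environment, and all keys and certificates it writes are constructed test material.

```bash
#!/bin/sh
# Added example, not from the Terraform Enterprise documentation: build cert.pem and
# bundle.pem (Steps 1 and 2) from a throwaway private CA generated here, then check
# them offline the way Step 4 checks the live server. Assumptions: the openssl CLI
# (1.1.1 or newer) is on PATH; tfe.example.net is a placeholder hostname; every key
# and certificate below is constructed test material, never production material.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TFE_HOST="${TFE_HOST:-tfe.example.net}"

# new_key_and_csr DIR NAME SUBJECT: RSA key plus CSR. Key-generation progress goes
# to stderr and is discarded; genuine failures still abort via set -e.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "$3" 2>/dev/null
}

# make_private_ca DIR HOST: self-signed root -> intermediate -> site certificate.
# Leaves root.crt, intermediate.crt, site.crt and the site key site.key in DIR.
make_private_ca() {
  dir="$1"; host="$2"
  new_key_and_csr "$dir" root "/CN=Example Private Root CA"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null
  # pathlen:0 so the intermediate can issue leaf certificates only.
  new_key_and_csr "$dir" intermediate "/CN=Example Private Intermediate CA"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$dir/intermediate.ext"
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/intermediate.ext" \
    -out "$dir/intermediate.crt" 2>/dev/null
  # Browsers match the hostname against subjectAltName, so the leaf needs a DNS SAN.
  new_key_and_csr "$dir" site "/CN=$host"
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    "subjectAltName=DNS:$host" > "$dir/site.ext"
  openssl x509 -req -in "$dir/site.csr" -CA "$dir/intermediate.crt" \
    -CAkey "$dir/intermediate.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$dir/site.ext" -out "$dir/site.crt" 2>/dev/null
}

# assemble_tfe_files DIR: Step 1 (site certificate first, then the intermediate) and
# Step 2 (the private root goes into the CA bundle); key.pem is the site private key.
assemble_tfe_files() {
  cat "$1/site.crt" "$1/intermediate.crt" > "$1/cert.pem"
  cat "$1/root.crt" > "$1/bundle.pem"
  cp "$1/site.key" "$1/key.pem"
}

# cert_count FILE: number of PEM certificates in FILE (2 for cert.pem, 1 for bundle.pem).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# leaf_is_first DIR HOST: openssl x509 reads only the first PEM block, which is the
# certificate NGINX presents as the server certificate, so it must be the site cert.
leaf_is_first() {
  openssl x509 -in "$1/cert.pem" -noout -subject -nameopt RFC2253 | grep -q "CN=$2"
}

# key_matches_cert DIR: the public key inside cert.pem must equal the one in key.pem.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/key.pem" -pubout)" ]
}

# chain_verifies DIR HOST: offline equivalent of Step 4. Trust only bundle.pem, take
# the intermediate from cert.pem, and apply the server-certificate purpose and
# hostname checks a browser would.
chain_verifies() {
  openssl verify -CAfile "$1/bundle.pem" -untrusted "$1/cert.pem" \
    -purpose sslserver -verify_hostname "$2" "$1/site.crt" >/dev/null 2>&1
}

# leaf_alone_fails DIR: without the intermediate the root cannot validate the leaf;
# this is the browser warning Step 1 prevents. Returns 0 when verification fails.
leaf_alone_fails() {
  ! openssl verify -CAfile "$1/bundle.pem" "$1/site.crt" >/dev/null 2>&1
}

make_private_ca "$WORK" "$TFE_HOST"
assemble_tfe_files "$WORK"
echo "files written to $WORK: cert.pem ($(cert_count "$WORK/cert.pem") certs), key.pem, bundle.pem"
leaf_is_first "$WORK" "$TFE_HOST"  && echo "site certificate is first in cert.pem"
key_matches_cert "$WORK"           && echo "key.pem matches the site certificate"
chain_verifies "$WORK" "$TFE_HOST" && echo "chain verifies for $TFE_HOST against bundle.pem"
leaf_alone_fails "$WORK"           && echo "leaf without intermediate is rejected, as expected"
```

Point TFE_TLS_CERT_FILE, TFE_TLS_KEY_FILE and TFE_TLS_CA_BUNDLE_FILE at the three files the script writes, substituting your real private-CA material for the generated certificates, and run the same checks against the real files before deploying. Once the service is up, the openssl s_client command from Step 4 performs the same validation over the network.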