Expected Outcome
Provide SSL/TLS validation of the Terraform Enterprise site certificate to end users when using a private CA issued intermediate certificate.
Prerequisites
- Terraform Enterprise
- Private Root CA certificate is trusted by the client workstation
- SSL/TLS connection is terminated at NGINX (Terraform Enterprise Web Server)
- Certificate files in PEM format
Procedure
1. Create a Combined Certificate File
To create a cert.pem file, concatenate the Terraform Enterprise site and intermediate certificates together, site certificate first. This combines the certificates into a single file, ensuring the proper certificate chain is established.
$ cat site.crt intermediate.crt > cert.pem
2. Update the CA Bundle
Incorporate the private Certificate Authority (CA) root certificate into the CA bundle file (bundle.pem) to ensure proper validation of certificates within the Terraform Enterprise environment.
3. Configure Environment Variables
Update your Terraform Enterprise deployment configuration to point to the correct certificate files.
Docker Example
---
name: terraform-enterprise
services:
  tfe:
    ...
    environment:
      ...
      TFE_TLS_CERT_FILE: "/etc/ssl/private/terraform-enterprise/cert.pem"
      TFE_TLS_KEY_FILE: "/etc/ssl/private/terraform-enterprise/key.pem"
      TFE_TLS_CA_BUNDLE_FILE: "/etc/ssl/private/terraform-enterprise/bundle.pem"
For more details refer to the Docker deployment guide.
Podman Example
---
apiVersion: "v1"
kind: "Pod"
...
spec:
  ...
  containers:
  - env:
    ...
    - name: "TFE_TLS_CERT_FILE"
      value: "/etc/ssl/private/terraform-enterprise/cert.pem"
    - name: "TFE_TLS_KEY_FILE"
      value: "/etc/ssl/private/terraform-enterprise/key.pem"
    - name: "TFE_TLS_CA_BUNDLE_FILE"
      value: "/etc/ssl/private/terraform-enterprise/bundle.pem"
For more details refer to the Podman deployment guide.
Kubernetes Example
...
tls:
  certData: <BASE_64_ENCODED_CERTIFICATE_PEM_FILE>
  keyData: <BASE_64_ENCODED_CERTIFICATE_PRIVATE_KEY_PEM_FILE>
  caCertData: <BASE_64_ENCODED_CERTIFICATE_CA_CERTIFICATE_PEM_FILE>
For more details refer to the Kubernetes deployment guide.
Replicated Example
Please refer to this KB article for detailed instructions.
4. Validate the Certificate
To validate the Terraform Enterprise site certificate, use the openssl command as follows:
$ openssl s_client -connect tfe.example.net:443 \
    -servername tfe.example.net \
    -CAfile bundle.pem \
    -showcerts
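
The files from steps 1 and 2 can also be checked offline before Terraform Enterprise is restarted. The script below is an added example, not part of the original article or of Terraform Enterprise; check_tfe_tls and make_demo_pki are hypothetical helper names, and the root, intermediate and site certificates it generates are constructed sample data.

```shell
#!/bin/sh
# check_tfe_tls CERT KEY BUNDLE (hypothetical helper, not a Terraform Enterprise tool)
# Returns 0 = OK, 1 = first cert in CERT does not match KEY (wrong key, or the
# intermediate was concatenated before the site cert), 2 = chain does not verify.
check_tfe_tls() {
  cert=$1 key=$2 bundle=$3
  # openssl x509 reads only the first certificate in a PEM file; it must be the site cert.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  # Verify that first cert; the remaining certs in CERT are offered as untrusted
  # intermediates, and the default CA directory is not consulted (-no-CApath).
  openssl verify -no-CApath -CAfile "$bundle" -untrusted "$cert" "$cert" \
    >/dev/null 2>&1 || return 2
}

# Constructed sample data: a throwaway root -> intermediate -> site PKI in DIR,
# assembled into cert.pem / key.pem / bundle.pem the way steps 1 and 2 describe.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root intermediate site; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=constructed-$n" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 1 -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -days 1 \
    -out "$d/intermediate.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/site.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 1 \
    -out "$d/site.crt" 2>/dev/null &&
  cat "$d/site.crt" "$d/intermediate.crt" > "$d/cert.pem" &&
  cp "$d/root.crt" "$d/bundle.pem" && cp "$d/site.key" "$d/key.pem"
}

# Demo run against the constructed PKI.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
  check_tfe_tls "$demo/cert.pem" "$demo/key.pem" "$demo/bundle.pem" &&
  echo "chain OK"
rm -rf "$demo"
```

A return code of 2 for a cert.pem that holds only the site certificate is the same failure an end user sees when the server does not send the intermediate.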