Problem
After updating the SSL certificate for Terraform Enterprise (TFE) and applying it to all external Terraform agents, workspace runs fail during the Cost Estimation or Sentinel policy check phase. The Plan phase completes successfully.
The affected workspaces use external agents for execution. A review of the atlas logs on the TFE instance reveals the following SSL-related error.
{
  "error": "RestClient::SSLCertificateNotVerified",
  "message": "SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"
}
This error indicates that the Cost Estimation service failed to establish a secure connection because the certificate it was presented with is expired or untrusted, even though the new certificate is active on the external agents.
Prerequisites
- Terraform Enterprise workspace execution mode is set to Agents.
- Cost Estimation or Sentinel is enabled on the workspace.
Cause
Although the workspace is configured to use external agents, the Cost Estimation and Sentinel policy check steps are handled by Terraform Enterprise’s internal agents. These internal agents rely on the bundle.pem file on the TFE server to validate SSL connections.
While the new SSL certificate was correctly applied to the external agents, it was not updated in the bundle.pem file on the TFE host. As a result, the internal agents failed SSL verification because they were referencing an outdated or expired certificate.
Solutions
To resolve the SSL verification issue, you must add the updated certificate to the bundle.pem file on the TFE server. This ensures that TFE’s internal agents can validate SSL connections correctly. Follow the appropriate steps based on your TFE installation method.
Solution 1: Update Certificates for Docker-based Installations
For installations using the Flexible Deployment Option (FDO), such as Docker, update the bundle.pem file according to the certificate requirements.
For detailed steps, refer to the guide, Updating Certificates in Terraform Enterprise (TFE) Docker Based Installation.
Solution 2: Update Certificates for Replicated Installations
To update the bundle.pem file for a Replicated installation, refer to the guide, How to setup Terraform Enterprise with a Certificate Authority (CA) Bundle.
Outcome
After you update the bundle.pem file on the TFE server, the Cost Estimation or Sentinel policy check phase in workspace runs will process successfully.
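A pre-flight check for bundle.pem, added here as an example and not part of HashiCorp's documentation: it reports certificates in the bundle that are already expired (or expire within a chosen window) and confirms that the new certificate's SHA-256 fingerprint is actually present in the bundle. It assumes only the openssl CLI and takes the bundle and certificate paths as arguments.

```shell
#!/bin/sh
# Added example, not from the original article. Requires the openssl CLI.
# Usage: count_expiring /path/to/bundle.pem [seconds]
#        bundle_contains /path/to/bundle.pem /path/to/new-cert.pem

# Split a PEM bundle into one certificate per file in a temp dir; print the dir.
split_bundle() {
  dir=$(mktemp -d)
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", d, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
  ' "$1"
  echo "$dir"
}

# Print the number of certificates in bundle $1 that are expired or will expire
# within $2 seconds (default 0 = already expired). Details go to stderr.
count_expiring() {
  bundle=$1; window=${2:-0}; bad=0
  dir=$(split_bundle "$bundle")
  for c in "$dir"/cert-*.pem; do
    [ -f "$c" ] || continue
    # -checkend exits non-zero when notAfter falls inside the window
    if ! openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1; then
      echo "expiring within ${window}s: $(openssl x509 -in "$c" -noout -subject -enddate)" >&2
      bad=$((bad + 1))
    fi
  done
  rm -rf "$dir"
  echo "$bad"
}

# Exit 0 if the certificate in $2 (matched by SHA-256 fingerprint) is in bundle $1.
bundle_contains() {
  bundle=$1; cert=$2; found=1
  want=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
  dir=$(split_bundle "$bundle")
  for c in "$dir"/cert-*.pem; do
    [ -f "$c" ] || continue
    have=$(openssl x509 -in "$c" -noout -fingerprint -sha256)
    [ "$have" = "$want" ] && found=0
  done
  rm -rf "$dir"
  return $found
}
```

Run both checks on the TFE host before restarting the application: a non-zero count from the first, or a failure from the second, reproduces the condition behind the "certificate has expired" error above.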