Introduction
The purpose of this document is to help users replace the TLS certificate and private key that Terraform Enterprise uses to serve HTTPS connections to clients, using a CLI-based approach, for example as part of a CI/CD flow.
Use Case
It may be necessary to replace the TLS certificate and private key for the following reasons:
- The current TLS certificate is expiring and needs to be updated.
- The current TLS private key needs to be rotated to comply with security processes.
- The TLS certificate and private key need to be changed to update details such as the "Common Name".
Procedure
- Procure new PEM-encoded TLS certificate and private key files. Usually, these are provided by the team that manages TLS certificates in your organization.
- Stop the Terraform Enterprise application by executing:
replicatedctl app stop
(see the note below about the path to the command)
- Wait for the TFE containers to stop (2-30 seconds), then execute:
replicatedctl app status
and wait for the status to be "stopped", as in the example below:
replicatedctl app status
[
{
"AppID": "e037a702be084ad052c3fbde252dfdb6",
"Sequence": 550,
"PatchSequence": 0,
"State": "stopped",
"DesiredState": "stopped",
"Error": "",
"IsCancellable": false,
"IsTransitioning": false,
"LastModifiedAt": "2021-07-21T09:46:39.147345499Z"
}
]
You may need to repeat the status request a couple of times, to be sure.
- Replace the certificate and key by issuing:
replicated console cert set <hostname> /path/to/key /path/to/cert
Notes:
- A different binary is used here: replicated, not replicatedctl.
- Ensure the new TLS certificate and private key files exist in a path on the Terraform Enterprise instance. This path must differ from the existing TLS certificate and private key path. That is, at a minimum, the new TLS certificate and private key filenames must differ from the existing TLS certificate and private key filenames.
- Start the Terraform Enterprise application by executing:
replicatedctl app start
- Wait for the Terraform Enterprise application to fully start.
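The procedure above as a shell wrapper suitable for a CI/CD job, added here as an example and not part of the original article: it parses the "State" field of replicatedctl app status to wait for the stop, checks the new PEM files before the running service is touched, and only then runs the cert set and start steps. The REPLICATEDCTL and REPLICATED variables for the binary paths, the "started" state name for a running app, and the argument order of rotate_cert are assumptions.

```bash
#!/usr/bin/env bash
# Added example: CI wrapper for the TFE certificate rotation procedure above.
# Assumptions: REPLICATEDCTL / REPLICATED point at the two binaries (override
# with full paths on RedHat-based systems); the running app reports "started".
set -eu
REPLICATEDCTL="${REPLICATEDCTL:-replicatedctl}"
REPLICATED="${REPLICATED:-replicated}"

# Extract the top-level "State" value from `replicatedctl app status` JSON.
# Plain sed so it works without jq; "DesiredState" does not match because the
# pattern requires a quote immediately before State.
app_state() {
  printf '%s\n' "$1" | sed -n 's/.*"State": *"\([a-z]*\)".*/\1/p' | head -n 1
}

# Poll `replicatedctl app status` until it reports $1 (a stop can take 2-30 s).
wait_for_state() {
  wanted="$1"; attempts="${2:-30}"; delay="${3:-2}"; i=0
  while [ "$i" -lt "$attempts" ]; do
    [ "$(app_state "$("$REPLICATEDCTL" app status)")" = "$wanted" ] && return 0
    i=$((i + 1)); sleep "$delay"
  done
  echo "app did not reach state '$wanted' after $attempts checks" >&2
  return 1
}

# Pre-flight: both files readable and PEM-encoded, and neither sits at the
# path of the currently configured key/cert (filenames must differ, see note).
check_new_files() {
  key="$1"; cert="$2"; old_key="$3"; old_cert="$4"
  [ -r "$key" ] && [ -r "$cert" ] || { echo "key or cert not readable" >&2; return 1; }
  grep -q 'BEGIN .*PRIVATE KEY' "$key" || { echo "$key is not a PEM key" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert is not a PEM cert" >&2; return 1; }
  [ "$key" != "$old_key" ] && [ "$cert" != "$old_cert" ] \
    || { echo "new paths must differ from the current ones" >&2; return 1; }
}

# Full flow: stop, wait, set cert, start, wait. Usage (assumed argument order):
#   rotate_cert <hostname> /path/to/new.key /path/to/new.crt /path/to/old.key /path/to/old.crt
rotate_cert() {
  check_new_files "$2" "$3" "$4" "$5"        # fail before stopping anything
  "$REPLICATEDCTL" app stop
  wait_for_state stopped
  "$REPLICATED" console cert set "$1" "$2" "$3"
  "$REPLICATEDCTL" app start
  wait_for_state started 60 5                 # "started" is an assumed state name
}

if [ "$#" -eq 5 ]; then rotate_cert "$@"; fi
```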
Additional Information
* For RedHat-based systems, depending on environment settings, you may need to use the full path to replicatedctl and replicated, for example "/usr/local/bin/replicatedctl" and "/usr/local/bin/replicated".