Problem
Terraform Enterprise (TFE) fails to start up, and the logs for the ptfe_vault container show the following error:
Error initializing storage of type postgresql: failed to check for native upsert: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Cause
Starting with TFE release v202107-1, the internal Vault component was upgraded to version 1.7.3. This version of Vault is built with Go version 1.15.
Go 1.15 disabled, by default, the legacy behavior of treating the CommonName field of an X.509 certificate as a hostname when the certificate carries no Subject Alternative Names (SANs). When the TFE configuration uses sslmode=verify-full, Vault must match the PostgreSQL server's name against the certificate, and that match fails if the certificate identifies the host only in its CommonName. The GODEBUG=x509ignoreCN=0 switch named in the error message was a temporary escape hatch in Go 1.15 and 1.16 only; Go 1.17 removed it entirely, so it is not a durable fix even where it can be set.
Solutions
Solution 1: Upgrade the PostgreSQL Server Certificate
The recommended, permanent solution is to re-issue the PostgreSQL server certificate with the Subject Alternative Name (SAN) extension populated. The SAN must contain exactly the value TFE uses to reach the database: a hostname goes in as a DNS name entry, an IP address as an IP address entry, and a certificate that lists a different name or alias still fails verify-full. Keeping the hostname in the CommonName as well is harmless but no longer sufficient on its own. Relying on SANs rather than the CommonName has been the standard since RFC 2818 (section 3.1) deprecated CommonName matching for HTTPS; RFC 6125 generalized the rule to other TLS protocols.
Solution 2: Temporarily Modify the SSL Mode
As a temporary workaround, you can relax the TLS verification by changing the PostgreSQL sslmode connection parameter in the TFE configuration from verify-full to verify-ca.
This setting still encrypts the connection and verifies that the server certificate chains to a trusted Certificate Authority (CA), but it does not check that the certificate was issued for the host TFE is connecting to. Any host holding a valid certificate from the same CA could therefore impersonate the database, which is why verify-ca should be treated as a stopgap: restore verify-full once the certificate has been re-issued as described in Solution 1.
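The following Go program is an added example, not code from HashiCorp, TFE or Vault. It reproduces the check behind the logged error and the difference between the two solutions using Go's own crypto/x509 package (the same library Vault uses): it mints a throwaway CA, issues one server certificate with the hostname only in the CommonName and one with it in the SAN extension, then runs both through chain-plus-hostname verification (the verify-full contract) and chain-only verification (the verify-ca contract). The hostname postgres.example.internal, the CA, and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl; with a nil
// parentKey the certificate is self-signed (used for the throwaway CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed root standing in for the CA that signed the
// PostgreSQL server certificate (constructed for this example).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// newServerCert issues a server certificate for host. The host is always the
// CN; withSAN decides whether it also goes into the SAN extension (dNSName, or
// iPAddress when host parses as an IP). withSAN=false is the legacy
// certificate that triggers the TFE error.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, withSAN bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		if ip := net.ParseIP(host); ip != nil {
			tmpl.IPAddresses = []net.IP{ip}
		} else {
			tmpl.DNSNames = []string{host}
		}
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// hasSAN reports whether the certificate carries any Subject Alternative Name,
// the property a re-issued PostgreSQL certificate must have.
func hasSAN(c *x509.Certificate) bool {
	return len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) > 0
}

// verifyFull is the sslmode=verify-full contract: chain to a trusted CA and be
// valid for host. Go >= 1.15 answers a CN-only cert with x509.HostnameError.
func verifyFull(cert, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyCA is the sslmode=verify-ca workaround: chain only, no hostname check,
// so a CN-only cert passes, and so does a cert from the same CA for any host.
func verifyCA(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	const host = "postgres.example.internal" // assumed database hostname
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	for _, withSAN := range []bool{false, true} {
		cert, err := newServerCert(ca, caKey, host, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN=%-5v verify-full: %v\n", hasSAN(cert), verifyFull(cert, ca, host))
		fmt.Printf("SAN=%-5v verify-ca:   %v\n", hasSAN(cert), verifyCA(cert, ca))
	}
}
```

Running it shows the CN-only certificate failing verify-full with a hostname error while passing verify-ca, and the SAN certificate passing both. Swap the host passed to verifyFull for another name to see that verify-full still rejects a certificate issued for a different host, which verify-ca does not.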