Problem
When structured run output is enabled in Terraform Enterprise, the runs page displays the following error message.
Error fetching plan data. Failed to fetch plan data: 500
Cause
The structured run output feature uses the Terraform Enterprise backend certificates to complete its API requests. This 500 error typically occurs due to a failure to complete the chain of trust when making outbound HTTPS connections. This is often caused by expired or incorrectly configured certificates on the Terraform Enterprise instance.
Solution
To resolve this issue, you must identify and update the expired certificates in your Terraform Enterprise configuration.
Note: For Terraform Enterprise versions prior to v202205-1, use the container name ptfe_atlas instead of tfe-atlas in the following commands.
Procedure
- Connect to your Terraform Enterprise instance and check the application container logs for SSL connection errors. This helps confirm a certificate issue.
  $ sudo docker logs tfe-atlas | grep "SSL_connect"
  An error in the output indicates a certificate verification failure.
  SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) excluded from capture: DSN not set
- If you see an SSL_connect error, run the following command to inspect the certificate chain that Terraform Enterprise is using. Replace <TFE-HOSTNAME> with your instance's hostname.
  $ docker exec -it tfe-atlas openssl s_client -showcerts -connect <TFE-HOSTNAME>:443
- Analyze the output to identify the expired certificate. The verify error message will indicate which certificate in the chain has expired.
  CONNECTED(00000003)
  depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
  verify error:num=10:certificate has expired
  notAfter=Sep 30 14:01:15 2021 GMT
  verify return:1
  depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
  notAfter=Sep 30 14:01:15 2021 GMT
  verify return:1
  ## ...
- Update the certificates in the Terraform Enterprise CA bundle with a valid, non-expired certificate chain.
- Restart the Terraform Enterprise application to apply the certificate changes.
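The analysis in step 3 can be scripted when the chain is long. The following is an added example, not part of the original article or of HashiCorp's tooling: a shell function (chain_verify_errors, a name chosen here) that reads saved openssl s_client output and lists each verify error with its chain depth, error number, reason, expiry date and subject. It goes beyond the expired-certificate case and reports any verify error number; the sample input is constructed from the output shown in step 3.

```shell
#!/bin/sh
# Added example (not HashiCorp code): summarize verify errors found in
# `openssl s_client` output read from stdin. One tab-separated line per
# distinct failure: depth, error number, reason, notAfter (or "-"), subject.
chain_verify_errors() {
  awk '
    function flush() {
      key = depth "|" num
      if (num != "" && !(key in seen)) {
        seen[key] = 1
        printf "%s\t%s\t%s\t%s\t%s\n", depth, num, reason, (na == "" ? "-" : na), subject
      }
      num = ""; reason = ""; na = ""
    }
    { sub(/\r$/, "") }              # output captured through a TTY has CRLF endings
    /^depth=[0-9]+ / {              # start of a new certificate record
      flush()
      depth = $1; sub(/^depth=/, "", depth)
      subject = $0; sub(/^depth=[0-9]+ /, "", subject)
      next
    }
    /^verify error:num=[0-9]+:/ {   # e.g. num=10:certificate has expired
      flush()
      num = $0; sub(/^verify error:num=/, "", num)
      reason = num; sub(/^[0-9]+:/, "", reason)
      sub(/:.*/, "", num)
      next
    }
    /^notAfter=/ && num != "" { na = $0; sub(/^notAfter=/, "", na) }
    END { flush() }
  '
}

# Constructed sample: the openssl output shown in step 3 of this article.
sample_s_client_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
EOF
}

sample_s_client_output | chain_verify_errors
```

An empty result after the CA bundle update and restart corresponds to the clean openssl run described under Outcome.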
Outcome
After the application restarts, the containers will use the updated certificates. You can verify that the issue is resolved by running the openssl command from step 2 again. The command should now complete without any verify error messages, and the structured run output feature should function correctly.