Problem
When structured run output is enabled, the runs page displays "Error fetching plan data. Failed to fetch plan data: 500".
Cause
The structured run output uses the Terraform Enterprise backend certificates to complete this API request. The 500 error typically occurs when the chain of trust cannot be completed for outbound HTTPS connections because certificates on the Terraform Enterprise backend are expired or incorrectly configured.
Solution
To determine the cause of the issue, search the logs of the ptfe_atlas container (for Terraform Enterprise v202205-1 and later, the container is called tfe-atlas) for SSL_connect.
$ sudo docker logs ptfe_atlas | grep "SSL_connect"
For Terraform Enterprise v202205-1 or later:
$ sudo docker logs tfe-atlas | grep "SSL_connect"
It may produce an error similar to the following:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired) excluded from capture: DSN not set
If there is an SSL_connect error, run the following command to identify which certificate is failing verification.
$ docker exec -it ptfe_atlas openssl s_client -showcerts -connect <TFE-HOSTNAME>:443
For Terraform Enterprise v202205-1 or later:
$ docker exec -it tfe-atlas openssl s_client -showcerts -connect <TFE-HOSTNAME>:443
In the example output below, the verify error shows that the root certificate has expired. The Terraform Enterprise application needs updated certificates in its CA bundle to resolve this issue. Once the certificates have been updated, restart the application so the containers pick up the updated certificates. After the restart completes, run the openssl command again to verify that the errors are resolved.
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
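The following shell function is an added example, not part of the original article or any HashiCorp tooling. It reads openssl s_client output on stdin and prints one line per certificate that failed verification, using the output above as sample input; the function name summarize_verify_errors is chosen here for illustration.

```shell
#!/bin/sh
# Added example (not HashiCorp code): summarize certificate verification
# failures found in `openssl s_client` output read from stdin.
# Prints: depth | subject | error | notAfter   (one line per failing cert)
# Returns 1 if any certificate failed verification, 0 otherwise.
summarize_verify_errors() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF from a TTY session
        /^depth=[0-9]+ / {                 # start of one certificate record
            depth = $1
            subject = $0; sub(/^depth=[0-9]+ /, "", subject)
            next
        }
        /^verify error:num=[0-9]+:/ {      # this certificate failed a check
            err = $0; sub(/^verify error:/, "", err)
            failed = 1
            next
        }
        /^notAfter=/ { if (failed) notafter = $0; next }
        /^verify return:/ {                # end of record: report failures only
            if (failed) {
                if (notafter == "") notafter = "notAfter=unknown"
                print depth " | " subject " | " err " | " notafter
                total++
            }
            failed = 0; err = ""; notafter = ""
            next
        }
        END { exit (total > 0 ? 1 : 0) }
    '
}

# Sample input: the verify output shown in this article.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1'

# Live use: openssl writes the verify lines to stderr, so merge the streams:
#   docker exec -i tfe-atlas openssl s_client -showcerts \
#     -connect <TFE-HOSTNAME>:443 2>&1 </dev/null | summarize_verify_errors
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_verify_errors || true
```

An empty result with exit status 0 after the certificates are updated and the application is restarted indicates the chain now verifies.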
Additional Information
- For additional questions, please contact HashiCorp Support.