Introduction
When using a remote backend in Terraform so that runs are handled by Terraform Enterprise, and Terraform Enterprise is configured with a custom Certificate Authority (CA), client commands that connect to Terraform Enterprise, such as terraform login, fail with x509: certificate signed by unknown authority or x509: certificate is not trusted.
Cause
Due to the way SSL/TLS works, when Terraform Enterprise is configured with a custom Certificate Authority, any client connecting to it must also trust that CA in order to validate the server certificate. For the Terraform CLI, this means that the machine running the terraform command must have the Terraform Enterprise CA in its trust store.
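As an added illustration of this cause (not code from the article or from HashiCorp), the Go program below uses the same crypto/x509 package the Terraform CLI is built on: it verifies a server certificate against an explicit CA pool, which is left empty to reproduce the missing-CA case and is otherwise loaded from a PEM bundle such as the exported tfe-certs.pem. The CA, server certificate and host name are constructed fixtures, not real Terraform Enterprise material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// verifyWithBundle checks a PEM server certificate against a PEM CA bundle (e.g. the exported tfe-certs.pem).
// The pool is always explicit: an empty bundle behaves like a client missing the CA and yields x509.UnknownAuthorityError.
func verifyWithBundle(leafPEM, bundlePEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("no PEM block found in server certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // never nil: a nil Roots would silently fall back to the OS trust store
	if len(bundlePEM) > 0 && !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("CA bundle contains no parseable certificates")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// makeCAAndLeaf is a constructed fixture: a throwaway CA plus a server certificate it signs,
// standing in for the Terraform Enterprise CA and TLS certificate. It panics on failure.
func makeCAAndLeaf(host string) (caPEM, leafPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed TFE CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err1 != nil || err2 != nil {
		panic("fixture certificate creation failed")
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER)
}
```

To check a real deployment without touching the trust store, save the server certificate as PEM (for example from openssl s_client -showcerts) and pass it together with the exported bundle to verifyWithBundle.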
Solution
To ensure network traffic to Terraform Enterprise passes SSL/TLS validation, the client machine must add the Terraform Enterprise CA to its certificate trust store. The location of this trust store depends on the host OS. Once the store contains the new Certificate Authority, the terraform commands should work as expected.
Windows
- Download the Terraform Enterprise CA certificate in PFX format to the client machine. To do this, export the CA certificates from Terraform Enterprise with replicatedctl app-config export --template '{{.ca_certs.Value}}' > tfe-certs.pem. (The PEM-formatted CA certificate can be converted to PFX with openssl pkcs12 -export -in ca.pem -out ca.pfx.)
- Click Start, type mmc, and press Enter.
- Click Yes; this starts the Microsoft Management Console.
- Select File -> Add/Remove Snap-in.
- Under Available snap-ins, select Certificates. Click Add.
- Select Computer account, then click Next.
- Click Finish, and click OK.
- Expand Certificates, right-click Trusted Root Certification Authorities, and select All Tasks -> Import.
- Click Next.
- Click Browse, select your root CA certificate from Step 1. Click Open.
- Click Next -> Next -> Finish.
- When the "The import was successful" message is displayed, click OK.
- Select File -> Save -> Save.
- Close the Microsoft Management Console.
Mac OS
- Download the Terraform Enterprise CA certificate in DER format to the client machine. (The PEM-formatted CA certificate can be converted with openssl x509 -inform PEM -in ca.pem -outform DER -out ca.cer.) In this example, the file is in the Downloads folder. If the certificate is located in a different folder, change to that folder in the Terminal before running the command that adds the certificate.
- Click Launchpad, type terminal in the search field, and click the Terminal icon.
- In Terminal, run cd ~/Downloads.
- Run sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt. In this example, the root CA certificate is named ca.crt. If the certificate has a different file name, change it in the command before running it.
- Type your password and press Return.
- Close the Terminal.
Linux
Note: This assumes the Linux distribution uses ca-certificates as its trust store. This includes all flavors of Linux supported by Terraform Enterprise, including Red Hat-based and Debian-based distributions, among others.
- Download the Terraform Enterprise CA certificate in DER format to the client machine. (The PEM-formatted CA certificate can be converted with openssl x509 -inform PEM -in ca.pem -outform DER -out ca.cer.) In this example, the file is in the Downloads folder. If the certificate is located in a different folder, change the path before running the cp command that adds the certificate to the trust store.
- Open a command-line terminal.
- Copy the CA certificate into the store with sudo cp ~/Downloads/ca.crt /etc/pki/ca-trust/source/anchors/tfe-ca.crt. In this example, the root CA certificate is named ca.crt and is copied into a file named tfe-ca.crt. If the certificate has a different file name, or the destination file should be named differently, change the names in the command before running it.
- Run sudo update-ca-trust.
Additional Information
Please visit this article for more information on how to download the Terraform Enterprise CA certificate: https://support.hashicorp.com/hc/en-us/articles/6631777789971-Tracing-SSL-certificate-chain-issues-in-Terraform-Enterprise
