Terraform Enterprise Error: certificate verify failed (certificate has expired)
Problem
When using Terraform Enterprise with a Let's Encrypt certificate, you may encounter the following issues:
- The Runs page in the UI displays the error: Error fetching plan data. Failed to fetch plan data: 500.
- Terraform Enterprise is unable to connect to integrated Version Control Systems (VCS).
The ptfe_atlas container logs show errors indicating a certificate verification failure.
{:error=>"RestClient::SSLCertificateNotVerified", :id=>244700, :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"}
...
{:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"}
Cause
Starting with Terraform Enterprise v202201-1 (594), the application no longer accepts the Let's Encrypt ISRG Root X1 certificate that is cross-signed by the expired DST Root CA X3 root certificate. The system's certificate chain must be updated to use the newer, self-signed ISRG Root X1 certificate.
Solution
To resolve this issue, you must update the system with a new Let's Encrypt certificate chain that is signed by the self-signed ISRG Root X1 certificate.
If you use certbot to manage certificates, run the following command to prefer the new ISRG Root X1 certificate chain. Replace the placeholder variables with your specific values.
$ certbot certonly \
--preferred-chain "ISRG Root X1" \
--standalone \
--agree-tos \
--non-interactive \
--email ${email} \
--domain ${fqdn}
After generating the new certificate, follow the instructions in the Update TLS Certificates guide to apply the updated certificate to your Terraform Enterprise instance.
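Before applying the reissued certificate, you can confirm that the bundle no longer contains a certificate issued by DST Root CA X3. The script below is an added example, not part of the original article or of Terraform Enterprise; the function names `chain_names` and `classify_chain` and the bundle path you pass in are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check whether a PEM bundle
# still contains a certificate issued by the expired DST Root CA X3.

# Print subject=/issuer= pairs for every certificate in the bundle at $1.
chain_names() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Read subject=/issuer= pairs on stdin and classify the chain.
# Exit status: 0 = no DST Root CA X3 issuer, 1 = legacy cross-signed chain,
#              2 = no certificates found in the input.
classify_chain() {
  awk '
    /^subject=/ { subj = substr($0, 9); next }
    /^issuer=/  {
      n++
      iss = substr($0, 8)
      printf "cert %d: %s <- issued by %s\n", n, subj, iss
      # Tolerate both "CN = X" and "CN=X" name formats across OpenSSL versions.
      if (iss ~ /CN *= *DST Root CA X3(,|$)/) {
        legacy++
        printf "  LEGACY: cross-signed by the expired DST Root CA X3\n"
      }
    }
    END {
      if (n == 0) { print "no certificates found"; exit 2 }
      if (legacy) { print "RESULT: reissue with --preferred-chain \"ISRG Root X1\""; exit 1 }
      print "RESULT: chain does not depend on DST Root CA X3"
    }
  '
}

# Usage: sh check_chain.sh <path to the PEM bundle, e.g. the fullchain file certbot wrote>
if [ "$#" -gt 0 ]; then
  chain_names "$1" | classify_chain
fi
```

A non-zero exit status means the bundle should not be applied yet: 1 indicates the legacy cross-signed chain is still present, 2 indicates the file contained no certificates.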