Problem
When TFE, or a VCS integrated with TFE, uses a Let's Encrypt certificate, the following errors may occur:
- The Runs page displays:
Error fetching plan data. Failed to fetch plan data: 500 - Unable to connect to VCS
- The following errors appear in the ptfe_atlas container logs:
{:error=>"RestClient::SSLCertificateNotVerified", :id=>244700, :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"}
...
{:exception=>"Faraday::SSLError", :message=>"SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"
Cause
Starting with TFE Release v202201-1 (594), TFE does not accept a Let's Encrypt ISRG Root X1 certificate that is cross-signed by the expired DST Root CA X3 root certificate.
Solution
The system must be updated with a new Let's Encrypt certificate chain that is signed by the new, self-signed ISRG Root X1 certificate.
If certbot is used, the command below requests a certificate that prefers the new ISRG Root X1 chain:
certbot certonly --preferred-chain "ISRG Root X1" --standalone --agree-tos --non-interactive --email ${email} --domain ${fqdn}
Please follow the instructions in this article to update the TFE certificate.
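To confirm which chain a certificate file carries before installing it in TFE, the following added example (not part of the original article or of HashiCorp's tooling) classifies the subject/issuer listing that openssl prints for a PEM chain. The function name classify_chain is hypothetical, and the two sample listings and the hostname tfe.example.com are constructed.

```shell
#!/bin/sh
# Added example. Classifies a Let's Encrypt chain from the subject=/issuer=
# listing produced by:
#   openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout
# certbot's default location is /etc/letsencrypt/live/${fqdn}/fullchain.pem.

# classify_chain (hypothetical name) reads the listing on stdin and prints:
#   cross-signed-dst-x3  ISRG Root X1 appears as a cert issued by DST Root CA X3
#   isrg-root-x1         chain is issued under ISRG Root X1 with no cross-sign
#   unknown              neither name appears
classify_chain() {
  awk '
    /^subject=/ { subj = $0 }   # remember the subject of the current cert
    /^issuer=/  {
      if (subj ~ /ISRG Root X1/ && $0 ~ /DST Root CA X3/) cross = 1
      if ($0 ~ /ISRG Root X1/) isrg = 1
    }
    END {
      if (cross)     print "cross-signed-dst-x3"
      else if (isrg) print "isrg-root-x1"
      else           print "unknown"
    }'
}

# Constructed sample: chain that still includes the cross-signed ISRG Root X1.
old_chain() { cat <<'EOF'
subject=CN = tfe.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Constructed sample: chain that stops at the intermediate issued by ISRG Root X1.
new_chain() { cat <<'EOF'
subject=CN = tfe.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

printf 'old chain: %s\n' "$(old_chain | classify_chain)"
printf 'new chain: %s\n' "$(new_chain | classify_chain)"
```

A result of cross-signed-dst-x3 means the file still carries the chain that TFE rejects and the certificate should be reissued with the preferred chain.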
Outcome
If the issue persists after using the updated certificate, please reach out to HashiCorp support for additional assistance.