Problem
After upgrading Terraform Enterprise to 1.1.0, the application fails to start. The startup logs show the TLS startup check failed with an error resembling the following:
terraform-enterprise: check failed: name=tls duration="142.014µs" err="failed to validate TLS configuration: CA bundle contains expired certificate: certificate expired on 2023-11-23T22:30:44Z"
Prerequisites
- Terraform Enterprise 1.1.0 or later
Cause
Terraform Enterprise 1.1.0 adds requirements to the TLS certificates startup check: every certificate in the CA bundle must be within its validity period (neither expired nor not yet valid). As of this release, if any certificate in the CA bundle fails to meet that criterion, the startup check fails.
Solution(s)
To resolve this issue, identify the expired certificate in the bundle. Run the following commands to extract each certificate in the bundle to its own file and display the details of each one.
# Split the bundle into cert1.pem, cert2.pem, ... in bundle order
awk 'BEGIN {c=0} /-----BEGIN CERTIFICATE-----/ {c++}
{print > ("cert" c ".pem")}' /path/to/bundle.pem
# Print the details (including the Validity dates) of each extracted certificate
for f in cert*.pem; do
  echo "==== $f ===="
  openssl x509 -in "$f" -text -noout
done
The output displays each certificate's details along with its indexed file name, which shows where in the bundle the certificate appears. To resolve the issue, replace the expired certificate with a valid one, or remove it entirely if it is no longer needed. After the bundle has been fixed, restart Terraform Enterprise and the startup check should no longer fail.
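As an added example (not part of the original article or of Terraform Enterprise), the bash function below uses the same split-and-inspect approach but prints one summary line per certificate and marks the expired ones with openssl x509 -checkend. The function name check_bundle and its optional look-ahead argument are assumptions made for this example; it flags expiry only and prints notBefore so that not-yet-valid certificates can be spotted by eye.

```shell
#!/usr/bin/env bash
# Added example: summarize every certificate in a CA bundle and flag expired ones.
# Usage: check_bundle /path/to/bundle.pem [WITHIN_SECONDS]
# Returns 0 if all certificates pass, 1 if any is flagged, 2 on a usage error.
check_bundle() {
  local bundle=$1 within=${2:-0} tmp f i=0 rc=0 start end subj status
  [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 2; }
  tmp=$(mktemp -d) || return 2

  # One file per certificate, zero-padded so the glob keeps bundle order.
  # Text outside the BEGIN/END markers (comments, blank lines) is skipped.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"

  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || break   # the bundle contained no certificates
    i=$((i + 1))
    start=$(openssl x509 -in "$f" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
    subj=$(openssl x509 -in "$f" -noout -subject)
    # -checkend N exits non-zero when the certificate expires within N seconds;
    # N=0 therefore means "already expired". Unparseable entries also fail.
    if openssl x509 -in "$f" -noout -checkend "$within" >/dev/null 2>&1; then
      status=OK
    else
      status=FAIL
      rc=1
    fi
    printf '%3d  %-4s  notBefore=%s  notAfter=%s  %s\n' \
      "$i" "$status" "$start" "$end" "$subj"
  done
  rm -rf "$tmp"
  return "$rc"
}
```

Passing a look-ahead such as 2592000 (30 days) as the second argument also flags certificates that are still valid but will trip the startup check soon.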