Problem
After an upgrade to Terraform Enterprise 1.1.0 or later, the application fails to start. The startup logs contain a TLS check failure similar to the following error message.
terraform-enterprise: check failed: name=tls duration="142.014µs" err="failed to validate TLS configuration: CA bundle contains expired certificate: certificate expired on 2023-11-23T22:30:44Z"
Prerequisites
- Terraform Enterprise 1.1.0 or later
Cause
Terraform Enterprise 1.1.0 introduced a stricter TLS Certificates check during startup. This check validates that every certificate within the configured CA bundle is currently valid and not expired. If the CA bundle contains one or more expired certificates, the startup check fails and prevents the application from starting.
Solutions
Solution 1: Identify and Remove the Expired Certificate
To resolve this issue, you must identify and remove the expired certificate from your CA bundle file.
- Split the CA bundle into individual certificate files. This command uses awk to create a separate .pem file for each certificate in your bundle, such as cert1.pem, cert2.pem, and so on.
    awk 'BEGIN {c=0} /-----BEGIN CERTIFICATE-----/ {c++} {print > ("cert" c ".pem")}' /path/to/bundle.pem
- Iterate through the generated certificate files and display their details using openssl. This allows you to inspect the validity period for each certificate.
    for f in cert*.pem; do
      echo "==== $f ===="
      openssl x509 -in "$f" -text -noout
    done
- Review the output to identify the certificate that has expired. Once identified, remove it from your original CA bundle file or replace it with a valid certificate if required.
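The three steps above can be combined into one pass. The script below is an added example, not HashiCorp's tooling: it splits the bundle, tests each certificate with openssl x509 -checkend, and writes the passing certificates to a new file while leaving the original untouched. The function name prune_bundle, the output path argument, and the optional window argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article).
# Usage: prune_bundle BUNDLE OUT [WINDOW_SECONDS]
#   WINDOW_SECONDS (assumed parameter): 0 drops only certificates that have
#   already expired; a larger value also drops those expiring within that window.
# Prints the number of dropped certificates on stdout, details on stderr.
prune_bundle() (
  bundle=$1; out=$2; window=${3:-0}
  tmp=$(mktemp -d) || exit 2

  # Split as in step 1, but keep only the lines between the BEGIN/END markers
  # and zero-pad the index so the glob below preserves bundle order.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { c++; f = sprintf("%s/cert%03d.pem", dir, c); keep = 1 }
    keep { print > f }
    /-----END CERTIFICATE-----/   { keep = 0; close(f) }
  ' "$bundle"

  : > "$out"
  dropped=0
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || continue
    info=$(openssl x509 -in "$f" -noout -subject -enddate 2>/dev/null | tr '\n' ' ')
    # -checkend N exits non-zero if the certificate expires within N seconds.
    # A block that openssl cannot parse also fails here and is reported.
    if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
      cat "$f" >> "$out"
    else
      echo "DROP ${info:-unparseable certificate block}" >&2
      dropped=$((dropped + 1))
    fi
  done

  rm -rf "$tmp"
  echo "$dropped"
)

# Run directly: sh prune_bundle.sh /path/to/bundle.pem /path/to/bundle.clean.pem
if [ "$#" -ge 2 ]; then prune_bundle "$@"; fi
```

Review the DROP lines before replacing the configured bundle with the cleaned file, since a dropped CA may need a renewed certificate rather than removal.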
Outcome
After you correct the CA bundle and restart the application, Terraform Enterprise starts successfully without the TLS check failure.