Problem
When running terraform init in an environment that uses a network proxy, the command fails during provider installation with an x509: certificate signed by unknown authority error.
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
Error: Failed to query available provider packages
Could not retrieve the list of available versions for provider hashicorp/aws: could not query provider registry for registry.terraform.io/hashicorp/aws: failed to retrieve authentication checksums for provider: Get "https://registry.terraform.io/.well-known/terraform.json": x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "...")
Prerequisites
- Terraform is configured to run behind a corporate proxy that performs TLS inspection (also known as SSL/TLS interception).
Cause
This error occurs because the machine running Terraform does not trust the Certificate Authority (CA) that the network proxy uses to re-sign TLS certificates. When the proxy intercepts the HTTPS connection to the Terraform Registry (registry.terraform.io), it presents a new certificate to Terraform. If the CA that signed the proxy's certificate is not in the system's trusted certificate store, Terraform cannot validate the connection and terminates it with a certificate error.
Solution
The solution is to install the proxy's root Certificate Authority (CA) certificate into the system's trusted certificate store on the machine where you run Terraform. You may need to consult your network administration or security team to obtain the correct root CA certificate.
The installation procedure varies by operating system.
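To see why the trust-store fix works, and why the error above carries the "parent certificate cannot sign this kind of certificate" hint when the wrong file is installed, here is an added Go example (not Terraform's or HashiCorp's code) that reproduces offline the crypto/x509 chain validation Terraform's HTTP client performs, using constructed certificates. The names Corp Proxy Root CA, mkCert and verifyRegistryCert are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test cert with subject CN cn; parent == nil means self-signed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // encode CA:TRUE / CA:FALSE explicitly
	}
	if !isCA { tmpl.DNSNames = []string{cn} }        // hostname the proxy's re-signed leaf must carry
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyRegistryCert runs the same crypto/x509 chain validation Terraform's Go HTTP client
// applies to the certificate the proxy presents. The explicit pool stands in for the OS
// trust store; because it is non-nil, the real system roots are never consulted.
func verifyRegistryCert(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted { pool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "registry.terraform.io"})
	return err
}

func main() {
	proxyRoot, rootKey := mkCert("Corp Proxy Root CA", true, nil, nil)
	leaf, _ := mkCert("registry.terraform.io", false, proxyRoot, rootKey)
	notCA, _ := mkCert("Corp Proxy Root CA", false, nil, nil) // same name as the root, but CA:FALSE
	fmt.Println("store lacks proxy CA:   ", verifyRegistryCert(leaf))            // unknown authority
	fmt.Println("store has non-CA cert:  ", verifyRegistryCert(leaf, notCA))     // ...with "cannot sign" hint
	fmt.Println("store has proxy root CA:", verifyRegistryCert(leaf, proxyRoot)) // <nil>
}
```

The middle case shows that a certificate merely named like the root but marked CA:FALSE does not satisfy the check and yields exactly the hint seen in the error: what goes into the trust store must be the proxy's actual root CA certificate.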
Outcome Validation
After installing the root CA certificate, you can verify that the system correctly trusts the connection to the Terraform Registry through the proxy. Run the following curl command, replacing the placeholder values with your proxy's details. A successful connection will return a JSON response.
$ curl --proxy http://proxy.example.com:8080 -U user:password https://registry.terraform.io/
Once the curl command succeeds, run terraform init again. It should now be able to download providers without certificate errors.
Additional Information
For more details on provider installation, please refer to the official Terraform documentation on provider sources and network configurations.