Problem
When you configure Terraform Enterprise with an external PostgreSQL database that requires SSL with verify-full or verify-ca modes, you must ensure Terraform Enterprise can access the entire certificate chain to establish a secure connection.
Procedure
- Add the complete certificate chain, including the root and any intermediate certificates, to the CA Bundle that you provide to Terraform Enterprise.
- Set the pg_extra_params configuration parameter to specify the SSL mode and the path to the root certificate. The following example uses verify-ca.

      "pg_extra_params": { "value": "sslmode=verify-ca&sslrootcert=/etc/ssl/certs/ca-certificates.crt" }

- Note the location of the certificate bundle, which varies based on your installation mode. Terraform Enterprise automatically places the provided certificates in these locations, making them accessible to the application for authenticating to PostgreSQL.
  - Standard Installation: The bundle is typically located at /etc/ssl/certs/ca-certificates.crt or /tmp/cust-ca-certificates.crt.
  - Consolidated Services Mode: The bundle is located at /etc/ssl/private/terraform-enterprise/bundle.pem. Refer to the consolidated services documentation for more details.
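
The following pre-flight check is an added example, not part of the original procedure or of Terraform Enterprise. It takes the pg_extra_params value and confirms that the bundle named by sslrootcert validates the PostgreSQL server certificate without help from any other trust store. The function names pg_param and check_pg_ssl are hypothetical, and the script assumes the openssl CLI (1.1.0 or later) and a PEM copy of the server's leaf certificate.

```shell
#!/bin/sh
# Added example (not HashiCorp code). Requires the openssl CLI, 1.1.0 or later.

# pg_param PARAMS KEY: print the value of KEY from an "a=b&c=d" string.
pg_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# check_pg_ssl PARAMS SERVER_CERT
#   PARAMS      the "value" string of pg_extra_params
#   SERVER_CERT PEM file holding the PostgreSQL server's leaf certificate
# Returns 0 only when sslmode verifies the server and the file named by
# sslrootcert validates SERVER_CERT by itself, which requires the root and
# every intermediate to be present in that file.
check_pg_ssl() {
    mode=$(pg_param "$1" sslmode)
    bundle=$(pg_param "$1" sslrootcert)
    case "$mode" in
        verify-ca|verify-full) ;;
        *) echo "sslmode '$mode' does not verify the server certificate" >&2
           return 2 ;;
    esac
    if [ ! -r "$bundle" ]; then
        echo "sslrootcert '$bundle' is missing or unreadable" >&2
        return 3
    fi
    # -no-CApath keeps the system trust directory out of the decision, so only
    # the bundle's contents can complete the chain.
    if ! openssl verify -no-CApath -CAfile "$bundle" "$2" >/dev/null 2>&1; then
        echo "chain incomplete: $bundle does not validate $2" >&2
        return 1
    fi
    echo "ok: $bundle validates $2 (sslmode=$mode)"
}

# Stand-alone use: script.sh 'sslmode=verify-ca&sslrootcert=/path' server.pem
if [ "$#" -eq 2 ]; then check_pg_ssl "$1" "$2"; fi
```

Run it where the sslrootcert path resolves to the bundle Terraform Enterprise actually uses for your installation mode. Exit code 1 means a root or intermediate certificate is missing from the bundle.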