Introduction
When setting the PostgreSQL SSLMode to "verify-full" or "verify-ca", ensure the entire certificate chain is included in the CA Bundle.
Procedure
- Add the certificate to the CA Bundle with the other certificates.
- For the extra parameter, use the following code:
  "pg_extra_params": { "value": "sslmode=verify-ca&sslrootcert=/etc/ssl/certs/ca-certificates.crt" }
- The certificates in the Terraform Enterprise bundle are automatically put into the /etc/ssl/certs/certs.pem file by the application. So, using this setting will allow the application to access the certificates it needs to authenticate to PostgreSQL.
- Note that in consolidated services mode, the bundle is located at /etc/ssl/private/terraform-enterprise/bundle.pem.
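To confirm that a CA bundle carries the whole chain before pointing sslrootcert at it, the following added example (not part of the original article or of Terraform Enterprise) builds a throwaway root, intermediate and server certificate and compares an intermediate-only bundle with the full chain. It assumes the openssl command-line tool is installed and uses "openssl verify" as a stand-in for the client-side chain check; every name and certificate in it is constructed.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed at run time.

# bundle_verifies BUNDLE CERT: succeed only if CERT chains to a root in BUNDLE.
# Assumption: "openssl verify" stands in for the chain check behind verify-ca.
bundle_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# new_csr DIR NAME CN: throwaway RSA key plus certificate signing request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_demo_chain DIR: constructed root -> intermediate -> server certificate.
make_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA" &&
  openssl x509 -req -in "$d/root.csr" -days 2 -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  new_csr "$d" inter "Demo Intermediate CA" &&
  openssl x509 -req -in "$d/inter.csr" -days 2 -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/inter.pem" 2>/dev/null &&
  new_csr "$d" server "db.example.internal" &&
  openssl x509 -req -in "$d/server.csr" -days 2 -CA "$d/inter.pem" \
    -CAkey "$d/inter.key" -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# check_bundles: compare an intermediate-only bundle with the full chain.
check_bundles() {
  tmp=$(mktemp -d) || return 1
  make_demo_chain "$tmp" || { rm -rf "$tmp"; return 1; }
  cat "$tmp/inter.pem" "$tmp/root.pem" > "$tmp/full.pem"
  partial=fail; full=fail
  bundle_verifies "$tmp/inter.pem" "$tmp/server.pem" && partial=ok
  bundle_verifies "$tmp/full.pem" "$tmp/server.pem" && full=ok
  rm -rf "$tmp"
  echo "intermediate-only=$partial full-chain=$full"
}

check_bundles
```

To test a real deployment, call bundle_verifies with the actual bundle path and a copy of the PostgreSQL server's certificate.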
Additional Information
- Terraform Enterprise: Order of certificates in SSL cert files
- Tracing SSL certificate chain issues in Terraform Enterprise
- The ca_certs chain gets injected under /tmp/cust-ca-certificates.crt or /etc/ssl/certs/ca-certificates.crt and /etc/ssl/private/terraform-enterprise/bundle.pem (consolidated services mode)