Introduction
When Terraform Enterprise is installed and a self-signed certificate is used during installation to secure communication between your browser and the TFE management console, your browser shows a warning every time you access the management console and the TFE application. You can, however, choose to proceed past the warning in your browser.
Problem
If you run Terraform using the CLI-driven workflow, you will be presented with an error like the one below:
$ terraform login 172.31.21.2
│ Error: Service discovery failed for 172.31.21.2
│ Failed to request discovery document: Get "https://172.31.21.2/.well-known/terraform.json": x509: certificate signed by unknown authority.
or
$ terraform login 172.31.21.2
│ Error: Service discovery failed for 172.31.21.2
│ Failed to request discovery document: Get "https://172.31.21.2/.well-known/terraform.json": x509:172.31.21.2 certificate is not trusted.
The exact error text may differ slightly depending on the operating system you use to run the Terraform CLI.
Cause
Terraform Enterprise is configured with a TLS certificate that is not trusted by the local machine where you run the Terraform CLI.
Solution
On a default installation, SSH to the TFE server, change to /var/lib/replicated/secrets, and run `ls -la`.
You will see several certificates and keys. Secure copy (scp) the .crt file whose name starts with pkix and ends with .crt to your local machine and add it to your certificate store. Copy the .crt file that corresponds to the hostname set in your management console. For example, if you set your hostname in the TFE Management Console to 172.31.21.2, copy the file `pkix-172.31.21.2.host.crt` to your local machine.
Once you have the cert file add it to your local machine using the following steps:
Windows
- Click Start, type mmc, and press Enter.
- Click Yes; this starts the Microsoft Management Console.
- Select File -> Add/Remove Snap-in.
- Under Available snap-ins, select Certificates. Click Add.
- Select Computer account, then click Next.
- Click Finish, and click OK.
- Expand Certificates, right-click Trusted Root Certification Authorities, and select All Tasks -> Import.
- Click Next.
- Click Browse, select your root CA certificate from Step 1. Click Open.
- Click Next -> Next -> Finish.
- When the "import was successful" message is displayed, click OK.
- Select File -> Save -> Save.
- Close the Microsoft Management Console.
Mac
1. Go to Applications > select Keychain Access.
2. On the top right corner, click File > Import Items > select the certificate.
3. You will be asked to authenticate with a password or fingerprint; the certificate is then imported.
4. Close Keychain Access and open it again. Find the newly imported certificate and double-click it, expand Trust, and select 'Always Trust' on the line that says 'When using this certificate'.
Linux
This assumes the Linux distribution uses ca-certificates as its trust store. This includes all flavors of Linux supported by Terraform Enterprise, including Red Hat-based, Debian-based, and more.
- Open a command-line terminal.
- Copy the CA certificate into the store location /etc/pki/ca-trust/source/anchors/pkix-172.31.21.2.host.crt. In this example, the certificate is named `pkix-172.31.21.2.host.crt` and is copied into a file named `pkix-172.31.21.2.host.crt`. If the certificate has a different file name or the destination file should be named differently, be sure to change it in the command before running it.
- Run `sudo update-ca-trust`.
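The Linux steps above as a worked shell script. This is an added example, not code from the article or from HashiCorp. It picks the anchors directory for the distribution family (the Red Hat layout used in the steps above, or the Debian family's /usr/local/share/ca-certificates with update-ca-certificates, which the article does not show), refuses a file whose name does not follow the article's pkix-<hostname>.host.crt naming or that is not PEM, and then copies the file and rebuilds the bundle. The function names, the optional ROOT scratch prefix (used only to exercise the script without touching the real system store), and the fingerprint helper are my additions.

```shell
#!/bin/sh
# Added example (not part of the HashiCorp article or Terraform Enterprise):
# install the TFE certificate copied from /var/lib/replicated/secrets into the
# local Linux trust store, choosing the path for the distribution family.
# Assumptions: the file is PEM-encoded and named pkix-<hostname>.host.crt, as
# in the article's example; the optional ROOT argument is a scratch prefix
# used for testing and is empty on a real machine.

# Refuse files that do not look like the certificate for this TFE hostname.
check_tfe_cert() {
  cert="$1"; host="$2"
  [ -f "$cert" ] || { echo "no such file: $cert" >&2; return 1; }
  case "$(basename "$cert")" in
    "pkix-$host.host.crt") ;;
    *) echo "$cert does not match pkix-$host.host.crt" >&2; return 1 ;;
  esac
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "$cert is not a PEM certificate" >&2; return 1; }
}

# SHA-256 fingerprint of the copied file; compare it with the fingerprint of
# the certificate the TFE server actually presents before trusting it.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Print the anchors directory for this host's trust store, or fail if none
# of the known layouts is present under ROOT.
ca_anchor_dir() {
  root="${1:-}"
  if [ -d "$root/etc/pki/ca-trust/source/anchors" ]; then
    printf '%s\n' "$root/etc/pki/ca-trust/source/anchors"   # Red Hat family
  elif [ -d "$root/usr/local/share/ca-certificates" ]; then
    printf '%s\n' "$root/usr/local/share/ca-certificates"   # Debian family
  else
    return 1
  fi
}

# The command that rebuilds the bundle after a file lands in the anchors dir.
ca_update_cmd() {
  case "$1" in
    */etc/pki/ca-trust/source/anchors) echo update-ca-trust ;;
    */usr/local/share/ca-certificates) echo update-ca-certificates ;;
    *) return 1 ;;
  esac
}

# install_tfe_cert CERT HOSTNAME [ROOT]
install_tfe_cert() {
  cert="$1"; host="$2"; root="${3:-}"
  check_tfe_cert "$cert" "$host" || return 1
  dir="$(ca_anchor_dir "$root")" \
    || { echo "no ca-certificates trust store found" >&2; return 1; }
  cmd="$(ca_update_cmd "$dir")" || return 1
  if [ -n "$root" ]; then
    # Scratch prefix: copy the file but do not touch the real system bundle.
    cp "$cert" "$dir/" || return 1
    echo "would run: sudo $cmd"
  else
    sudo cp "$cert" "$dir/" || return 1
    sudo "$cmd" || return 1
  fi
}

# Stand-alone use: ./install_tfe_cert.sh ~/pkix-172.31.21.2.host.crt 172.31.21.2
if [ "$#" -ge 2 ]; then
  install_tfe_cert "$@"
fi
```

Before installing, run `cert_fingerprint` on the copied file and compare it with the fingerprint of the certificate the server serves (`openssl s_client -connect <hostname>:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`); the two should match, which confirms that the file you scp'd out of /var/lib/replicated/secrets is the one your browser and the Terraform CLI will actually see. After `terraform login` succeeds you can remove the file from the anchors directory and rerun the update command if you later replace the TFE certificate with one from a trusted CA.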
Now run `terraform login <TFE URL>` again and you will be presented with a prompt as below:
Do you want to proceed? Only 'yes' will be accepted to confirm. Enter a value:
Once you enter 'yes', a new browser window opens where you can create a new API key and then authenticate successfully.