Azurerm provider - tls: failed to verify certificate: x509: certificate signed by unknown authority

Terraform Version

Terraform v1.7.0
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.88.0

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  client_id       = "REDACTED"
  client_secret   = "REDACTED"
  tenant_id       = "REDACTED"
  subscription_id = "REDACTED"
  features {}
}

# Create a resource group
resource "azurerm_resource_group" "rg" {
  name     = "terraform-test-rg"
  location = "westus2"
  tags     = {
    Environment = "Built by Terraform"
  }
}

Debug Output

Snippet

2024-01-19T21:36:14.752+1100 [TRACE] provider.terraform-provider-azurerm_v3.88.0_x5.exe: Calling downstream: @module=sdk.helper_schema tf_provider_addr=provider tf_req_id=9f81bf90-9037-b19b-eed6-60151204cc5b tf_rpc=Configure @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/grpc_provider.go:592 timestamp="2024-01-19T21:36:14.752+1100"
2024-01-19T21:36:14.753+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: POST https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token: timestamp="2024-01-19T21:36:14.753+1100"
2024-01-19T21:36:14.950+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: Generated Provider Correlation Request Id: 0b9ba3e5-f03d-2ead-9e9f-bc385f098c0a: timestamp="2024-01-19T21:36:14.950+1100"
2024-01-19T21:36:15.086+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: error retrieving locations: retrieving supported locations from Azure MetaData service: Get "https://management.azure.com//metadata/endpoints?api-version=2018-01-01": tls: failed to verify certificate: x509: certificate signed by unknown authority. Enhanced validation will be unavailable: timestamp="2024-01-19T21:36:15.086+1100"
2024-01-19T21:36:15.086+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: POST https://login.microsoftonline.com/REDACTED/oauth2/v2.0/token: timestamp="2024-01-19T21:36:15.086+1100"
2024-01-19T21:36:15.188+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: AzureRM Request: 
GET /subscriptions/REDACTED/providers?api-version=2022-09-01 HTTP/1.1
Host: management.azure.com
User-Agent: HashiCorp/go-azure-sdk (Go-http-Client/1.1 providers/2022-09-01) HashiCorp Terraform/1.7.0 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/3.88.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json; charset=utf-8; IEEE754Compatible=false
Content-Type: application/json; charset=utf-8
Odata-Maxversion: 4.0
Odata-Version: 4.0
X-Ms-Correlation-Request-Id: 0b9ba3e5-f03d-2ead-9e9f-bc385f098c0a
Accept-Encoding: gzip: timestamp="2024-01-19T21:36:15.188+1100"
2024-01-19T21:36:15.188+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01: timestamp="2024-01-19T21:36:15.188+1100"
2024-01-19T21:36:15.239+1100 [ERROR] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01 request failed: Get "https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01": tls: failed to verify certificate: x509: certificate signed by unknown authority: timestamp="2024-01-19T21:36:15.239+1100"
2024-01-19T21:36:15.239+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01: retrying in 1s (4 left): timestamp="2024-01-19T21:36:15.239+1100"
2024-01-19T21:36:16.294+1100 [ERROR] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01 request failed: Get "https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01": tls: failed to verify certificate: x509: certificate signed by unknown authority: timestamp="2024-01-19T21:36:16.294+1100"
2024-01-19T21:36:16.294+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01: retrying in 2s (3 left): timestamp="2024-01-19T21:36:16.294+1100"
2024-01-19T21:36:18.409+1100 [ERROR] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01 request failed: Get "https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01": tls: failed to verify certificate: x509: certificate signed by unknown authority: timestamp="2024-01-19T21:36:18.409+1100"
2024-01-19T21:36:18.409+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01: retrying in 4s (2 left): timestamp="2024-01-19T21:36:18.409+1100"
2024-01-19T21:36:22.502+1100 [ERROR] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01 request failed: Get "https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01": tls: failed to verify certificate: x509: certificate signed by unknown authority: timestamp="2024-01-19T21:36:22.502+1100"
2024-01-19T21:36:22.502+1100 [DEBUG] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01: retrying in 8s (1 left): timestamp="2024-01-19T21:36:22.502+1100"
2024-01-19T21:36:30.604+1100 [ERROR] provider.terraform-provider-azurerm_v3.88.0_x5.exe: GET https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01 request failed: Get "https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01": tls: failed to verify certificate: x509: certificate signed by unknown authority: timestamp="2024-01-19T21:36:30.604+1100"

Expected Behavior

I expected Terraform to create a resource group in my Azure Environment.

Actual Behavior

Terraform stops executing because of an unknown certificate. Error:

Original Error: populating Resource Provider cache: listing Resource Providers: loading results: Get "https://management.azure.com/subscriptions/REDACTED/providers?api-version=2022-09-01": tls: failed to verify certificate: x509: certificate signed by unknown authority
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on main.tf line 9, in provider "azurerm":
│    9: provider "azurerm" {

Steps to Reproduce

  1. terraform init
  2. terraform plan

Additional Context

* DigiCert Global Root G2
** Microsoft Azure TLS Issuing CA 06
*** management.azure.com

I ran the same test on a Windows 10 VM and it works without error. Same network connection (in fact, on the same physical machine as where the error occurs on the host OS).

I found this similar issue, but it is very old and related to proxies using TLS interception: x509: certificate signed by unknown authority AzureRM Provider behind company proxy · Issue #1778 · hashicorp/terraform-provider-azurerm · GitHub

Help, please? Is there any way to debug why/where this is falling over?

Is there any chance that having client certificates (unrelated to Azure) in the Windows ‘Personal’ cert store could cause this issue? i.e. because they are inadvertently presented as client certs to Azure?
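
One way to narrow down where verification fails, as an added example that is not part of the original post or the provider's code: the error in the debug output comes from Go's crypto/x509, which reports an unknown authority when the presented chain does not end in a root from the trust store being used. The Go sketch below reproduces that with a constructed root, issuing CA and leaf; the function names (issue, checkChain, demo) and all certificate names are hypothetical, and it checks chain trust only, not the host name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent yields a self-signed root.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkChain verifies chain (leaf first) against roots and lists each certificate's issuer.
func checkChain(chain []*x509.Certificate, roots *x509.CertPool) (issuers []string, unknownCA bool, err error) {
	inter := x509.NewCertPool()
	for _, c := range chain {
		issuers = append(issuers, c.Issuer.CommonName)
		inter.AddCert(c) // entries that issued nothing (the leaf) are simply unused
	}
	_, err = chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return issuers, errors.As(err, &x509.UnknownAuthorityError{}), err
}

// demo checks one constructed root -> issuing CA -> leaf chain against two trust stores.
func demo() (issuers []string, okErr error, unknownCA bool) {
	root, rk := issue("Constructed Root", true, nil, nil)
	ica, ik := issue("Constructed Issuing CA", true, root, rk)
	leaf, _ := issue("management.example.test", false, ica, ik)
	chain, trusted := []*x509.Certificate{leaf, ica}, x509.NewCertPool()
	trusted.AddCert(root)
	issuers, _, okErr = checkChain(chain, trusted)          // root present: chain verifies
	_, unknownCA, _ = checkChain(chain, x509.NewCertPool()) // root absent: unknown authority
	return
}

func main() { fmt.Println(demo()) }
```

Against a live endpoint, chain would be the certificates the server actually presented and roots the pool returned by x509.SystemCertPool(). Issuer names that differ from the DigiCert and Microsoft chain listed above mean a different certificate is being presented on that host; matching names with unknownCA set mean the root is missing from the trust store Go consulted.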