Terraform login and self-signed certs

Howdy. When running a demo of Terraform Enterprise, it would be great to be able to log in via ‘terraform login’ at the shell. However, if we’re using a Self-Signed SSL/TLS Cert for the demo of TFE, 'terraform login ’ gives an error about the ‘untrusted’ certificate, and I don’t see a way to temporarily accept the self-signed cert. Is there a way to avoid this error? Thanks in advance.

Hi @boldandbusted,

Terraform uses the main system certificate store to determine what is trusted, so the only way to make terraform login work with a locally-signed or self-signed certificate would be to temporarily add that certificate to the main certificate store for your system. Unfortunately the details for that differ quite a bit between operating systems, so I don’t have detailed instructions readily to hand for that.

It is also possible in principle to skip terraform login and manually add a suitable authentication token (issued through the UI) to a CLI configuration file. Generating such a file is what terraform login would do anyway. However, I expect that would just move the problem downstream a little, because you’ll presumably want to take some other action which uses that new token, which will again contact your Terraform Enterprise install and find an untrusted TLS certificate there.

1 Like

Thank you for your reply!

So, what I’m thinking this would help enable is this: I’ve made an easy Vagrantfile-based TFE installation. This could be useful for sales demos. If we can also use ‘terraform login’ and communicate with the TFE instance in the VM, we have a readymade, reliable way to demonstrate more of TFE’s features (like remote state backend for the CLI, shell-based remote plans, etc.) to potential clients. Yes, we could probably make some way that involves something like Let’s Encrypt, but then… we’d need to have that Vagrant-ized TFE instance be available on the public Internet. :face_vomiting:

Any chance there’s something on the Terraform core backlog for better support of self-signed certs (or a “–HORRIBLY-INSECURE-NO-SUPPORT” secret switch :wink: )?

Cheers!

There are many separate components of Terraform that reach out to various different remote services, some of which are not in the main Terraform program at all (e.g. provider code), so unfortunately I don’t think it’s practical to introduce a special-case certificate override: whatever subset of things we were able to wire it up to would end up falling short of expectations, causing a never-ending stream of requests to support that setting for one more thing, including things that are architecturally very difficult to support this for, such as the tfe provider (which is an entirely separate executable than the terraform CLI and thus has no direct access to the CLI arguments).

Your mention of using Vagrant here made me think of another option: the Vagrantfile could also potentially either install the Terraform CLI into the single VM it’s creating or declare a second VM intended for client use, and then have instructions for users to vagrant ssh into that VM in order to run the Terraform executable for the demo.

You could then arrange for whichever VM contains the client to also trust the one-off self-signed certificate, making the demo environment entirely self-contained and self-trusting without encouraging users to “temporarily” set insecure settings on their main system that they may forget to unset later. Setting it up this way would also have a nice side-effect that any other HTTP client software they might want to try out – such as curl against the API if they are evaluating an API-based integration – is likely to “just work” if they run it inside the client VM, without needing to make a special exception for each client application individually.

Thank you, @apparentlymart! I hear you on the ‘slippery slope’ angle (pun intended).

Regarding the Vagrant scenario - since this particular self-signed cert is generated by TFE itself, I’m not sure how I’ll access it to enable other applications (including the Terraform CLI) to make use of it. Is there a way to get that TFE-generated cert out of TFE and into the host OS’s web of trust database? (I didn’t see a way using the “Terraform Enterprise” provider. Other than this conundrum, I like this idea a lot! :smiley:

Hi @boldandbusted,

I’m afraid the Terraform Enterprise certificate generation is outside of my area of expertise, and thus I can’t offer a specific answer.

However, if the bootstrapping is happening inside the Vagrant VM(s) you are creating then I expect the TFE server is implicitly trusted from the perspective of that bootstrapping, and so perhaps you could take the certificate chain from the running server directly. For example, here’s an openssl command that I think will show the certificate information for a running server:

openssl s_client -showcerts -verify 5 -connect 127.0.0.1:443

This particular openssl command is not super convenient for an automated script since it includes everything together in a single stream of output. The CA chain information should be available from the server itself though, so hopefully there is another command similar to the above which is more convenient to use in an automated script. (I don’t know one off the top of my head.)