Terraform is a great infrastructure provisioning tool that works well for multi-cloud and On-PREM environments. This software tool provides a consistent CLI workflow to manage hundreds of cloud services. I see that many of the beginners trying to learn “terraform” on the VM’s. But they face challenge regards to trusted TLS certificate while trying to download the providers. The primary reason is the “Terraform” SSL connection is behind the proxy. This article will help to fix those certificate issues on the Linux VM’s and who can’t fix the certificate issues due to various reason, it will help you to set up offline terraform plugins.
Here are the most common errors we face during the “terraform init” stage.
It says “Error: Failed to query available providers packages. Could not retrieve the list of available versions for provider. hasicorp/azure: could not connect to registry.terraform.io: Failed to request discovery document: Get https://registry.terraform.io/.well-known/terraform.json”: x509: certificate
signed by unknown authority
[root@terra terraform_demo]# terraform init Initializing the backend… Initializing provider plugins… Finding latest version of hashicorp/azurerm… ╷ │ Error: Failed to query available provider packages │ │ Could not retrieve the list of available versions for provider hashicorp/azurerm: could not connect to registry.terraform.io: Failed to request discovery │ document: Get "https://registry.terraform.io/.well-known/terraform.json": x509: certificate signed by unknown authority ╵ [root@terra terraform_demo]#
Host level Checks:
- Ensure system time is correct.
[root@terra ~]# chronyc makestep 200 OK [root@terra ~]# date Sun Jun 13 07:54:05 EDT 2021 [root@terra ~]#
2. Update system certificates
[root@terra ~]# update-ca-trust force-enable [root@terra ~]# update-ca-trust extract [root@terra ~]# /bin/update-ca-trust [root@terra ~]#
3. Update the system and reboot it.
[root@terra ~]# yum update -y [root@terra ~]# reboot Update root certificate
If still the problem is not solved, we need to update the organization root certificate on the VM. When you use Terraform behind the corporate proxy, you might this kind of SSL connection issues.
If you are able to manage to get the root certificate of your corporate network gateway, you can append this certificate in to existing ca-certificate.crt file.
- In windows 10, type “cert” in the search box to find the “Manager user certificate” console. Navigate to “Trusted Root Certificate Authorities”.
2. Copy to file and transfer this file / copy contents to Linux VM where you are facing this issue.
3. I have placed the copied certificate in “/root/root_cert.pem”. Append this certificate in to existing ca-certificates.crt.
[root@terra ~]# cat /root/root_cert.pem >> /etc/pki/tls/certs/ca-certificates.crt [root@terra ~]#
4. Try “terraform init” to initialize/download the provider plugins from registry.
[root@terra ~]# terraform init Initializing the backend… Initializing provider plugins… Finding latest version of hashicorp/azurerm… Installing hashicorp/azurerm v2.63.0… Installed hashicorp/azurerm v2.63.0 (signed by HashiCorp) Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary. [root@terra ~]#
If you couldn’t get the root certificate of your organization’s network gateway, you could try to manually prepare the plugins for the terraform.
Terraform Offline method
- Let’s assume that terraform configuration files requires an “azurerm” provider. Create the following directory hierarchy on the working directory.
# mkdir -p terraform.d/plugins/registry.terraform.io/terraform-provider-
azurerm/azurerm/2.63.0/linux_amd64/
terraform.d
└── plugins
└── registry.terraform.io
└── terraform-provider-azurerm
└── azurerm
└── 2.63.0
└── linux_amd64
2. Download the “azurerm” provider plugin from “https://releases.hashicorp.com/terraform-provider-azurerm/” . Select the correct version and platform. In my case, I m running terraform on “RHEL 7 / CentOS 7.
3. Use the following command to download the provider.
[root@terra terraform_demo]# wget --no-check-certificate https://releases.hashicorp.com/terraform-provider-azurerm/2.63.0/terraform-provider-azurerm_2.63.0_linux_amd64.zip --2021-06-13 09:17:43-- https://releases.hashicorp.com/terraform-provider-azurerm/2.63.0/terraform-provider-azurerm_2.63.0_linux_amd64.zip Resolving releases.hashicorp.com (releases.hashicorp.com)… 151.101.153.183, 2a04:4e42:24::439 Connecting to releases.hashicorp.com (releases.hashicorp.com)|151.101.153.183|:443… connected. WARNING: cannot verify releases.hashicorp.com's certificate, HTTP request sent, awaiting response… 200 OK Length: 31831587 (30M) [application/zip] Saving to: ‘terraform-provider-azurerm_2.63.0_linux_amd64.zip’ 100%[=======================================================================>] 31,831,587 7.22MB/s in 4.7s 2021-06-13 09:17:49 (6.50 MB/s) - ‘terraform-provider-azurerm_2.63.0_linux_amd64.zip’ saved [31831587/31831587] [root@terra terraform_demo]#
4. Unzip the downloaded provider and place it in the newly create path. Re-run tree command to ensure that you have the desired plugin in the right location.
[root@terra terraform_demo]# tree terraform.d
terraform.d
└── plugins
└── registry.terraform.io
└── terraform-provider-azurerm
└── azurerm
└── 2.63.0
└── linux_amd64
└── terraform-provider-azurerm_v2.63.0_x5
6 directories, 1 file
[root@terra terraform_demo]#
5. Run “terraform init” . We have successfully initialized terraform without downloading the provider from terraform registry.
[root@terra terraform_demo]# terraform init Initializing the backend… Initializing provider plugins… Reusing previous version of terraform-provider-azurerm/azurerm from the dependency lock file Using previously-installed terraform-provider-azurerm/azurerm v2.63.0 Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary. [root@terra terraform_demo]#
Hope this article helps you to overcome some of the limitation to test and practice terraform on the nested virtualization environments.
Leave a Reply