Fixing the Terraform "x509: certificate signed by unknown authority" error
The error "x509: certificate signed by unknown authority" is a very common problem for developers. It means the client could not chain the certificate presented by the server to any certificate authority (CA) in its trust store. There are several possible causes:
- a self-signed certificate that was not issued by a trusted certificate authority (CA)
- an expired certificate
- a changed hostname that no longer matches the certificate
- a corporate network where a firewall or proxy intercepts the traffic and replaces the server's certificate with its own self-signed certificate
How to Fix it?
This issue can happen with tools such as Git, Docker, Terraform, Kubernetes, Jenkins, AWS, etc.
Regardless of which tool you are using, the fix follows the same three steps:
- Step 1: Generate the certificate using openssl
- Step 2: Copy the content of the generated certificate into a .crt file
- Step 3: Move the generated .crt into the trusted root store of your operating system
1. Generate the certificate using openssl
Pre-requisite - Before we start fixing the issue, there is one primary requirement: openssl must be installed, because you will need openssl to generate the certificate.
Install openSSL - If you do not have openSSL installed, follow these instructions for installing the
Generate Certificate - After installing openSSL, you are ready to generate the certificate.
Here is the command for generating the certificate:
openssl s_client -connect registry.terraform.io:443 2>/dev/null </dev/null | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
In the above command we connect to registry.terraform.io and extract the certificate it presents; the sed filter keeps only the PEM block between the BEGIN CERTIFICATE and END CERTIFICATE lines. I used this URL because I faced this issue while working with Terraform.
Keep in mind that you get whatever certificate the other end hands you. On an intercepting corporate network that is the proxy's certificate, not the site's, so check its subject and issuer (for example with openssl x509 -noout -subject -issuer) before you trust it.
How to identify the URL for generating the certificate?
Note - Look at the error description of "certificate signed by unknown authority": it contains the URL the tool was trying to reach.
The error I showed above happens when I try to run the terraform command.
Here is one more example, for Docker.
This is the command for extracting the certificate presented by hub.docker.com:
openssl s_client -connect hub.docker.com:443 2>/dev/null </dev/null | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
2. Copy the content of the generated certificate into a .crt file
As soon as you run the command from Step 1, you will see output very similar to the following screenshot.
Copy the certificate block as highlighted in the screenshot (everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, both lines included) and save it to a file, for example my-certificate-self-signed.crt.
3. Add the certificate (.crt) file to the root trust store (/usr/local/share/ca-certificates/)
Now you have my-certificate-self-signed.crt. Next you need to add this certificate to the root trust store of your working machine.
The path of the root trust store differs by operating system. Follow the instructions for your operating system below. (If you only want Terraform itself to trust the certificate rather than the whole machine, Terraform is a Go program and on Linux honours the SSL_CERT_FILE environment variable, which you can point at the .crt file for that process only.)
1. Ubuntu or Debian
Run the following copy command to move my-certificate-self-signed.crt into the /usr/local/share/ca-certificates directory (the file must keep the .crt extension, otherwise it is ignored):
sudo cp my-certificate-self-signed.crt /usr/local/share/ca-certificates/terraform.crt
After moving the certificate into the root trust store path, refresh the certificate store so the new certificate is picked up:
sudo update-ca-certificates
If you later need to remove the certificate from a Debian/Ubuntu system, delete its file from /usr/local/share/ca-certificates/ and rebuild the store from scratch with the following command:
sudo update-ca-certificates --fresh
For macOS you need to add the certificate to the System keychain:
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain ~/my-certificate-self-signed.crt
If you want to remove the certificate from the System keychain again, use the following command. Note that -c takes the certificate's common name (the CN shown in its subject), not the file name, so substitute the placeholder:
sudo security delete-certificate -c "<common name of the certificate>" /Library/Keychains/System.keychain
If you are using the Windows operating system, run the following command from an elevated cmd prompt to add the certificate:
certutil -addstore -f "ROOT" my-certificate-self-signed.crt
Here is the command for removing the certificate with certutil (pass the certificate's serial number in hex):
certutil -delstore "ROOT" serial-number-hex
For CentOS the steps are a little different from Ubuntu or Debian-based systems.
First of all, install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration:
update-ca-trust force-enable
Add the certificate to ca-trust:
cp my-certificate-self-signed.crt /etc/pki/ca-trust/source/anchors/
Update the ca-trust:
update-ca-trust extract