Fixing terraform x509 certificate signed by unknown authority?

The error x509: certificate signed by unknown authority is a very common problem faced by developers.

[Screenshot: terraform error - x509: certificate signed by unknown authority]

There are several possible reasons for this error -

  1. A self-signed certificate that was not issued by a trusted certificate authority (CA)
  2. The current certificate has expired
  3. The hostname has changed and no longer matches the certificate
  4. A corporate network where traffic is intercepted by a firewall or proxy that replaces the server's certificate with its own self-signed certificate

How to Fix it?

This issue can happen with tools such as Git, Docker, Terraform, Kubernetes, Jenkins, the AWS CLI, etc.

But irrespective of which tool you are using, the fix follows the same steps -

  1. Step-1: Fetch the server's certificate using openssl
  2. Step-2: Copy the content of the fetched certificate into a .crt file
  3. Step-3: Move the .crt file to the trusted root store in Linux (or the equivalent store on your OS)

1. Fetch the certificate using openssl

  1. Pre-requisite - Before we start fixing the issue, there is one primary requirement: openssl must be installed, because you will use it to fetch the certificate.

  2. Install openSSL - If you do not have openSSL installed, follow the installation instructions for your platform.

  3. Fetch the certificate - After installing openSSL, you are ready to fetch the certificate.

    Here is the command for fetching the certificate -

    openssl s_client -connect registry.terraform.io:443 2>/dev/null </dev/null |\
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

    In the above command, openssl connects to registry.terraform.io and prints the certificate the server presents (the PEM block between the BEGIN/END CERTIFICATE markers). I used this URL because I faced this issue while working with Terraform.

    How to identify the URL whose certificate you need to fetch?

    [Screenshot: terraform error - x509: certificate signed by unknown authority]

    Note - Look at the error description of "certificate signed by an unknown authority": it contains the URL (host) the tool failed to connect to, and that is the host whose certificate you need.

    The error shown above occurs when I run the terraform command terraform init.

    But here is one more example, from Docker -

    [Screenshot: docker error - x509: certificate signed by unknown authority]

    Here is the command for fetching the certificate presented by hub.docker.com -

    openssl s_client -connect hub.docker.com:443 2>/dev/null </dev/null |\
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

2. Copy the content of the fetched certificate into a .crt file

As soon as you run the command from Step-1, you will see output very similar to the following screenshot.

Copy the certificate details as highlighted in the following screenshot, that is, everything from the -----BEGIN CERTIFICATE----- line to the -----END CERTIFICATE----- line inclusive, and save it to a file, for example my-certificate-self-signed.crt

[Screenshot: output of the openssl s_client command]


3. Add the certificate (.crt) file to the root trust store (/usr/local/share/ca-certificates/)

Now you have my-certificate-self-signed.crt. Next, you need to add this certificate to the root trust store of your working machine.

The root trust store path differs by operating system. Please follow the instructions for your operating system -

1. Ubuntu or Debian

Run the following copy command to place my-certificate-self-signed.crt in the /usr/local/share/ca-certificates directory -

sudo cp my-certificate-self-signed.crt /usr/local/share/ca-certificates/terraform.crt

After copying the certificate to the root trust store path, you need to refresh the certificate bundle -

sudo update-ca-certificates

If you later need to remove the certificate on a Debian/Ubuntu system, delete the .crt file from /usr/local/share/ca-certificates and rebuild the bundle from scratch with the following command -

sudo update-ca-certificates --fresh

2. MacOS

For macOS you need to add the certificate to the System keychain -

sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain ~/my-certificate-self-signed.crt

If you want to remove the certificate from the System keychain, use the following command. Note that -c matches the certificate's common name (the CN shown in its subject), not the file name -

sudo security delete-certificate -c "<certificate common name>" /Library/Keychains/System.keychain

3. Windows

If you are using the Windows operating system, run the following command from an elevated (administrator) cmd prompt to add the certificate -

certutil -addstore -f "ROOT" my-certificate-self-signed.crt

Here is the command for removing the certificate with certutil (identify it by its serial number) -

certutil -delstore "ROOT" serial-number-hex

4. CentOS

For CentOS, the steps are a little different from Ubuntu or Debian-based systems.

First of all, you need to install the ca-certificates package -

yum install ca-certificates

Enable the dynamic CA configuration -

update-ca-trust force-enable

Add the certificate to ca-trust -

cp my-certificate-self-signed.crt /etc/pki/ca-trust/source/anchors/

Update the ca-trust -

update-ca-trust extract
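The procedure above, as an added example that is not part of the original post: a POSIX shell script that splits the PEM output from Step-1 into individual certificates, tells the self-signed root (the block worth trusting in Step-3) apart from the server's leaf certificate, and checks with openssl whether a leaf verifies against a chosen CA file. It assumes openssl s_client was run with -showcerts so the whole chain is present; the fixture (a constructed "Example Corp Proxy CA" signing a leaf for registry.terraform.io) stands in for the real download so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# Constructed fixture: "Example Corp Proxy CA" and its leaf are generated locally.

# split_pem BUNDLE OUTDIR: writes cert-1.pem, cert-2.pem, ... in the order the
# blocks appear (leaf first in s_client output) and echoes how many were written.
# Text outside the BEGIN/END markers (s_client chatter) is ignored.
split_pem() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-BEGIN CERTIFICATE-/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > f }
    /-END CERTIFICATE-/ { inside = 0; close(f) }
    END { print n + 0 }' "$1"
}

# is_self_signed CERT: succeeds when subject and issuer hash are identical, the
# mark of a self-signed/root certificate. A leaf from a corporate proxy is NOT
# self-signed; the proxy's own CA certificate is the one to add to the store.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject_hash)
  iss=$(openssl x509 -in "$1" -noout -issuer_hash)
  [ "$subj" = "$iss" ]
}

# verify_leaf LEAF CAFILE: succeeds when LEAF chains to a certificate in CAFILE.
# After Step-3 on Debian/Ubuntu, CAFILE can be /etc/ssl/certs/ca-certificates.crt
# to confirm the tool's TLS connection will now be accepted.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_fixture DIR: constructed stand-in for the real s_client output. A private
# CA signs a leaf for registry.terraform.io; both are concatenated, leaf first,
# behind one line of s_client-style chatter.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Corp Proxy CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.terraform.io" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" >/dev/null 2>&1
  printf 'depth=1 CN = Example Corp Proxy CA\n' > "$1/bundle.pem"
  cat "$1/leaf.pem" "$1/ca.pem" >> "$1/bundle.pem"
}
```

To use it on a real download, save the output of openssl s_client -showcerts to a file, run split_pem on it, and call is_self_signed on each piece; the piece that succeeds is the block to copy in Step-2.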