
azure state provider: tls: failed to verify certificate: x509: certificate signed by unknown authority (reopen of #34427)

Open joaocc opened this issue 1 year ago • 2 comments

Terraform Version

1.5.7

Terraform Configuration Files

N/A

Debug Output

N/A

Expected Behavior

When trying to access azure blob state bucket on azure blob storage, the client should trust certificates installed on the OS. (this is a reopen of https://github.com/hashicorp/terraform/issues/34427)

Actual Behavior

When running behind traffic-intercepting proxy, trying to access a state bucket on azure blob storage yields the following:

Error: Failed to load state: blobs.Client#Get: Failure sending request: StatusCode=0 -- Original Error: Get "https://some-blob-name.blob.core.windows.net/some-container-nale/some-name%2Fterraform.tfstate?st=2023-12-17T13%3A12%3A26Z&se=2023-12-23T13%3A27%3A26Z&sp=racwdl&spr=https&sv=2022-11-02&sr=c&skoid=xxxx-a2d0-xxx-xxx-xxx&sktid=70361cf4-caa3-4dfe-a915-05704b779731&skt=2023-12-17T13%3A12%3A26Z&ske=2023-12-23T13%3A27%3A26Z&sks=b&skv=2022-11-02&sig=xxxxxxxx%3D": tls: failed to verify certificate: x509: certificate signed by unknown authority

This happens on debian 11/bullseye, where the certificate of the intercepting party (in this case Cloudflare WARP) is already installed as trusted. Also, azure-cli is already configured to work in this environment.

I wasn't able to find any documentation.

Steps to Reproduce

1. Configure cloudflare-warp (or any other traffic-inspecting client)
2. Add the certificate to the OS trusted certificate store
3. Add the certificate to azure-cli as per https://learn.microsoft.com/en-us/cli/azure/use-cli-effectively?tabs=bash%2Cbash2#work-behind-a-proxy
4. Run terraform

Additional Context

No response

References

No response

joaocc avatar Jan 19 '24 17:01 joaocc

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions.

Note that the team that works on this feature is the Azure Provider Team, and they have been notified of this issue. Thanks again!

crw avatar Jan 19 '24 21:01 crw

Thanks for the feedback. I would think a similar issue would arise with the S3 backend or other backends, where certificate validation does not rely on the underlying OS. For reference, I raised similar issues for azure-cli (https://github.com/Azure/azure-cli/issues/28050) and aws-cli (https://github.com/aws/aws-cli/issues/9017), and this also seems to be addressed by https://github.com/Azure/azure-cli/issues/26456. Not sure if terraform would need some custom solution or if it could be addressed by configuration at the level of the SDK.

joaocc avatar Jan 20 '24 14:01 joaocc