azure state provider: tls: failed to verify certificate: x509: certificate signed by unknown authority (reopen of #34427) #34546

Open
joaocc opened this issue Jan 19, 2024 · 2 comments
Labels
backend/azure bug new new issue not yet triaged

Comments

Contributor

joaocc commented Jan 19, 2024

Terraform Version

1.5.7

Terraform Configuration Files

N/A

Debug Output

N/A

Expected Behavior

When trying to access an Azure blob state bucket on Azure Blob Storage, the client should trust certificates installed on the OS.
(this is a reopen of #34427)

Actual Behavior

When running behind a traffic-intercepting proxy, trying to access a state bucket on Azure Blob Storage yields the following:

Error: Failed to load state: blobs.Client#Get: Failure sending request: StatusCode=0 -- Original Error: Get "https://some-blob-name.blob.core.windows.net/some-container-nale/some-name%2Fterraform.tfstate?st=2023-12-17T13%3A12%3A26Z&se=2023-12-23T13%3A27%3A26Z&sp=racwdl&spr=https&sv=2022-11-02&sr=c&skoid=xxxx-a2d0-xxx-xxx-xxx&sktid=70361cf4-caa3-4dfe-a915-05704b779731&skt=2023-12-17T13%3A12%3A26Z&ske=2023-12-23T13%3A27%3A26Z&sks=b&skv=2022-11-02&sig=xxxxxxxx%3D": tls: failed to verify certificate: x509: certificate signed by unknown authority

This happens on Debian 11/bullseye, where the certificate of the intercepting party (in this case Cloudflare WARP) is already installed as trusted. Also, azure-cli is already configured to work in this environment.

Wasn't able to find any documentation

Steps to Reproduce

1. Configure cloudflare-warp (or any other traffic inspecting client)
2. Add certificate to OS trusted certificate store
3. Add certificate to azure-cli as per (https://learn.microsoft.com/en-us/cli/azure/use-cli-effectively?tabs=bash%2Cbash2#work-behind-a-proxy)
4. Run terraform

Additional Context

No response

References

No response

@joaocc joaocc added bug new new issue not yet triaged labels Jan 19, 2024
Collaborator

crw commented Jan 19, 2024

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions.

Note that the team that works on this feature is the Azure Provider Team, and they have been notified of this issue. Thanks again!

Contributor Author

joaocc commented Jan 20, 2024

Thanks for the feedback. I would think a similar issue would arise with the S3 backend or other backends, where certificate validation is not relying on the underlying OS.
For reference, I raised similar issues for azure-cli (Azure/azure-cli#28050) and aws-cli (aws/aws-cli#9017), and this also seems to be addressed by Azure/azure-cli#26456. Not sure if terraform would need some custom solution or if it could be addressed by configurations at the level of the SDK.
