Terraform-provider-azurerm: x509: certificate signed by unknown authority AzureRM Provider behind company proxy

Created on 15 Aug 2018  ·  7 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

_This issue was originally opened by @Quisl as hashicorp/terraform#18683. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.11.7
+ provider.azurerm v1.7.0

Terraform Configuration Files


provider "azurerm" {
    subscription_id = "CENSORED"
    client_id       = "CENSORED"
    client_secret   = "CENSORED"
    tenant_id       = "CENSORED"
}

resource "azurerm_resource_group" "storage-rg" {
  name     = "storage-prd-rg"
  location = "West Europe"

  tags {
    description = "contains azure resources concerning storage"
  }
}

Debug Output

https://gist.github.com/Quisl/c4275d4559e53bc5d982aff1fc733169

Expected Behavior

I expected Terraform to create a resource group in my Azure Environment.

Actual Behavior

Terraform stops executing because of an unknown certificate. Error:

Steps to Reproduce

  1. terraform init
  2. terraform plan

Additional Context

I am using Debian 9 (stretch) and I sit behind a proxy server which requires me to use the company's CA certificate for outgoing traffic. However, I have added the certificate to my operating system using the update-ca-certificates command (curl works).

authentication bug
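The error in the title is what Go's x509 verifier returns when the presented chain does not end in a root the client trusts. The following is an added example, not code from this thread or from the provider: it uses constructed in-memory certificates and a hypothetical CA name ("Example Corp Proxy CA") to show the same leaf failing and then passing, depending only on whether the issuing CA is in the root pool the client uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed sample cert: a self-signed CA if parent is nil, else a leaf for DNS name cn.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check runs the chain and host name verification a Go TLS client performs; unknownCA marks the error in this issue's title.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string) (ok, unknownCA bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, unknownCA = err.(x509.UnknownAuthorityError)
	return err == nil, unknownCA
}

// demo checks a leaf from a stand-in corporate proxy CA before and after that CA joins the root pool.
func demo(host string) (before, unknownCA, after bool) {
	ca, caKey := issue("Example Corp Proxy CA", nil, nil) // hypothetical CA name
	leaf, _ := issue(host, ca, caKey)
	pool := x509.NewCertPool() // stands in for the trust store the Go client actually reads
	before, unknownCA = check(leaf, pool, host)
	pool.AddCert(ca)
	after, _ = check(leaf, pool, host)
	return
}
func main() { fmt.Println(demo("login.microsoftonline.com")) } // host taken from the log on this page
```

On Linux, Go fills its default root pool from the system certificate files and honours SSL_CERT_FILE and SSL_CERT_DIR, which is the pool to inspect when curl succeeds and a Go binary does not.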

All 7 comments

hey @Quisl

Thanks for opening this issue :)

I've taken a look into this issue and believe there's two parts to fixing this:

  • making the Azure SDK client configuration consistent (which has been done in #1845)
  • using the Proxy from the Environment when it's set (which is done in this branch: https://github.com/terraform-providers/terraform-provider-azurerm/compare/proxy-support)

Unfortunately I don't have access to a Proxy to verify this patch works as expected behind a proxy with custom authentication - however I can see these requests going through the proxy as expected using Charles Proxy on macOS. Would you be able to pull and build the branch proxy-support and confirm if this fixes your issue? If so there's build instructions in the README

Thanks!

Hi @tombuildsstuff

I had to test it on a different machine as the other one was just a testing VM.

However, it appears to work now!

Thank you 👍

hey @Quisl

Thanks for confirming that - we'll send a PR to update that shortly.

Thanks!

PR: #2133

hi @Quisl

Just to let you know that this has been released as a part of v1.18 of the AzureRM Provider (the full changelog is available here). You can upgrade to this by specifying the version in the provider block (as shown below) and then running terraform init -upgrade

provider "azurerm" {
  version = "=1.18.0"
}

Thanks!

Terraform v0.11.10
+ provider.azurerm v1.19.0

Still having issue.
Log:

* provider.azurerm: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/<CENSORED>/providers?api-version=2017-05-10: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/<CENSORED>/oauth2/token?api-version=1.0: dial tcp: lookup login.microsoftonline.com on [fec0:0:0:ffff::1]:53: dial udp [fec0:0:0:ffff::1]:53: connect: invalid argument'

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
