Score:0

Terraform: "S3:path_to_terraform.tfstate": x509: cannot validate certificate for because it doesn't contain any IP SANs

I'm using S3 to save my state. Since this is a custom S3 server (not AWS), I configured it as shown below (using IP + port).

When running terraform init I received this error:

Successfully configured the backend "s3"! Terraform will automatically use this backend unless the backend configuration changes. Error refreshing state: RequestError: send request failed caused by: Get "https://custom_S3_server_IP:8082/mytest/my_sub_folder/terraform.tfstate": x509: cannot validate certificate for custom_S3_server_IP because it doesn't contain any IP SANs

Usually when I encounter an issue like this, I assume it is endpoint (DNS) verification. But it seems I can't disable it using Terraform. Here is my S3 config:

  terraform {
    backend "s3" {
      region                 = "DEGO"
      skip_region_validation = true
      force_path_style       = true
      bucket                 = "mytest"
      key                    = "my_sub_folder/terraform.tfstate"
      access_key             = "myK"
      secret_key             = "myS"
      endpoint               = "custom_S3_server_IP:8082"
    }
  }

Edit: I know that the certificate doesn't contain the IP which is entered, but in every client which has this issue there is always a way to disable the DNS verification. E.g. the Terraform AWS implementation can use the "--no-verify-ssl" option to overcome this, but I couldn't find any property which does something like this.

Score:0

Your S3 server's TLS certificate doesn't have the IP address listed in its Subject Alternative Name field. You need to use a proper certificate in your S3 server that has this.

An easier alternative is to use a DNS name in the URL and make sure your certificate has the DNS name in its SAN field.

winter (asker): I know, but in aws-cli you can add --no-verify-ssl, which I assumed could also be used somehow in the S3 Terraform configuration (I edited my post so it will be clearer).

answerer: You shouldn't risk your system integrity by disabling essential security features like certificate validation.

winter (asker): Well, since it's TLS verification on the client side, I am not that worried.. we use Terraform behind a VPN, and it's currently for testing. ;)
Score:0

It seems that currently there is no option to disable TLS verification when using the Terraform S3 backend as the state bucket.

Here is a reference to an open issue:

https://github.com/hashicorp/terraform/issues/26883
