Terraform's TLS certificate parsing error occurs when the TLS provider encounters malformed, expired, or untrusted certificates. This error typically appears when using data sources like tls_certificate or connecting to remote backends with problematic certificates.
This error occurs when Terraform's TLS provider attempts to parse a certificate but encounters an issue with its format or validity. Common causes include malformed PEM encoding, negative serial numbers (in Terraform 1.10+), invalid certificate chains, missing intermediate certificates, or expired certificates. The error often surfaces when using the tls_certificate data source, connecting to HTTPS endpoints during provider initialization, or when accessing state stored in S3 or other cloud backends secured with TLS.
First, check if the certificate file is valid PEM format and not corrupted.

```bash
# Extract the certificate from your endpoint or file
# (openssl x509 only parses the first certificate in its input, i.e. the leaf)
openssl s_client -showcerts -connect example.com:443 </dev/null | openssl x509 -text -noout
# Or check a local PEM file
openssl x509 -text -noout -in /path/to/certificate.pem
```

Look for:
- Valid date range (notBefore and notAfter)
- Correct certificate subject/CN matches your domain
- Complete certificate chain (no truncated PEM blocks)

If the certificate is expired, you'll need to update it with a valid one.
Terraform 1.10 upgraded from Go 1.22 to Go 1.23, which enforces stricter certificate validation. Certificates with negative serial numbers are now rejected.

```bash
# Check the serial number of the certificate
openssl x509 -serial -noout -in /path/to/certificate.pem
```

If the serial starts with a minus sign or is very large, you need to either:
1. Upgrade the certificate to one with a valid positive serial number
2. Downgrade to Terraform 1.9.8 temporarily while planning certificate replacement
3. Set an environment variable to relax Go's validation (not recommended for production):

```bash
export GODEBUG=x509negativeserial=1
terraform plan
```

If using a certificate from a provider like AWS ACM or Azure, ensure the complete chain is included. The certificate file must contain the leaf certificate and all intermediate certificates in the correct order.

```bash
# Count certificates in your PEM file
grep -c "BEGIN CERTIFICATE" certificate.pem
# Should typically have: 1 (leaf) + N (intermediates) + optional 1 (root)
```

If missing intermediates, download and append them:

```bash
# Download the full chain as served by the endpoint
openssl s_client -showcerts -connect example.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > full_chain.pem
# Use the complete chain in Terraform
```

If using the tls_certificate data source, you can control certificate chain verification with the verify_chain parameter:
```hcl
data "tls_certificate" "example" {
  url = "https://example.com"

  # Set to false to skip verification (not recommended for production)
  verify_chain = true # default
}
```

For local certificate files, use the content parameter instead:

```hcl
data "tls_certificate" "example" {
  content = file("${path.module}/certificate.pem")
}
```

Note: When using content with multiple PEM certificates, only the first is typically parsed.
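Before pointing the content argument (or a backend) at a PEM file, it helps to run the checks from the earlier steps in one pass. The following is an added example, not code from the original article or from the hashicorp/tls provider: a dependency-free Python script that walks each PEM block's DER structure and reports malformed encoding, a negative serial number (the Go 1.23 rejection), an expired validity window, and a file with only a single certificate. The sample certificates it builds are constructed minimal tbsCertificate structures, not real signed certificates, and SAMPLE_NOW is a fixed clock chosen for the demonstration.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the checks are reproducible

def read_tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length
def parse_time(tag, value):  # UTCTime (tag 0x17, YY...) or GeneralizedTime (0x18, YYYY...) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_der(der):  # walk Certificate -> tbsCertificate in RFC 5280 field order -> (serial, notBefore, notAfter)
    _, tbs, _ = read_tlv(read_tlv(der, 0)[1], 0)
    tag, _, pos = read_tlv(tbs, 0)
    _, serial, pos = read_tlv(tbs, pos if tag == 0xA0 else 0)  # skip optional [0] version; serial is a signed INTEGER
    _, _, pos = read_tlv(tbs, pos)       # signature AlgorithmIdentifier (skipped)
    _, _, pos = read_tlv(tbs, pos)       # issuer Name (skipped)
    _, validity, _ = read_tlv(tbs, pos)  # validity SEQUENCE { notBefore, notAfter }
    nb = read_tlv(validity, 0)
    return int.from_bytes(serial, "big", signed=True), parse_time(*nb[:2]), parse_time(*read_tlv(validity, nb[2])[:2])

def check_pem(pem_text, now=None):  # findings for a PEM chain file; an empty list means nothing obviously wrong
    now, blocks = now or datetime.now(timezone.utc), PEM_RE.findall(pem_text)
    findings = [] if blocks else ["no BEGIN CERTIFICATE block found: not a PEM certificate file"]
    for i, b64 in enumerate(blocks):
        try:
            serial, not_before, not_after = inspect_der(base64.b64decode("".join(b64.split()), validate=True))
        except Exception as exc:  # bad base64, truncated block or unexpected structure
            findings.append(f"cert {i}: malformed PEM/DER ({type(exc).__name__})")
            continue
        if serial < 0:  # top bit set with no leading 0x00 byte: exactly what Go 1.23 rejects
            findings.append(f"cert {i}: negative serial {serial:#x}, rejected by Go 1.23 (Terraform 1.10+)")
        if not not_before <= now <= not_after:
            findings.append(f"cert {i}: outside validity window {not_before:%Y-%m-%d}..{not_after:%Y-%m-%d}")
    if len(blocks) == 1:
        findings.append("only one certificate in file: intermediates may be missing")
    return findings
def tlv(tag, body):  # tiny DER encoder (short-form lengths only), used just to build the constructed sample
    return bytes([tag, len(body)]) + body
def sample_cert(serial, not_before, not_after):  # constructed, unsigned tbsCertificate; NOT a real certificate
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True))
           + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSAEncryption
           + tlv(0x30, b"") + tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode())))  # issuer, validity
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(tlv(0x30, tlv(0x30, tbs))).decode()}\n-----END CERTIFICATE-----\n"
```

Run check_pem on the contents of the file you intend to pass to content (or to a backend) and fix every finding before retrying terraform plan; the sample_cert helper only exists so the script can be exercised without a real certificate.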
If behind a corporate proxy or using self-signed certificates, add the certificate to your system's CA bundle:

On Linux:

```bash
# Copy the certificate to the local CA store (update-ca-certificates only picks up files ending in .crt)
sudo cp certificate.pem /usr/local/share/ca-certificates/certificate.crt
sudo update-ca-certificates
# Or append to the system CA file (the next update-ca-certificates run regenerates this file, so prefer the step above)
sudo tee -a /etc/ssl/certs/ca-certificates.crt < certificate.pem >/dev/null
```

On macOS:

```bash
# Add the certificate to the system keychain and mark it trusted as a root
# (security add-certificates alone imports it without granting trust)
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certificate.pem
```

In Terraform, you can also set custom CA paths:

```bash
# Go's TLS stack (and therefore Terraform and its providers) honours these on Linux; they affect all HTTPS connections.
# Note: TF_VAR_* variables only set Terraform input variables and do not change which CAs are trusted.
export SSL_CERT_FILE=/path/to/ca-bundle.pem
# or, for a directory of individual CA files:
export SSL_CERT_DIR=/path/to/ca-dir
```

Ensure you're running the latest stable version of Terraform and the hashicorp/tls provider:
```bash
# Upgrade Terraform
terraform version
# Follow https://www.terraform.io/downloads to upgrade
# Upgrade TLS provider
terraform init -upgrade
```

Newer versions include bug fixes for certificate parsing. For example:
- Terraform 1.10.5+ has improved Go 1.23 compatibility
- Terraform Enterprise v202405-1+ fixes S3-compatible storage certificate issues
For advanced troubleshooting, use openssl to verify the entire certificate chain:

```bash
openssl verify -CAfile ca-bundle.pem -untrusted intermediate.pem leaf.pem
```

If using Terraform Enterprise with S3-compatible storage, ensure the certificate validation happens after the CA bundle is loaded. Upgrading to v202405-1 or later resolves timing issues where certificates were checked before CA configuration.
In containerized environments (Docker, Kubernetes), ensure ca-certificates are properly installed and mounted. Different Linux distributions store CA certificates in different locations (/etc/ssl/certs vs /usr/local/share/ca-certificates), which can affect Terraform's certificate discovery.