Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Providers version 3 and 4 return different certificates #249

Closed
1 task done
jmorganc opened this issue Jul 25, 2022 · 4 comments
Closed
1 task done

Providers version 3 and 4 return different certificates #249

jmorganc opened this issue Jul 25, 2022 · 4 comments
Labels
bug

Comments

@jmorganc
Copy link

Terraform CLI and Provider Versions

Terraform: v1.2.5
Providers: 3.4.0 and >= 4.0.0

Terraform Configuration

terraform {
  required_providers {
    tls = {
      source = "hashicorp/tls"
      version = "~> 4.0"
      #version = "= 3.4.0"
    }
  }
}

data "tls_certificate" "gitlab" {
  url = "https://gitlab.com"
}

output "gitlab_certificates" {
  value = data.tls_certificate.gitlab.certificates
}

Expected Behavior

data.tls_certificate.gitlab: Reading...
data.tls_certificate.gitlab: Read complete after 0s [id=90b04bf2994b659df7526f0f90eb92d321dad652]

Changes to Outputs:

  • gitlab_certificates = [
    • {
      • cert_pem = <<-EOT
        -----BEGIN CERTIFICATE-----
        MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
        MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
        clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
        MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
        BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
        QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
        nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
        16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
        GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
        BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
        KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
        b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
        bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
        BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
        CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
        AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
        +ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
        lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
        goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
        CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
        6DEdfgkfCv4+3ao8XnTSrLE=
        -----END CERTIFICATE-----
        EOT
      • is_ca = true
      • issuer = "CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"
      • not_after = "2024-12-31T23:59:59Z"
      • not_before = "2020-01-27T12:48:08Z"
      • public_key_algorithm = "ECDSA"
      • serial_number = "13580602362388610137601344763287833660"
      • sha1_fingerprint = "b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a"
      • signature_algorithm = "SHA256-RSA"
      • subject = "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US"
      • version = 3
        },
    • {
      • cert_pem = <<-EOT
        -----BEGIN CERTIFICATE-----
        MIIFgzCCBSigAwIBAgIQBiPZw4be7paOmVGMBVHSLDAKBggqhkjOPQQDAjBKMQsw
        CQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX
        Q2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjIwNzA0MDAwMDAwWhcNMjIxMDAy
        MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
        A1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjET
        MBEGA1UEAxMKZ2l0bGFiLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABACu
        ir0FpY/Td6QwLGHdBMssRJ9jEvqFqYj2y6K9ZQkiKbgzITxLPzUX5it8/ctNGiqn
        +KOhQQefGKkRWYTzs5qjggPOMIIDyjAfBgNVHSMEGDAWgBSlzjfq67B1DpRniLRF
        +tkkEIeWHzAdBgNVHQ4EFgQUp7B0Ubbe4FBSgpW+ucHTDarKhd4wgZQGA1UdEQSB
        jDCBiYITcGFja2FnZXMuZ2l0bGFiLmNvbYIUY3VzdG9tZXJzLmdpdGxhYi5jb22C
        CmdpdGxhYi5jb22CD2NoZWYuZ2l0bGFiLmNvbYIaZW1haWwuY3VzdG9tZXJzLmdp
        dGxhYi5jb22CDmthcy5naXRsYWIuY29tghNyZWdpc3RyeS5naXRsYWIuY29tMA4G
        A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwewYD
        VR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Nsb3VkZmxh
        cmVJbmNFQ0NDQS0zLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29t
        L0Nsb3VkZmxhcmVJbmNFQ0NDQS0zLmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjAp
        MCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwdgYIKwYB
        BQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w
        QAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9DbG91ZGZs
        YXJlSW5jRUNDQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIE
        ggFtBIIBaQFnAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAGB
        xronxwAABAMARjBEAiA5IrJ05KRTZhpfPx4F0q+4fPYuXsURNIwl2+IDIXGfPgIg
        GNMXcN5Ls2LPn5I8FJQ5PRzG+N/ipXIKym3BaHLNnP8AdgBByMqx3yJGShDGoToJ
        QodeTjGLGwPr60vHaPCQYpYG9gAAAYHGuigJAAAEAwBHMEUCIE2XyQm+tVEVrmPk
        qOTjT4LZR1cjzflhSWd6Gm9ydHG6AiEArEldk9K6kKLCLr1TsniI5FbyDoG86s83
        +O1XPL+5swkAdgDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAYHG
        uifLAAAEAwBHMEUCIAtAsPWw7ExMrIDeYiFYLuckjrqyTl4aRdVf3EdmgXFiAiEA
        gMfVbiysb2r+G6pqUIm3IKZf1qzUCMgcQE0QDxd02mgwCgYIKoZIzj0EAwIDSQAw
        RgIhAJq7U7Fasv+fIk/j1dlplJxovxE3YQTThZ/WnGmylkt/AiEAmLbVsjNPtKZW
        sSwAYSAKFTsYqEWJLHbP9zi2dCvHtH4=
        -----END CERTIFICATE-----
        EOT
      • is_ca = false
      • issuer = "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US"
      • not_after = "2022-10-02T23:59:59Z"
      • not_before = "2022-07-04T00:00:00Z"
      • public_key_algorithm = "ECDSA"
      • serial_number = "8161515138874396446973791632352203308"
      • sha1_fingerprint = "578ebaf3348af92ca4ffd9b6e2b1f05f45216a15"
      • signature_algorithm = "ECDSA-SHA256"
      • subject = "CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US"
      • version = 3
        },
        ]

Actual Behavior

data.tls_certificate.gitlab: Reading...
data.tls_certificate.gitlab: Read complete after 1s [id=466462f636242cee492ef7a0d87a0b5bc4cca77a]

Changes to Outputs:

  • gitlab_certificates = [
    • {
      • cert_pem = <<-EOT
        -----BEGIN CERTIFICATE-----
        MIIEjzCCA3egAwIBAgIQfCoMIT/GVVNFyR8ZH7hO+jANBgkqhkiG9w0BAQsFADBM
        MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xv
        YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMjA0MjAxMjAwMDBaFw0y
        NTA0MjAwMDAwMDBaMFgxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
        IG52LXNhMS4wLAYDVQQDEyVHbG9iYWxTaWduIEF0bGFzIFIzIERWIFRMUyBDQSAy
        MDIyIFEzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKh6ZjxOZpzO
        N6VUNU02x5nTqCc28i/G1Rg+6QndBdbXLDQyfAhjSdEQN+V4XRFizm37Lz83lNuP
        ezDpXizZVT+y27mgtWA3i6QGMjVQpAmvCkX/qB+bZY7dSuBAoeNjN1iQ3XU7/A4c
        gkCYvXCxwUgUFDwES2nd1JwBpukh44IK/uSqvzSgjMvJeW4+XGpSnsTtK8Vp/lA8
        k521/y0oqGwGbJ3Fr7JZ+1l3DXR6iISk1B3UuiAGzLUeSE50IRWGdcDMWtEFz1cW
        ehMX7MJKrtUecqoiWoycgjLEEOZCbiGGaHyAIzA1072wXgopK/AUsRg32Vklw+c4
        2enULTY1ZQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
        CCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
        BBT6kTljmvutECTlvrW52qvZxEZpqzAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpj
        move4t0bvDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3Nw
        Mi5nbG9iYWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1
        cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0w
        K6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yMy5jcmwwIQYD
        VR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOC
        AQEAFDMseeU/gsZwP9pZOKe7onasYRgFaFfZDfuKRrzxqOgMcAIdxi+X7TY+nlKG
        L1xi2NVHQ5pz0Sslh59EtBTrJrwhR3QgvZ+kv7OAHU01fc25tdpV8pBQyLIXTg60
        YYgpX0RdA39XkYHQ6zCu1SrsgiDOTtKwi5UCYXPYaTT0rWMOXOQgH6l97Y7lHAS7
        Ip/HqSLKmT0Cp2foBi36BGu7SdJsmVdjbC3CYXjhILH79r/hgjk5PHvvfRqVSrJy
        2lWQru3d4nCQfBrutTJaXc/W+kXyngEMMS+JhP4xYA/97qZbhNXHGOak+UAwKRge
        /vxBtbkpBXWLYhpbIi6/5FlssA==
        -----END CERTIFICATE-----
        EOT
      • is_ca = true
      • issuer = "CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign"
      • not_after = "2025-04-20T00:00:00Z"
      • not_before = "2022-04-20T12:00:00Z"
      • public_key_algorithm = "RSA"
      • serial_number = "165042593968569963659526406870247427834"
      • sha1_fingerprint = "2284b06c017cfa97e2846c6e0821233f0d6a9aeb"
      • signature_algorithm = "SHA256-RSA"
      • subject = "CN=GlobalSign Atlas R3 DV TLS CA 2022 Q3,O=GlobalSign nv-sa,C=BE"
      • version = 3
        },
    • {
      • cert_pem = <<-EOT
        -----BEGIN CERTIFICATE-----
        MIIGYjCCBUqgAwIBAgIQATfkha/xTr3pbLHVWlPq4jANBgkqhkiG9w0BAQsFADBY
        MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEuMCwGA1UE
        AxMlR2xvYmFsU2lnbiBBdGxhcyBSMyBEViBUTFMgQ0EgMjAyMiBRMzAeFw0yMjA3
        MjIxOTQyMTFaFw0yMzA4MjMxOTQyMTBaMBsxGTAXBgNVBAMMEGFib3V0LmdpdGxh
        Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFFFQs8EITaWo5
        0U18/mPTDLencU/7siJT/4P8oeDkemyx98wzK6vuNj/2JEZ3v1psKun5n8Pb/fHa
        somKd/4icHgC4rnxrO6zayfb+cKzVghQe12Nj75lx6RtppqTgAmSOa3Tai5niICT
        I8s3d2wsHtfEgqAavcD0/zdPIk25Ji7yfquldSthnlhQqI4Pm3OxTiyFj/V5ZhFl
        IWZLvQaENjBSDVZQDcaPdWwodfXNA8fJmqk7cTLQ9P9NgjWvva7acl+Yd6hOFzV0
        EllBl/WF1KB+YzGuHI0CQHT7sv3GW1lXeE2EqrWoSdLTOSAqm6y02DyE79d1xvG6
        XXfX5ILlAgMBAAGjggNjMIIDXzAbBgNVHREEFDASghBhYm91dC5naXRsYWIuY29t
        MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
        HQYDVR0OBBYEFHK7MnjGDptQWjfmJ2fr3IrjxEopMFcGA1UdIARQME4wCAYGZ4EM
        AQIBMEIGCisGAQQBoDIKAQMwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
        YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDAYDVR0TAQH/BAIwADCBngYIKwYBBQUH
        AQEEgZEwgY4wQAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29t
        L2NhL2dzYXRsYXNyM2R2dGxzY2EyMDIycTMwSgYIKwYBBQUHMAKGPmh0dHA6Ly9z
        ZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzYXRsYXNyM2R2dGxzY2EyMDIy
        cTMuY3J0MB8GA1UdIwQYMBaAFPqROWOa+60QJOW+tbnaq9nERmmrMEgGA1UdHwRB
        MD8wPaA7oDmGN2h0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vY2EvZ3NhdGxhc3Iz
        ZHZ0bHNjYTIwMjJxMy5jcmwwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB1AG9T
        dqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABgiduiHEAAAQDAEYwRAIg
        SYQrru/KAKfe+hUqpJmk7Fc8drkgtY3IcAurTOwbM68CIBYO9sbDspd5p7v17RQi
        QQkjdRwSjHiIgvlX0Y1JqmXjAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWG
        NOvcgooAAAGCJ26IcQAABAMARzBFAiBc5a10annqMEH69bdEFy/Vo1gb3S3GQ993
        BCRV7ZXG4gIhAMqnsoKkU6ITwRXwE9KGjHnijJ8QrBrnK0i+JFaGe1ffAHYAs3N3
        B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAGCJ26I6QAABAMARzBFAiAf
        lW8Agd0DB68YA8XAbnlq7QNHw3uRMzNdS8gtRUe75gIhANTe+mt2p1ryW83P31OW
        jH3cEGJxdUNT/oDM3Fzesx94MA0GCSqGSIb3DQEBCwUAA4IBAQAfivKEmjqqOFFh
        VsX2XYkoDtreghpqMwHMCLwNk852Alr/Seyv9Ilng8cunU4NmhvEtsYVXkfE4XvB
        0QIVxkg1w7A+p7ejMjh6doLJ0aWNWIVW/DwOeP0qstF9lqvLdLDABoVn0BtYCDTH
        gjG80e2xpvPiKHGvBL+hlOIJwUuIAT3jN23sS1GoiYQGKsz0lovB09/6MGG0Qj8C
        3i9a59T9XBpwSKdpKd4u/CB6koBXD3atbBNBACuAMcFckTEtmkCFtSpqBuocJGKf
        LB4MFVaEwrd7Lc1ACC1et5FDtEI4I3/CerkRZTV+mRz5n6tB91AK3dRvjElfhiuh
        XXYRULvB
        -----END CERTIFICATE-----
        EOT
      • is_ca = false
      • issuer = "CN=GlobalSign Atlas R3 DV TLS CA 2022 Q3,O=GlobalSign nv-sa,C=BE"
      • not_after = "2023-08-23T19:42:10Z"
      • not_before = "2022-07-22T19:42:11Z"
      • public_key_algorithm = "RSA"
      • serial_number = "1619439304191178059589364932622412514"
      • sha1_fingerprint = "bed5a2982f39d671d948bfdc0c235abc317588ac"
      • signature_algorithm = "SHA256-RSA"
      • subject = "CN=about.gitlab.com"
      • version = 3
        },
        ]

Steps to Reproduce

  1. Set hashicorp/tls provider version to ~> 3.0
  2. terraform plan
  3. Observe the certificates
  4. Set hashicorp/tls provider version to ~> 4.0
  5. terraform plan
  6. Observe the certificates

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@jmorganc jmorganc added the bug label Jul 25, 2022
@bflad
Copy link
Contributor

bflad commented Jul 25, 2022
edited
Loading

Drive-by note: https://gitlab.com is a redirected URL. gitlab.com is hosted with the CloudFlare TLS certificate that redirects to https://about.gitlab.com which is hosted with the GlobalSign TLS certificate. TLS provider version 3.x used a direct TLS connection, which would not redirect, while TLS provider version 4.x uses a HTTP client, which would currently follow the HTTP redirect via the Location header.

Some discussion on the topic of using direct TLS connection versus using the HTTP client was done in these threads:

If direct TLS connections are not desirable (or not possible in the case of HTTP proxying), another solution may be to setup the HTTP client to disable HTTP redirects.

@jmorganc
Copy link
Author

@bflad Thanks a lot for the hint! If I change my tls_certiticate url to be tls://gitlab.com:443, the same certificates are then returned regardless of the provider version, which is what I expected the behavior to be.

@detro
Copy link
Contributor

detro commented Jul 26, 2022

Hello @jmorganc - sorry this caused issues for you.

Luckly, as the change in configuration (https:// -> tls://) solved the issue, and because of the information reported by @bflad above, I feel we can close this ticket.

I'll also add a link to the ticket describing the breaking change #183, so to create references across issues.

Thank you.

@detro detro closed this as completed Jul 26, 2022
@bflad bflad mentioned this issue Jul 26, 2022
Open
1 task
@abacchi abacchi mentioned this issue Jan 20, 2023
Open
1 task
@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@detro @bflad @jmorganc