Providers version 3 and 4 return different certificates #249

jmorganc · 2022-07-25T20:18:44Z

Terraform CLI and Provider Versions

Terraform: v1.2.5
Providers: 3.4.0 and >= 4.0.0

Terraform Configuration

terraform {
  required_providers {
    tls = {
      source = "hashicorp/tls"
      version = "~> 4.0"
      #version = "= 3.4.0"
    }
  }
}

data "tls_certificate" "gitlab" {
  url = "https://gitlab.com"
}

output "gitlab_certificates" {
  value = data.tls_certificate.gitlab.certificates
}

Expected Behavior

data.tls_certificate.gitlab: Reading...
data.tls_certificate.gitlab: Read complete after 0s [id=90b04bf2994b659df7526f0f90eb92d321dad652]

Changes to Outputs:

gitlab_certificates = [
- {
  - cert_pem = <<-EOT
    -----BEGIN CERTIFICATE-----
    MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
    MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
    clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
    MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
    BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
    QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
    nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
    16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
    GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
    BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
    KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
    b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
    bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
    BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
    CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
    AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
    +ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
    lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
    goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
    CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
    6DEdfgkfCv4+3ao8XnTSrLE=
    -----END CERTIFICATE-----
    EOT
  - is_ca = true
  - issuer = "CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"
  - not_after = "2024-12-31T23:59:59Z"
  - not_before = "2020-01-27T12:48:08Z"
  - public_key_algorithm = "ECDSA"
  - serial_number = "13580602362388610137601344763287833660"
  - sha1_fingerprint = "b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a"
  - signature_algorithm = "SHA256-RSA"
  - subject = "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US"
  - version = 3
    },
- {
  - cert_pem = <<-EOT
    -----BEGIN CERTIFICATE-----
    MIIFgzCCBSigAwIBAgIQBiPZw4be7paOmVGMBVHSLDAKBggqhkjOPQQDAjBKMQsw
    CQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX
    Q2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjIwNzA0MDAwMDAwWhcNMjIxMDAy
    MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
    A1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjET
    MBEGA1UEAxMKZ2l0bGFiLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABACu
    ir0FpY/Td6QwLGHdBMssRJ9jEvqFqYj2y6K9ZQkiKbgzITxLPzUX5it8/ctNGiqn
    +KOhQQefGKkRWYTzs5qjggPOMIIDyjAfBgNVHSMEGDAWgBSlzjfq67B1DpRniLRF
    +tkkEIeWHzAdBgNVHQ4EFgQUp7B0Ubbe4FBSgpW+ucHTDarKhd4wgZQGA1UdEQSB
    jDCBiYITcGFja2FnZXMuZ2l0bGFiLmNvbYIUY3VzdG9tZXJzLmdpdGxhYi5jb22C
    CmdpdGxhYi5jb22CD2NoZWYuZ2l0bGFiLmNvbYIaZW1haWwuY3VzdG9tZXJzLmdp
    dGxhYi5jb22CDmthcy5naXRsYWIuY29tghNyZWdpc3RyeS5naXRsYWIuY29tMA4G
    A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwewYD
    VR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Nsb3VkZmxh
    cmVJbmNFQ0NDQS0zLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29t
    L0Nsb3VkZmxhcmVJbmNFQ0NDQS0zLmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjAp
    MCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwdgYIKwYB
    BQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w
    QAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9DbG91ZGZs
    YXJlSW5jRUNDQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIE
    ggFtBIIBaQFnAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAGB
    xronxwAABAMARjBEAiA5IrJ05KRTZhpfPx4F0q+4fPYuXsURNIwl2+IDIXGfPgIg
    GNMXcN5Ls2LPn5I8FJQ5PRzG+N/ipXIKym3BaHLNnP8AdgBByMqx3yJGShDGoToJ
    QodeTjGLGwPr60vHaPCQYpYG9gAAAYHGuigJAAAEAwBHMEUCIE2XyQm+tVEVrmPk
    qOTjT4LZR1cjzflhSWd6Gm9ydHG6AiEArEldk9K6kKLCLr1TsniI5FbyDoG86s83
    +O1XPL+5swkAdgDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAYHG
    uifLAAAEAwBHMEUCIAtAsPWw7ExMrIDeYiFYLuckjrqyTl4aRdVf3EdmgXFiAiEA
    gMfVbiysb2r+G6pqUIm3IKZf1qzUCMgcQE0QDxd02mgwCgYIKoZIzj0EAwIDSQAw
    RgIhAJq7U7Fasv+fIk/j1dlplJxovxE3YQTThZ/WnGmylkt/AiEAmLbVsjNPtKZW
    sSwAYSAKFTsYqEWJLHbP9zi2dCvHtH4=
    -----END CERTIFICATE-----
    EOT
  - is_ca = false
  - issuer = "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US"
  - not_after = "2022-10-02T23:59:59Z"
  - not_before = "2022-07-04T00:00:00Z"
  - public_key_algorithm = "ECDSA"
  - serial_number = "8161515138874396446973791632352203308"
  - sha1_fingerprint = "578ebaf3348af92ca4ffd9b6e2b1f05f45216a15"
  - signature_algorithm = "ECDSA-SHA256"
  - subject = "CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US"
  - version = 3
    },
    ]

Actual Behavior

data.tls_certificate.gitlab: Reading...
data.tls_certificate.gitlab: Read complete after 1s [id=466462f636242cee492ef7a0d87a0b5bc4cca77a]

Changes to Outputs:

gitlab_certificates = [
- {
  - cert_pem = <<-EOT
    -----BEGIN CERTIFICATE-----
    MIIEjzCCA3egAwIBAgIQfCoMIT/GVVNFyR8ZH7hO+jANBgkqhkiG9w0BAQsFADBM
    MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xv
    YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMjA0MjAxMjAwMDBaFw0y
    NTA0MjAwMDAwMDBaMFgxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
    IG52LXNhMS4wLAYDVQQDEyVHbG9iYWxTaWduIEF0bGFzIFIzIERWIFRMUyBDQSAy
    MDIyIFEzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKh6ZjxOZpzO
    N6VUNU02x5nTqCc28i/G1Rg+6QndBdbXLDQyfAhjSdEQN+V4XRFizm37Lz83lNuP
    ezDpXizZVT+y27mgtWA3i6QGMjVQpAmvCkX/qB+bZY7dSuBAoeNjN1iQ3XU7/A4c
    gkCYvXCxwUgUFDwES2nd1JwBpukh44IK/uSqvzSgjMvJeW4+XGpSnsTtK8Vp/lA8
    k521/y0oqGwGbJ3Fr7JZ+1l3DXR6iISk1B3UuiAGzLUeSE50IRWGdcDMWtEFz1cW
    ehMX7MJKrtUecqoiWoycgjLEEOZCbiGGaHyAIzA1072wXgopK/AUsRg32Vklw+c4
    2enULTY1ZQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
    CCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
    BBT6kTljmvutECTlvrW52qvZxEZpqzAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpj
    move4t0bvDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3Nw
    Mi5nbG9iYWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1
    cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0w
    K6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yMy5jcmwwIQYD
    VR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOC
    AQEAFDMseeU/gsZwP9pZOKe7onasYRgFaFfZDfuKRrzxqOgMcAIdxi+X7TY+nlKG
    L1xi2NVHQ5pz0Sslh59EtBTrJrwhR3QgvZ+kv7OAHU01fc25tdpV8pBQyLIXTg60
    YYgpX0RdA39XkYHQ6zCu1SrsgiDOTtKwi5UCYXPYaTT0rWMOXOQgH6l97Y7lHAS7
    Ip/HqSLKmT0Cp2foBi36BGu7SdJsmVdjbC3CYXjhILH79r/hgjk5PHvvfRqVSrJy
    2lWQru3d4nCQfBrutTJaXc/W+kXyngEMMS+JhP4xYA/97qZbhNXHGOak+UAwKRge
    /vxBtbkpBXWLYhpbIi6/5FlssA==
    -----END CERTIFICATE-----
    EOT
  - is_ca = true
  - issuer = "CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign"
  - not_after = "2025-04-20T00:00:00Z"
  - not_before = "2022-04-20T12:00:00Z"
  - public_key_algorithm = "RSA"
  - serial_number = "165042593968569963659526406870247427834"
  - sha1_fingerprint = "2284b06c017cfa97e2846c6e0821233f0d6a9aeb"
  - signature_algorithm = "SHA256-RSA"
  - subject = "CN=GlobalSign Atlas R3 DV TLS CA 2022 Q3,O=GlobalSign nv-sa,C=BE"
  - version = 3
    },
- {
  - cert_pem = <<-EOT
    -----BEGIN CERTIFICATE-----
    MIIGYjCCBUqgAwIBAgIQATfkha/xTr3pbLHVWlPq4jANBgkqhkiG9w0BAQsFADBY
    MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEuMCwGA1UE
    AxMlR2xvYmFsU2lnbiBBdGxhcyBSMyBEViBUTFMgQ0EgMjAyMiBRMzAeFw0yMjA3
    MjIxOTQyMTFaFw0yMzA4MjMxOTQyMTBaMBsxGTAXBgNVBAMMEGFib3V0LmdpdGxh
    Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFFFQs8EITaWo5
    0U18/mPTDLencU/7siJT/4P8oeDkemyx98wzK6vuNj/2JEZ3v1psKun5n8Pb/fHa
    somKd/4icHgC4rnxrO6zayfb+cKzVghQe12Nj75lx6RtppqTgAmSOa3Tai5niICT
    I8s3d2wsHtfEgqAavcD0/zdPIk25Ji7yfquldSthnlhQqI4Pm3OxTiyFj/V5ZhFl
    IWZLvQaENjBSDVZQDcaPdWwodfXNA8fJmqk7cTLQ9P9NgjWvva7acl+Yd6hOFzV0
    EllBl/WF1KB+YzGuHI0CQHT7sv3GW1lXeE2EqrWoSdLTOSAqm6y02DyE79d1xvG6
    XXfX5ILlAgMBAAGjggNjMIIDXzAbBgNVHREEFDASghBhYm91dC5naXRsYWIuY29t
    MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
    HQYDVR0OBBYEFHK7MnjGDptQWjfmJ2fr3IrjxEopMFcGA1UdIARQME4wCAYGZ4EM
    AQIBMEIGCisGAQQBoDIKAQMwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
    YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDAYDVR0TAQH/BAIwADCBngYIKwYBBQUH
    AQEEgZEwgY4wQAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29t
    L2NhL2dzYXRsYXNyM2R2dGxzY2EyMDIycTMwSgYIKwYBBQUHMAKGPmh0dHA6Ly9z
    ZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzYXRsYXNyM2R2dGxzY2EyMDIy
    cTMuY3J0MB8GA1UdIwQYMBaAFPqROWOa+60QJOW+tbnaq9nERmmrMEgGA1UdHwRB
    MD8wPaA7oDmGN2h0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vY2EvZ3NhdGxhc3Iz
    ZHZ0bHNjYTIwMjJxMy5jcmwwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB1AG9T
    dqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABgiduiHEAAAQDAEYwRAIg
    SYQrru/KAKfe+hUqpJmk7Fc8drkgtY3IcAurTOwbM68CIBYO9sbDspd5p7v17RQi
    QQkjdRwSjHiIgvlX0Y1JqmXjAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWG
    NOvcgooAAAGCJ26IcQAABAMARzBFAiBc5a10annqMEH69bdEFy/Vo1gb3S3GQ993
    BCRV7ZXG4gIhAMqnsoKkU6ITwRXwE9KGjHnijJ8QrBrnK0i+JFaGe1ffAHYAs3N3
    B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAGCJ26I6QAABAMARzBFAiAf
    lW8Agd0DB68YA8XAbnlq7QNHw3uRMzNdS8gtRUe75gIhANTe+mt2p1ryW83P31OW
    jH3cEGJxdUNT/oDM3Fzesx94MA0GCSqGSIb3DQEBCwUAA4IBAQAfivKEmjqqOFFh
    VsX2XYkoDtreghpqMwHMCLwNk852Alr/Seyv9Ilng8cunU4NmhvEtsYVXkfE4XvB
    0QIVxkg1w7A+p7ejMjh6doLJ0aWNWIVW/DwOeP0qstF9lqvLdLDABoVn0BtYCDTH
    gjG80e2xpvPiKHGvBL+hlOIJwUuIAT3jN23sS1GoiYQGKsz0lovB09/6MGG0Qj8C
    3i9a59T9XBpwSKdpKd4u/CB6koBXD3atbBNBACuAMcFckTEtmkCFtSpqBuocJGKf
    LB4MFVaEwrd7Lc1ACC1et5FDtEI4I3/CerkRZTV+mRz5n6tB91AK3dRvjElfhiuh
    XXYRULvB
    -----END CERTIFICATE-----
    EOT
  - is_ca = false
  - issuer = "CN=GlobalSign Atlas R3 DV TLS CA 2022 Q3,O=GlobalSign nv-sa,C=BE"
  - not_after = "2023-08-23T19:42:10Z"
  - not_before = "2022-07-22T19:42:11Z"
  - public_key_algorithm = "RSA"
  - serial_number = "1619439304191178059589364932622412514"
  - sha1_fingerprint = "bed5a2982f39d671d948bfdc0c235abc317588ac"
  - signature_algorithm = "SHA256-RSA"
  - subject = "CN=about.gitlab.com"
  - version = 3
    },
    ]

Steps to Reproduce

Set hashicorp/tls provider version to ~> 3.0
terraform plan
Observe the certificates
Set hashicorp/tls provider version to ~> 4.0
terraform plan
Observe the certificates

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

I agree to follow this project's Code of Conduct

The text was updated successfully, but these errors were encountered:

bflad · 2022-07-25T21:03:54Z

Drive-by note: https://gitlab.com is a redirected URL. gitlab.com is hosted with the CloudFlare TLS certificate that redirects to https://about.gitlab.com which is hosted with the GlobalSign TLS certificate. TLS provider version 3.x used a direct TLS connection, which would not redirect, while TLS provider version 4.x uses a HTTP client, which would currently follow the HTTP redirect via the Location header.

Some discussion on the topic of using direct TLS connection versus using the HTTP client was done in these threads:

If direct TLS connections are not desirable (or not possible in the case of HTTP proxying), another solution may be to setup the HTTP client to disable HTTP redirects.

jmorganc · 2022-07-26T05:20:46Z

@bflad Thanks a lot for the hint! If I change my tls_certiticate url to be tls://gitlab.com:443, the same certificates are then returned regardless of the provider version, which is what I expected the behavior to be.

detro · 2022-07-26T17:18:53Z

Hello @jmorganc - sorry this caused issues for you.

Luckly, as the change in configuration (https:// -> tls://) solved the issue, and because of the information reported by @bflad above, I feel we can close this ticket.

I'll also add a link to the ticket describing the breaking change #183, so to create references across issues.

Thank you.

github-actions · 2024-05-23T08:52:56Z

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

jmorganc added the bug label Jul 25, 2022

detro closed this as completed Jul 26, 2022

bflad mentioned this issue Jul 26, 2022

data-source/tls_certificate: Consider Disabling HTTP Redirects (Or Provide Configuration Choice) #250

Open

1 task

abacchi mentioned this issue Jan 20, 2023

Gitlab fingerprint on TLSv4.0.2 different with TLSv3.4.0 #288

Open

1 task

github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Providers version 3 and 4 return different certificates #249

Providers version 3 and 4 return different certificates #249

jmorganc commented Jul 25, 2022

bflad commented Jul 25, 2022 •

edited

Loading

jmorganc commented Jul 26, 2022

detro commented Jul 26, 2022

github-actions bot commented May 23, 2024

Providers version 3 and 4 return different certificates #249

Providers version 3 and 4 return different certificates #249

Comments

jmorganc commented Jul 25, 2022

Terraform CLI and Provider Versions

Terraform Configuration

Expected Behavior

Actual Behavior

Steps to Reproduce

How much impact is this issue causing?

Logs

Additional Information

Code of Conduct

bflad commented Jul 25, 2022 • edited Loading

jmorganc commented Jul 26, 2022

detro commented Jul 26, 2022

github-actions bot commented May 23, 2024

bflad commented Jul 25, 2022 •

edited

Loading