Providers version 3 and 4 return different certificates

[jmorganc]

Terraform CLI and Provider Versions

Terraform: v1.2.5
Providers: 3.4.0 and >= 4.0.0

Terraform Configuration

terraform {
  required_providers {
    tls = {
      source = "hashicorp/tls"
      version = "~> 4.0"
      #version = "= 3.4.0"
    }
  }
}

data "tls_certificate" "gitlab" {
  url = "https://gitlab.com"
}

output "gitlab_certificates" {
  value = data.tls_certificate.gitlab.certificates
}

Expected Behavior

data.tls_certificate.gitlab: Reading...
data.tls_certificate.gitlab: Read complete after 0s [id=90b04bf2994b659df7526f0f90eb92d321dad652]

Changes to Outputs:

• gitlab_certificates = [
  • {
    • cert_pem = <<-EOT
      -----BEGIN CERTIFICATE-----
      MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
      MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
      clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
      MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
      BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
      QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
      nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
      16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
      GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
      BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
      KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
      b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
      bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
      BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
      CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
      AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
      +ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
      lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
      goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
      CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
      6DEdfgkfCv4+3ao8XnTSrLE=
      -----END CERTIFICATE-----
      EOT
    • is_ca = true
    • issuer = "CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"
    • not_after = "2024-12-31T23:59:59Z"
    • not_before = "2020-01-27T12:48:08Z"
    • public_key_algorithm = "ECDSA"
    • serial_number = "13580602362388610137601344763287833660"
    • sha1_fingerprint = "b3dd7606d2b5a8b4a13771dbecc9ee1cecafa38a"
    • signature_algorithm = "SHA256-RSA"
    • subject = "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US"
    • version = 3
      },
  • {
    • cert_pem = <<-EOT
      -----BEGIN CERTIFICATE-----
      MIIFgzCCBSigAwIBAgIQBiPZw4be7paOmVGMBVHSLDAKBggqhkjOPQQDAjBKMQsw
      CQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX
      Q2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjIwNzA0MDAwMDAwWhcNMjIxMDAy
      MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
      A1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjET
      MBEGA1UEAxMKZ2l0bGFiLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABACu
      ir0FpY/Td6QwLGHdBMssRJ9jEvqFqYj2y6K9ZQkiKbgzITxLPzUX5it8/ctNGiqn
      +KOhQQefGKkRWYTzs5qjggPOMIIDyjAfBgNVHSMEGDAWgBSlzjfq67B1DpRniLRF
      +tkkEIeWHzAdBgNVHQ4EFgQUp7B0Ubbe4FBSgpW+ucHTDarKhd4wgZQGA1UdEQSB
      jDCBiYITcGFja2FnZXMuZ2l0bGFiLmNvbYIUY3VzdG9tZXJzLmdpdGxhYi5jb22C
      CmdpdGxhYi5jb22CD2NoZWYuZ2l0bGFiLmNvbYIaZW1haWwuY3VzdG9tZXJzLmdp
      dGxhYi5jb22CDmthcy5naXRsYWIuY29tghNyZWdpc3RyeS5naXRsYWIuY29tMA4G
      A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwewYD
      VR0fBHQwcjA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Nsb3VkZmxh
      cmVJbmNFQ0NDQS0zLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29t
      L0Nsb3VkZmxhcmVJbmNFQ0NDQS0zLmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjAp
      MCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwdgYIKwYB
      BQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w
      QAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9DbG91ZGZs
      YXJlSW5jRUNDQ0EtMy5jcnQwDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIE
      ggFtBIIBaQFnAHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAGB
      xronxwAABAMARjBEAiA5IrJ05KRTZhpfPx4F0q+4fPYuXsURNIwl2+IDIXGfPgIg
      GNMXcN5Ls2LPn5I8FJQ5PRzG+N/ipXIKym3BaHLNnP8AdgBByMqx3yJGShDGoToJ
      QodeTjGLGwPr60vHaPCQYpYG9gAAAYHGuigJAAAEAwBHMEUCIE2XyQm+tVEVrmPk
      qOTjT4LZR1cjzflhSWd6Gm9ydHG6AiEArEldk9K6kKLCLr1TsniI5FbyDoG86s83
      +O1XPL+5swkAdgDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAYHG
      uifLAAAEAwBHMEUCIAtAsPWw7ExMrIDeYiFYLuckjrqyTl4aRdVf3EdmgXFiAiEA
      gMfVbiysb2r+G6pqUIm3IKZf1qzUCMgcQE0QDxd02mgwCgYIKoZIzj0EAwIDSQAw
      RgIhAJq7U7Fasv+fIk/j1dlplJxovxE3YQTThZ/WnGmylkt/AiEAmLbVsjNPtKZW
      sSwAYSAKFTsYqEWJLHbP9zi2dCvHtH4=
      -----END CERTIFICATE-----
      EOT
    • is_ca = false
    • issuer = "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US"
    • not_after = "2022-10-02T23:59:59Z"
    • not_before = "2022-07-04T00:00:00Z"
    • public_key_algorithm = "ECDSA"
    • serial_number = "8161515138874396446973791632352203308"
    • sha1_fingerprint = "578ebaf3348af92ca4ffd9b6e2b1f05f45216a15"
    • signature_algorithm = "ECDSA-SHA256"
    • subject = "CN=gitlab.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US"
    • version = 3
      },
      ]

Actual Behavior

data.tls_certificate.gitlab: Reading...
data.tls_certificate.gitlab: Read complete after 1s [id=466462f636242cee492ef7a0d87a0b5bc4cca77a]

Changes to Outputs:

• gitlab_certificates = [
  • {
    • cert_pem = <<-EOT
      -----BEGIN CERTIFICATE-----
      MIIEjzCCA3egAwIBAgIQfCoMIT/GVVNFyR8ZH7hO+jANBgkqhkiG9w0BAQsFADBM
      MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xv
      YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMjA0MjAxMjAwMDBaFw0y
      NTA0MjAwMDAwMDBaMFgxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
      IG52LXNhMS4wLAYDVQQDEyVHbG9iYWxTaWduIEF0bGFzIFIzIERWIFRMUyBDQSAy
      MDIyIFEzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKh6ZjxOZpzO
      N6VUNU02x5nTqCc28i/G1Rg+6QndBdbXLDQyfAhjSdEQN+V4XRFizm37Lz83lNuP
      ezDpXizZVT+y27mgtWA3i6QGMjVQpAmvCkX/qB+bZY7dSuBAoeNjN1iQ3XU7/A4c
      gkCYvXCxwUgUFDwES2nd1JwBpukh44IK/uSqvzSgjMvJeW4+XGpSnsTtK8Vp/lA8
      k521/y0oqGwGbJ3Fr7JZ+1l3DXR6iISk1B3UuiAGzLUeSE50IRWGdcDMWtEFz1cW
      ehMX7MJKrtUecqoiWoycgjLEEOZCbiGGaHyAIzA1072wXgopK/AUsRg32Vklw+c4
      2enULTY1ZQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
      CCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
      BBT6kTljmvutECTlvrW52qvZxEZpqzAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpj
      move4t0bvDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3Nw
      Mi5nbG9iYWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1
      cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0w
      K6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yMy5jcmwwIQYD
      VR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOC
      AQEAFDMseeU/gsZwP9pZOKe7onasYRgFaFfZDfuKRrzxqOgMcAIdxi+X7TY+nlKG
      L1xi2NVHQ5pz0Sslh59EtBTrJrwhR3QgvZ+kv7OAHU01fc25tdpV8pBQyLIXTg60
      YYgpX0RdA39XkYHQ6zCu1SrsgiDOTtKwi5UCYXPYaTT0rWMOXOQgH6l97Y7lHAS7
      Ip/HqSLKmT0Cp2foBi36BGu7SdJsmVdjbC3CYXjhILH79r/hgjk5PHvvfRqVSrJy
      2lWQru3d4nCQfBrutTJaXc/W+kXyngEMMS+JhP4xYA/97qZbhNXHGOak+UAwKRge
      /vxBtbkpBXWLYhpbIi6/5FlssA==
      -----END CERTIFICATE-----
      EOT
    • is_ca = true
    • issuer = "CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign"
    • not_after = "2025-04-20T00:00:00Z"
    • not_before = "2022-04-20T12:00:00Z"
    • public_key_algorithm = "RSA"
    • serial_number = "165042593968569963659526406870247427834"
    • sha1_fingerprint = "2284b06c017cfa97e2846c6e0821233f0d6a9aeb"
    • signature_algorithm = "SHA256-RSA"
    • subject = "CN=GlobalSign Atlas R3 DV TLS CA 2022 Q3,O=GlobalSign nv-sa,C=BE"
    • version = 3
      },
  • {
    • cert_pem = <<-EOT
      -----BEGIN CERTIFICATE-----
      MIIGYjCCBUqgAwIBAgIQATfkha/xTr3pbLHVWlPq4jANBgkqhkiG9w0BAQsFADBY
      MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEuMCwGA1UE
      AxMlR2xvYmFsU2lnbiBBdGxhcyBSMyBEViBUTFMgQ0EgMjAyMiBRMzAeFw0yMjA3
      MjIxOTQyMTFaFw0yMzA4MjMxOTQyMTBaMBsxGTAXBgNVBAMMEGFib3V0LmdpdGxh
      Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFFFQs8EITaWo5
      0U18/mPTDLencU/7siJT/4P8oeDkemyx98wzK6vuNj/2JEZ3v1psKun5n8Pb/fHa
      somKd/4icHgC4rnxrO6zayfb+cKzVghQe12Nj75lx6RtppqTgAmSOa3Tai5niICT
      I8s3d2wsHtfEgqAavcD0/zdPIk25Ji7yfquldSthnlhQqI4Pm3OxTiyFj/V5ZhFl
      IWZLvQaENjBSDVZQDcaPdWwodfXNA8fJmqk7cTLQ9P9NgjWvva7acl+Yd6hOFzV0
      EllBl/WF1KB+YzGuHI0CQHT7sv3GW1lXeE2EqrWoSdLTOSAqm6y02DyE79d1xvG6
      XXfX5ILlAgMBAAGjggNjMIIDXzAbBgNVHREEFDASghBhYm91dC5naXRsYWIuY29t
      MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
      HQYDVR0OBBYEFHK7MnjGDptQWjfmJ2fr3IrjxEopMFcGA1UdIARQME4wCAYGZ4EM
      AQIBMEIGCisGAQQBoDIKAQMwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
      YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDAYDVR0TAQH/BAIwADCBngYIKwYBBQUH
      AQEEgZEwgY4wQAYIKwYBBQUHMAGGNGh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29t
      L2NhL2dzYXRsYXNyM2R2dGxzY2EyMDIycTMwSgYIKwYBBQUHMAKGPmh0dHA6Ly9z
      ZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzYXRsYXNyM2R2dGxzY2EyMDIy
      cTMuY3J0MB8GA1UdIwQYMBaAFPqROWOa+60QJOW+tbnaq9nERmmrMEgGA1UdHwRB
      MD8wPaA7oDmGN2h0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vY2EvZ3NhdGxhc3Iz
      ZHZ0bHNjYTIwMjJxMy5jcmwwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB1AG9T
      dqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABgiduiHEAAAQDAEYwRAIg
      SYQrru/KAKfe+hUqpJmk7Fc8drkgtY3IcAurTOwbM68CIBYO9sbDspd5p7v17RQi
      QQkjdRwSjHiIgvlX0Y1JqmXjAHYArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWG
      NOvcgooAAAGCJ26IcQAABAMARzBFAiBc5a10annqMEH69bdEFy/Vo1gb3S3GQ993
      BCRV7ZXG4gIhAMqnsoKkU6ITwRXwE9KGjHnijJ8QrBrnK0i+JFaGe1ffAHYAs3N3
      B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAGCJ26I6QAABAMARzBFAiAf
      lW8Agd0DB68YA8XAbnlq7QNHw3uRMzNdS8gtRUe75gIhANTe+mt2p1ryW83P31OW
      jH3cEGJxdUNT/oDM3Fzesx94MA0GCSqGSIb3DQEBCwUAA4IBAQAfivKEmjqqOFFh
      VsX2XYkoDtreghpqMwHMCLwNk852Alr/Seyv9Ilng8cunU4NmhvEtsYVXkfE4XvB
      0QIVxkg1w7A+p7ejMjh6doLJ0aWNWIVW/DwOeP0qstF9lqvLdLDABoVn0BtYCDTH
      gjG80e2xpvPiKHGvBL+hlOIJwUuIAT3jN23sS1GoiYQGKsz0lovB09/6MGG0Qj8C
      3i9a59T9XBpwSKdpKd4u/CB6koBXD3atbBNBACuAMcFckTEtmkCFtSpqBuocJGKf
      LB4MFVaEwrd7Lc1ACC1et5FDtEI4I3/CerkRZTV+mRz5n6tB91AK3dRvjElfhiuh
      XXYRULvB
      -----END CERTIFICATE-----
      EOT
    • is_ca = false
    • issuer = "CN=GlobalSign Atlas R3 DV TLS CA 2022 Q3,O=GlobalSign nv-sa,C=BE"
    • not_after = "2023-08-23T19:42:10Z"
    • not_before = "2022-07-22T19:42:11Z"
    • public_key_algorithm = "RSA"
    • serial_number = "1619439304191178059589364932622412514"
    • sha1_fingerprint = "bed5a2982f39d671d948bfdc0c235abc317588ac"
    • signature_algorithm = "SHA256-RSA"
    • subject = "CN=about.gitlab.com"
    • version = 3
      },
      ]

Steps to Reproduce

1. Set hashicorp/tls provider version to ~> 3.0
2. terraform plan
3. Observe the certificates
4. Set hashicorp/tls provider version to ~> 4.0
5. terraform plan
6. Observe the certificates

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[bflad]

Drive-by note: https://gitlab.com is a redirected URL. gitlab.com is hosted with the CloudFlare TLS certificate that redirects to https://about.gitlab.com which is hosted with the GlobalSign TLS certificate. TLS provider version 3.x used a direct TLS connection, which would not redirect, while TLS provider version 4.x uses a HTTP client, which would currently follow the HTTP redirect via the Location header.

Some discussion on the topic of using direct TLS connection versus using the HTTP client was done in these threads:

• Support for Proxy on the Provider level #179 (comment)
• Support for Proxy on the Provider level #179 (comment)

If direct TLS connections are not desirable (or not possible in the case of HTTP proxying), another solution may be to setup the HTTP client to disable HTTP redirects.

[jmorganc]

@bflad Thanks a lot for the hint! If I change my tls_certiticate url to be tls://gitlab.com:443, the same certificates are then returned regardless of the provider version, which is what I expected the behavior to be.

[detro]

Hello @jmorganc - sorry this caused issues for you.

Luckly, as the change in configuration (https:// -> tls://) solved the issue, and because of the information reported by @bflad above, I feel we can close this ticket.

I'll also add a link to the ticket describing the breaking change #183, so to create references across issues.

Thank you.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.