HTTPS, SSL, TLS
When using a self-signed certificate for Atlantis (with flags --ssl-cert-file
and --ssl-key-file
), there are a few considerations.
Atlantis uses the web server from the standard Go library, the method name is ListenAndServeTLS.
ListenAndServeTLS
acts identically to ListenAndServe, except that it expects HTTPS connections. Additionally, files containing a certificate and matching private key for the server must be provided. If the certificate is signed by a certificate authority, the file passed to --ssl-cert-file
should be the concatenation of the server's certificate, any intermediates, and the CA's certificate.
If you have this error when specifying a TLS cert with a key:
[ERROR] server.go:413 server: Tls: private key does not match public key
Check that the locally signed certificate authority is prepended to the self signed certificate. A good example is shown at Seth Vargo terraform implementation of atlantis-on-gke
For Go specific TLS resources have a look at the repository by denji called golang-tls.
For a complete explanation on PKI, read this article.