@vincent-turato

Summary

Add support for configuring a custom CA certificate bundle for the HTTP backend using a new ca_file option (and TF_HTTP_CA_FILE).

This allows TLS certificate verification with private or internal CAs without disabling verification.

Fixes #36937

Changes

  • Add ca_file / TF_HTTP_CA_FILE backend option
  • Load CA certificates from file and use them for TLS verification
  • Merge file-based CAs with existing inline CA configuration
  • Add unit tests for CA loading and error handling

Target Release

1.15.x

Changes to Security Controls

Yes. This change improves TLS security by allowing users to configure a trusted CA bundle for the HTTP backend. This enables proper server certificate verification in environments that use private or internal certificate authorities, reducing the need to disable TLS verification via skip_cert_verification.

No existing security controls are removed or weakened.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
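One way the CA loading and merging described in this pull request could look, as an added example and not the pull request's own code: `tlsConfigFromCA` and `constructedCA` are hypothetical names, and the CA is a throwaway certificate generated at run time as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// tlsConfigFromCA (hypothetical name) merges caFile and inline PEM CAs, failing closed.
func tlsConfigFromCA(caFile string, inlinePEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if caFile != "" {
		data, err := os.ReadFile(caFile)
		if err != nil {
			return nil, fmt.Errorf("reading CA file: %w", err)
		}
		if !pool.AppendCertsFromPEM(data) { // false: nothing parsed, do not fall back
			return nil, fmt.Errorf("no PEM certificates found in %s", caFile)
		}
	}
	if len(inlinePEM) > 0 && !pool.AppendCertsFromPEM(inlinePEM) {
		return nil, fmt.Errorf("no PEM certificates found in inline CA bundle")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil // verification stays on
}

// constructedCA builds a throwaway self-signed CA as sample input (errors ignored for brevity).
func constructedCA() (*x509.Certificate, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		BasicConstraintsValid: true, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca, caPEM := constructedCA()
	cfg, err := tlsConfigFromCA("", caPEM) // a ca_file path is handled the same way
	if err == nil {
		_, err = ca.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	}
	fmt.Println("constructed CA trusted via merged pool:", err == nil)
}
```

Because `RootCAs` is set to the merged pool, only the configured CAs are trusted for that client, and an unreadable or empty bundle produces an error instead of a silent fallback.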

@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.


Development

Successfully merging this pull request may close these issues.

Support for own CA Certificate for HTTP backend
